diff --git a/src/SecurityInsights/.gitattributes b/src/SecurityInsights/.gitattributes
new file mode 100644
index 000000000000..2125666142eb
--- /dev/null
+++ b/src/SecurityInsights/.gitattributes
@@ -0,0 +1 @@
+* text=auto
\ No newline at end of file
diff --git a/src/SecurityInsights/.gitignore b/src/SecurityInsights/.gitignore
new file mode 100644
index 000000000000..3c3d57339c8b
--- /dev/null
+++ b/src/SecurityInsights/.gitignore
@@ -0,0 +1,16 @@
+bin
+obj
+.vs
+generated
+internal
+exports
+tools
+custom/*.psm1
+custom/autogen-model-cmdlets
+test/*-TestResults.xml
+/*.ps1
+/*.ps1xml
+/*.psm1
+/*.snk
+/*.csproj
+/*.nuspec
\ No newline at end of file
diff --git a/src/SecurityInsights/Az.SecurityInsights.psd1 b/src/SecurityInsights/Az.SecurityInsights.psd1
new file mode 100644
index 000000000000..40cc03ef3334
--- /dev/null
+++ b/src/SecurityInsights/Az.SecurityInsights.psd1
@@ -0,0 +1,24 @@
+@{
+ GUID = '3a0e09d6-7b89-4078-a565-5db26e7455b8'
+ RootModule = './Az.SecurityInsights.psm1'
+ ModuleVersion = '1.2.0'
+ CompatiblePSEditions = 'Core', 'Desktop'
+ Author = 'Microsoft Corporation'
+ CompanyName = 'Microsoft Corporation'
+ Copyright = 'Microsoft Corporation. All rights reserved.'
+ Description = 'Microsoft Azure PowerShell: SecurityInsights cmdlets'
+ PowerShellVersion = '5.1'
+ DotNetFrameworkVersion = '4.7.2'
+ RequiredAssemblies = './bin/Az.SecurityInsights.private.dll'
+ FormatsToProcess = './Az.SecurityInsights.format.ps1xml'
+ FunctionsToExport = 'Get-AzSentinelAlertRule', 'Get-AzSentinelAlertRuleAction', 'Get-AzSentinelAlertRuleTemplate', 'Get-AzSentinelAutomationRule', 'Get-AzSentinelBookmark', 'Get-AzSentinelBookmarkRelation', 'Get-AzSentinelDataConnector', 'Get-AzSentinelEnrichment', 'Get-AzSentinelEntity', 'Get-AzSentinelEntityActivity', 'Get-AzSentinelEntityInsight', 'Get-AzSentinelEntityQuery', 'Get-AzSentinelEntityQueryTemplate', 'Get-AzSentinelEntityRelation', 'Get-AzSentinelEntityTimeline', 'Get-AzSentinelIncident', 'Get-AzSentinelIncidentAlert', 'Get-AzSentinelIncidentBookmark', 'Get-AzSentinelIncidentComment', 'Get-AzSentinelIncidentEntity', 'Get-AzSentinelIncidentRelation', 'Get-AzSentinelMetadata', 'Get-AzSentinelOnboardingState', 'Get-AzSentinelSetting', 'Get-AzSentinelSourceControlRepository', 'Get-AzSentinelThreatIntelligenceIndicator', 'Get-AzSentinelThreatIntelligenceIndicatorMetric', 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery', 'New-AzSentinelAlertRule', 'New-AzSentinelAlertRuleAction', 'New-AzSentinelAutomationRule', 'New-AzSentinelBookmark', 'New-AzSentinelBookmarkRelation', 'New-AzSentinelDataConnector', 'New-AzSentinelEntityQuery', 'New-AzSentinelIncident', 'New-AzSentinelIncidentComment', 'New-AzSentinelIncidentRelation', 'New-AzSentinelIncidentTeam', 'New-AzSentinelOnboardingState', 'Remove-AzSentinelAlertRule', 'Remove-AzSentinelAlertRuleAction', 'Remove-AzSentinelAutomationRule', 'Remove-AzSentinelBookmark', 'Remove-AzSentinelBookmarkRelation', 'Remove-AzSentinelDataConnector', 'Remove-AzSentinelEntityQuery', 'Remove-AzSentinelIncident', 'Remove-AzSentinelIncidentComment', 'Remove-AzSentinelIncidentRelation', 'Remove-AzSentinelOnboardingState', 'Test-AzSentinelDataConnectorCheckRequirement', 'Update-AzSentinelAlertRule', 'Update-AzSentinelAlertRuleAction', 'Update-AzSentinelAutomationRule', 'Update-AzSentinelBookmark', 'Update-AzSentinelBookmarkRelation', 'Update-AzSentinelDataConnector', 'Update-AzSentinelEntityQuery', 'Update-AzSentinelIncident', 'Update-AzSentinelIncidentComment', 'Update-AzSentinelIncidentRelation', 'Update-AzSentinelSetting', '*'
+ AliasesToExport = '*'
+ PrivateData = @{
+ PSData = @{
+ Tags = 'Azure', 'ResourceManager', 'ARM', 'PSModule', 'SecurityInsights'
+ LicenseUri = 'https://aka.ms/azps-license'
+ ProjectUri = 'https://github.com/Azure/azure-powershell'
+ ReleaseNotes = ''
+ }
+ }
+}
diff --git a/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
new file mode 100644
index 000000000000..eeb248cf1f2e
--- /dev/null
+++ b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
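Review bot: The explicit `FunctionsToExport` allow-list in this manifest is undone by the trailing `'*'`, and `AliasesToExport = '*'` does the same for aliases, so every function the root module ends up loading (including anything dot-sourced from the custom/ or internal/ folders this PR adds) becomes a public command rather than only the cmdlets named here. Wildcard exports also defeat PowerShell's manifest-based command discovery (the module has to be imported to learn what it exports) and are flagged by PSScriptAnalyzer's PSUseToExportFieldsInManifest rule. I would drop the trailing `'*'` from the list and set `AliasesToExport = @()`, or name the aliases explicitly if the module defines any — I cannot see alias definitions from this diff, so verify before emptying it.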
@@ -0,0 +1,682 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Creates or updates the alert rule. +.Description +Creates or updates the alert rule. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertrule +#> +function New-AzSentinelAlertRule { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])] + [CmdletBinding(DefaultParameterSetName = 'FusionMLTI', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. + ${ResourceGroupName}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. 
+ ${WorkspaceName}, + + [Parameter()] + #[Alias('RuleId')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] + [System.String] + # The Id of the Rule. + ${RuleId}, + + [Parameter(Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind] + # Kind of the the data connection + ${Kind}, + + [Parameter(ParameterSetName = 'FusionMLTI', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertRuleTemplate}, + + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertRuleTemplateName}, + + [Parameter(ParameterSetName = 'FusionMLTI')] + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Enabled}, + + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Description}, + + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DisplayNamesFilter}, + + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + 
${DisplayNamesExcludeFilter}, + + + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName] + ${ProductFilter}, + + [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]] + #High, Medium, Low, Informational + ${SeveritiesFilter}, + + [Parameter(ParameterSetName = 'NRT', Mandatory)] + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Query}, + + [Parameter(ParameterSetName = 'NRT', Mandatory)] + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DisplayName}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')] + [System.TimeSpan] + ${SuppressionDuration}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${SuppressionEnabled}, + + [Parameter(ParameterSetName = 'NRT', Mandatory)] + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity] + ${Severity}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + #[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] + [System.String] + #InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack + ${Tactic}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${CreateIncident}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${GroupingConfigurationEnabled}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${ReOpenClosedIncident}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')] + [System.TimeSpan] + ${LookbackDuration}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '"AllEntities"')] + [ValidateSet('AllEntities', 'AnyAlert', 'Selected')] + [System.String] + ${MatchingMethod}, + + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + 
[ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail] + ${GroupByAlertDetail}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [string[]] + ${GroupByCustomDetail}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType] + ${GroupByEntity}, + + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping] + ${EntityMapping}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertDescriptionFormat}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertDisplayNameFormat}, + + [Parameter(ParameterSetName = 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertSeverityColumnName}, + + [Parameter(ParameterSetName 
= 'NRT')] + [Parameter(ParameterSetName = 'Scheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertTacticsColumnName}, + + + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.TimeSpan] + ${QueryFrequency}, + + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.TimeSpan] + ${QueryPeriod}, + + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator] + ${TriggerOperator}, + + [Parameter(ParameterSetName = 'Scheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [int] + ${TriggerThreshold}, + + [Parameter(ParameterSetName = 'Scheduled')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind] + ${EventGroupingSettingAggregationKind}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + #Fusion + if ($PSBoundParameters['Kind'] -eq 'Fusion'){ + $AlertRule = 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.FusionAlertRule]::new() + + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] + $null = $PSBoundParameters.Remove('AlertRuleTemplate') + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else{ + $AlertRule.Enabled = $false + } + } + #MSIC + if($PSBoundParameters['Kind'] -eq 'MicrosoftSecurityIncidentCreation'){ + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MicrosoftSecurityIncidentCreationAlertRule]::new() + + If($PSBoundParameters['AlertRuleTemplateName']){ + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] + $null = $PSBoundParameters.Remove('AlertRuleTemplateName') + } + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else{ + $AlertRule.Enabled = $false + } + + If($PSBoundParameters['Description']){ + $AlertRule.Enabled = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + } + + If($PSBoundParameters['DisplayNamesFilter']){ + $AlertRule.Enabled = $PSBoundParameters['DisplayNamesFilter'] + $null = $PSBoundParameters.Remove('DisplayNamesFilter') + } + + If($PSBoundParameters['DisplayNamesExcludeFilter']){ + $AlertRule.Enabled = $PSBoundParameters['DisplayNamesExcludeFilter'] + $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter') + } + + $AlertRule.ProductFilter = $PSBoundParameters['ProductFilter'] + $null = $PSBoundParameters.Remove('ProductFilter') + + If($PSBoundParameters['SeveritiesFilter']){ + $AlertRule.Enabled = $PSBoundParameters['SeveritiesFilter'] + $null = $PSBoundParameters.Remove('SeveritiesFilter') + } + } + #ML + if ($PSBoundParameters['Kind'] -eq 'MLBehaviorAnalytics'){ + $AlertRule = 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MlBehaviorAnalyticsAlertRule]::new() + + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] + $null = $PSBoundParameters.Remove('AlertRuleTemplate') + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else{ + $AlertRule.Enabled = $false + } + } + + #NRT + if($PSBoundParameters['Kind'] -eq 'NRT'){ + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.NrtAlertRule]::new() + + If($PSBoundParameters['AlertRuleTemplateName']){ + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] + $null = $PSBoundParameters.Remove('AlertRuleTemplateName') + } + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else{ + $AlertRule.Enabled = $false + } + + If($PSBoundParameters['Description']){ + $AlertRule.Enabled = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + } + + $AlertRule.Query = $PSBoundParameters['Query'] + $null = $PSBoundParameters.Remove('Query') + + $AlertRule.DisplayName = $PSBoundParameters['DisplayName'] + $null = $PSBoundParameters.Remove('DisplayName') + + $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration'] + $null = $PSBoundParameters.Remove('SuppressionDuration') + + If($PSBoundParameters['SuppressionEnabled']){ + $AlertRule.SuppressionEnabled = $PSBoundParameters['SuppressionEnabled'] + $null = $PSBoundParameters.Remove('SuppressionEnabled') + } + else{ + $AlertRule.SuppressionEnabled = $false + } + + $AlertRule.Severity = $PSBoundParameters['Severity'] + $null = $PSBoundParameters.Remove('Severity') + + If($PSBoundParameters['Tactic']){ + $AlertRule.Tactic = $PSBoundParameters['Tactic'] + $null = $PSBoundParameters.Remove('Tactic') + } + + If($PSBoundParameters['CreateIncident']){ + 
$AlertRule.IncidentConfigurationCreateIncident = $PSBoundParameters['CreateIncident'] + $null = $PSBoundParameters.Remove('CreateIncident') + } + else{ + $AlertRule.IncidentConfigurationCreateIncident = $false + } + + If($PSBoundParameters['GroupingConfigurationEnabled']){ + $AlertRule.GroupingConfigurationEnabled = $PSBoundParameters['GroupingConfigurationEnabled'] + $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled') + } + else{ + $AlertRule.GroupingConfigurationEnabled = $false + } + + If($PSBoundParameters['ReOpenClosedIncident']){ + $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident'] + $null = $PSBoundParameters.Remove('ReOpenClosedIncident') + } + else{ + $AlertRule.GroupingConfigurationReOpenClosedIncident = $false + } + + $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration'] + $null = $PSBoundParameters.Remove('LookbackDuration') + + $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod'] + $null = $PSBoundParameters.Remove('MatchingMethod') + + If($PSBoundParameters['GroupByAlertDetail']){ + $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail'] + $null = $PSBoundParameters.Remove('GroupByAlertDetail') + } + + If($PSBoundParameters['GroupByCustomDetail']){ + $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail'] + $null = $PSBoundParameters.Remove('GroupByCustomDetail') + } + + If($PSBoundParameters['GroupByEntity']){ + $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity'] + $null = $PSBoundParameters.Remove('GroupByEntity') + } + + If($PSBoundParameters['EntityMapping']){ + $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping'] + $null = $PSBoundParameters.Remove('EntityMapping') + } + + If($PSBoundParameters['AlertDescriptionFormat']){ + $AlertRule.AlertDetailOverrideAlertDescriptionFormat = 
$PSBoundParameters['AlertDescriptionFormat'] + $null = $PSBoundParameters.Remove('AlertDescriptionFormat') + } + + If($PSBoundParameters['AlertDisplayNameFormat']){ + $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat'] + $null = $PSBoundParameters.Remove('AlertDisplayNameFormat') + } + + If($PSBoundParameters['AlertSeverityColumnName']){ + $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName'] + $null = $PSBoundParameters.Remove('AlertSeverityColumnName') + } + + If($PSBoundParameters['AlertTacticsColumnName']){ + $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName'] + $null = $PSBoundParameters.Remove('AlertTacticsColumnName') + } + + } + #Scheduled + if ($PSBoundParameters['Kind'] -eq 'Scheduled'){ + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ScheduledAlertRule]::new() + + If($PSBoundParameters['AlertRuleTemplateName']){ + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] + $null = $PSBoundParameters.Remove('AlertRuleTemplateName') + } + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else{ + $AlertRule.Enabled = $false + } + + If($PSBoundParameters['Description']){ + $AlertRule.Description = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + } + + $AlertRule.Query = $PSBoundParameters['Query'] + $null = $PSBoundParameters.Remove('Query') + + $AlertRule.DisplayName = $PSBoundParameters['DisplayName'] + $null = $PSBoundParameters.Remove('DisplayName') + + $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration'] + $null = $PSBoundParameters.Remove('SuppressionDuration') + + If($PSBoundParameters['SuppressionEnabled']){ + $AlertRule.SuppressionEnabled = $PSBoundParameters['SuppressionEnabled'] + $null = 
$PSBoundParameters.Remove('SuppressionEnabled') + } + else{ + $AlertRule.SuppressionEnabled = $false + } + + $AlertRule.Severity = $PSBoundParameters['Severity'] + $null = $PSBoundParameters.Remove('Severity') + + If($PSBoundParameters['Tactic']){ + $AlertRule.Tactic = $PSBoundParameters['Tactic'] + $null = $PSBoundParameters.Remove('Tactic') + } + + If($PSBoundParameters['CreateIncident']){ + $AlertRule.IncidentConfigurationCreateIncident = $PSBoundParameters['CreateIncident'] + $null = $PSBoundParameters.Remove('CreateIncident') + } + else{ + $AlertRule.IncidentConfigurationCreateIncident = $false + } + + If($PSBoundParameters['GroupingConfigurationEnabled']){ + $AlertRule.GroupingConfigurationEnabled = $PSBoundParameters['GroupingConfigurationEnabled'] + $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled') + } + else{ + $AlertRule.GroupingConfigurationEnabled = $false + } + + If($PSBoundParameters['ReOpenClosedIncident']){ + $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident'] + $null = $PSBoundParameters.Remove('ReOpenClosedIncident') + } + else{ + $AlertRule.GroupingConfigurationReOpenClosedIncident = $false + } + + $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration'] + $null = $PSBoundParameters.Remove('LookbackDuration') + + $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod'] + $null = $PSBoundParameters.Remove('MatchingMethod') + + If($PSBoundParameters['GroupByAlertDetail']){ + $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail'] + $null = $PSBoundParameters.Remove('GroupByAlertDetail') + } + + If($PSBoundParameters['GroupByCustomDetail']){ + $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail'] + $null = $PSBoundParameters.Remove('GroupByCustomDetail') + } + + If($PSBoundParameters['GroupByEntity']){ + $AlertRule.GroupingConfigurationGroupByEntity 
= $PSBoundParameters['GroupByEntity'] + $null = $PSBoundParameters.Remove('GroupByEntity') + } + + If($PSBoundParameters['EntityMapping']){ + $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping'] + $null = $PSBoundParameters.Remove('EntityMapping') + } + + If($PSBoundParameters['AlertDescriptionFormat']){ + $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat'] + $null = $PSBoundParameters.Remove('AlertDescriptionFormat') + } + + If($PSBoundParameters['AlertDisplayNameFormat']){ + $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat'] + $null = $PSBoundParameters.Remove('AlertDisplayNameFormat') + } + + If($PSBoundParameters['AlertSeverityColumnName']){ + $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName'] + $null = $PSBoundParameters.Remove('AlertSeverityColumnName') + } + + If($PSBoundParameters['AlertTacticsColumnName']){ + $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName'] + $null = $PSBoundParameters.Remove('AlertTacticsColumnName') + } + + $AlertRule.QueryFrequency = $PSBoundParameters['QueryFrequency'] + $null = $PSBoundParameters.Remove('QueryFrequency') + + $AlertRule.QueryPeriod = $PSBoundParameters['QueryPeriod'] + $null = $PSBoundParameters.Remove('QueryPeriod') + + $AlertRule.TriggerOperator = $PSBoundParameters['TriggerOperator'] + $null = $PSBoundParameters.Remove('TriggerOperator') + + $AlertRule.TriggerThreshold = $PSBoundParameters['TriggerThreshold'] + $null = $PSBoundParameters.Remove('TriggerThreshold') + + If($PSBoundParameters['EventGroupingSettingAggregationKind']){ + $AlertRule.EventGroupingSettingAggregationKind = $PSBoundParameters['EventGroupingSettingAggregationKind'] + $null = $PSBoundParameters.Remove('EventGroupingSettingAggregationKind') + } + } + #TI + if ($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ + $AlertRule = 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ThreatIntelligenceAlertRule]::new() + + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] + $null = $PSBoundParameters.Remove('AlertRuleTemplate') + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else { + $AlertRule.Enabled = $false + } + } + + $null = $PSBoundParameters.Remove('FusionMLTI') + + $AlertRule.Kind = $PSBoundParameters['Kind'] + $null = $PSBoundParameters.Remove('Kind') + + $null = $PSBoundParameters.Add('AlertRule', $AlertRule) + + Az.SecurityInsights.internal\New-AzSentinelAlertRule @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 new file mode 100644 index 000000000000..9880df269994 --- /dev/null +++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 
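Review bot: In the MicrosoftSecurityIncidentCreation branch the `Description`, `DisplayNamesFilter`, `DisplayNamesExcludeFilter` and `SeveritiesFilter` values are all written to `$AlertRule.Enabled` instead of their own properties, and the NRT branch does the same with `Description`; the Scheduled branch, which uses `$AlertRule.Description`, shows the intended pattern. The consequence is that the filters never reach the request body, so the rule is created with a wider scope than the operator asked for (no severity or display-name restriction), while `Enabled` is overwritten by a non-empty string or array, which depending on how the generated model types that property either throws or is coerced to `$true`, enabling a rule even when `-Enabled` was not passed. Two smaller points: `$PSBoundParameters.Remove('FusionMLTI')` removes nothing, since FusionMLTI is a parameter-set name rather than a parameter, and `catch { throw }` adds nothing over letting the exception propagate. The filter property names below assume the generated model exposes them alongside `ProductFilter`, which is already set on the same object — verify against the model class.
```powershell
# … unchanged: MicrosoftSecurityIncidentCreation branch, AlertRuleTemplateName/Enabled handling …
If($PSBoundParameters['Description']){
    $AlertRule.Description = $PSBoundParameters['Description']
    $null = $PSBoundParameters.Remove('Description')
}

If($PSBoundParameters['DisplayNamesFilter']){
    $AlertRule.DisplayNamesFilter = $PSBoundParameters['DisplayNamesFilter']
    $null = $PSBoundParameters.Remove('DisplayNamesFilter')
}

If($PSBoundParameters['DisplayNamesExcludeFilter']){
    $AlertRule.DisplayNamesExcludeFilter = $PSBoundParameters['DisplayNamesExcludeFilter']
    $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter')
}

# … unchanged: ProductFilter …

If($PSBoundParameters['SeveritiesFilter']){
    $AlertRule.SeveritiesFilter = $PSBoundParameters['SeveritiesFilter']
    $null = $PSBoundParameters.Remove('SeveritiesFilter')
}

# … unchanged: NRT branch, AlertRuleTemplateName/Enabled handling …
If($PSBoundParameters['Description']){
    $AlertRule.Description = $PSBoundParameters['Description']
    $null = $PSBoundParameters.Remove('Description')
}
# … unchanged: remainder of NRT branch, Scheduled and ThreatIntelligence branches …
```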
@@ -0,0 +1,708 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Creates or updates the data connector. +.Description +Creates or updates the data connector. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentineldataconnector +#> +function New-AzSentinelDataConnector { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])] + [CmdletBinding(DefaultParameterSetName = 'AADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. 
+ ${ResourceGroupName}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] + [System.String] + # The Id of the Data Connector. + ${DataConnectorId}, + + [Parameter(Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind] + # Kind of the the data connection + ${Kind}, + + [Parameter(ParameterSetName = 'AADAATP')] + [Parameter(ParameterSetName = 'Dynamics365')] + [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] + [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')] + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [Parameter(ParameterSetName = 'MicrosoftThreatProtection')] + [Parameter(ParameterSetName = 'Office365')] + [Parameter(ParameterSetName = 'OfficeATP')] + [Parameter(ParameterSetName = 'OfficeIRM')] + [Parameter(ParameterSetName = 'ThreatIntelligence')] + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')] + [System.String] + # The TenantId. + ${TenantId}, + + [Parameter(ParameterSetName = 'AzureSecurityCenter', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + # ASC Subscription Id. 
+ ${ASCSubscriptionId}, + + [Parameter(ParameterSetName = 'AADAATP')] + [Parameter(ParameterSetName = 'AzureSecurityCenter')] + [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] + [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')] + [Parameter(ParameterSetName = 'OfficeATP')] + [Parameter(ParameterSetName = 'OfficeIRM')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Alerts}, + + [Parameter(ParameterSetName = 'Dynamics365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${CommonDataServiceActivity}, + + [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DiscoveryLogs}, + + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${BingSafetyPhishingURL}, + + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${BingSafetyPhishingUrlLookbackPeriod}, + + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${MicrosoftEmergingThreatFeed}, + + [Parameter(ParameterSetName = 
'MicrosoftThreatIntelligence')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${MicrosoftEmergingThreatFeedLookbackPeriod}, + + [Parameter(ParameterSetName = 'MicrosoftThreatProtection')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Incidents}, + + [Parameter(ParameterSetName = 'Office365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Exchange}, + + [Parameter(ParameterSetName = 'Office365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${SharePoint}, + + [Parameter(ParameterSetName = 'Office365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Teams}, + + [Parameter(ParameterSetName = 'ThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Indicators}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${WorkspaceId}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${FriendlyName}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${APIRootURL}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${CollectionId}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UserName}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Password}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${TaxiiLookbackPeriod}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency] + ${PollingFrequency}, + + [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)] + [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AWSRoleArn}, + + [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail')] + [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Logs}, + + [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [String[]] + ${SQSURL}, + + [Parameter(ParameterSetName = 
'AmazonWebServicesS3', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DetinationTable}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigTitle}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigPublisher}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigDescriptionMarkdown}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigCustomImage}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigGraphQueriesTableName}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]] + ${UiConfigGraphQuery}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]] + ${UiConfigSampleQuery}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + 
#[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]] + ${UiConfigDataType}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]] + ${UiConfigConnectivityCriterion}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Bool] + ${AvailabilityIsPreview}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 1)] + [Int] + ${AvailabilityStatus}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]] + ${PermissionResourceProvider}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]] + ${PermissionCustom}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]] + ${UiConfigInstructionStep}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. + ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server 
to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'Dynamics365'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365DataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['CommonDataServiceActivity']){ + $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity'] + $null = $PSBoundParameters.Remove('CommonDataServiceActivity') + } + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.McasDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = 
$PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.DataTypeAlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + + If($PSBoundParameters['DiscoveryLogs']){ + $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLogs'] + $null = $PSBoundParameters.Remove('DiscoveryLogs') + } + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MdatpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MstiDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['BingSafetyPhishingURL']){ + $DataConnector.BingSafetyPhishingUrlState = $PSBoundParameters['BingSafetyPhishingURL'] + $null = $PSBoundParameters.Remove('BingSafetyPhishingURL') + } + + If($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod']){ + if($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneDay'){ + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneWeek') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneMonth') { + 
$DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'All') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + $null = $PSBoundParameters.Remove('BingSafetyPhishingUrlLookbackPeriod') + } + else{ + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + + If($PSBoundParameters['MicrosoftEmergingThreatFeed']){ + $DataConnector.MicrosoftEmergingThreatFeedState = $PSBoundParameters['MicrosoftEmergingThreatFeed'] + $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeed') + } + + If($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod']){ + if($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneDay'){ + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneWeek') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneMonth') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'All') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod') + } + else{ + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + } + + if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){ + 
$DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Incidents']){ + $DataConnector.IncidentState = $PSBoundParameters['Incidents'] + $null = $PSBoundParameters.Remove('Incidents') + } + } + if($PSBoundParameters['Kind'] -eq 'Office365'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Exchange']){ + $DataConnector.ExchangeState = $PSBoundParameters['Exchange'] + $null = $PSBoundParameters.Remove('Exchange') + } + + If($PSBoundParameters['SharePoint']){ + $DataConnector.SharePointState = $PSBoundParameters['SharePoint'] + $null = $PSBoundParameters.Remove('SharePoint') + } + + If($PSBoundParameters['Teams']){ + $DataConnector.TeamState = $PSBoundParameters['Teams'] + $null = $PSBoundParameters.Remove('Teams') + } + } + if($PSBoundParameters['Kind'] -eq 'OfficeATP'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeAtpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = 
$PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + $DataConnector.TipLookbackPeriod = "1970-01-01T00:00:00.000Z" + + If($PSBoundParameters['Indicators']){ + $DataConnector.IndicatorState = $PSBoundParameters['Indicators'] + $null = $PSBoundParameters.Remove('Indicators') + } + } + if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + $DataConnector.FriendlyName = $PSBoundParameters['FriendlyName'] + $null = $PSBoundParameters.Remove('FriendlyName') + + $DataConnector.TaxiiServer = $PSBoundParameters['APIRootURL'] + $null = $PSBoundParameters.Remove('APIRootURL') + + $DataConnector.CollectionId = $PSBoundParameters['CollectionId'] + $null = $PSBoundParameters.Remove('CollectionId') + + If($PSBoundParameters['UserName']){ + $DataConnector.UserName = $PSBoundParameters['UserName'] + $null = $PSBoundParameters.Remove('UserName') + } + + If($PSBoundParameters['Password']){ + $DataConnector.Password = $PSBoundParameters['Password'] + $null = $PSBoundParameters.Remove('Password') + } + + $DataConnector.WorkspaceId = $PSBoundParameters['WorkspaceId'] + $null = $PSBoundParameters.Remove('WorkspaceId') + + + if($PSBoundParameters['PollingFrequency'] -eq 'OnceADay'){ + $DataConnector.PollingFrequency = "OnceADay" + } + elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAMinute') { + $DataConnector.PollingFrequency = "OnceAMinute" + } + elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAnHour') { + $DataConnector.PollingFrequency = 
"OnceAnHour" + } + $null = $PSBoundParameters.Remove('PollingFrequency') + + } + + if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AscDataConnector]::new() + + $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId'] + $null = $PSBoundParameters.Remove('ASCSubscriptionId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new() + + $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn'] + $null = $PSBoundParameters.Remove('AWSRoleArn') + + If($PSBoundParameters['Logs']){ + $DataConnector.LogState = $PSBoundParameters['Logs'] + $null = $PSBoundParameters.Remove('Logs') + } + } + if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new() + + $DataConnector.RoleArn = $PSBoundParameters['AWSRoleArn'] + $null = $PSBoundParameters.Remove('AWSRoleArn') + + If($PSBoundParameters['Logs']){ + $DataConnector.LogState = $PSBoundParameters['Logs'] + $null = $PSBoundParameters.Remove('Logs') + } + + $DataConnector.SqsUrl = $PSBoundParameters['SQSURL'] + $null = $PSBoundParameters.Remove('SQSURL') + + $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable'] + $null = $PSBoundParameters.Remove('DetinationTable') + } + if($PSBoundParameters['Kind'] -eq 'GenericUI'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CodelessUiDataConnector]::new() + + $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle'] + $null = 
$PSBoundParameters.Remove('UiConfigTitle') + + $DataConnector.ConnectorUiConfigPublisher = $PSBoundParameters['UiConfigPublisher'] + $null = $PSBoundParameters.Remove('UiConfigPublisher') + + $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown'] + $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown') + + If($PSBoundParameters['Logs']){ + $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage'] + $null = $PSBoundParameters.Remove('UiConfigCustomImage') + } + + $DataConnector.ConnectorUiConfigGraphQueriesTableName = $PSBoundParameters['UiConfigGraphQueriesTableName'] + $null = $PSBoundParameters.Remove('UiConfigGraphQueriesTableName') + + $DataConnector.ConnectorUiConfigGraphQuery = $PSBoundParameters['UiConfigGraphQuery'] + $null = $PSBoundParameters.Remove('UiConfigGraphQuery') + + $DataConnector.ConnectorUiConfigSampleQuery = $PSBoundParameters['UiConfigSampleQuery'] + $null = $PSBoundParameters.Remove('UiConfigSampleQuery') + + $DataConnector.ConnectorUiConfigDataType = $PSBoundParameters['UiConfigDataType'] + $null = $PSBoundParameters.Remove('UiConfigDataType') + + $DataConnector.ConnectorUiConfigConnectivityCriterion = $PSBoundParameters['UiConfigConnectivityCriterion'] + $null = $PSBoundParameters.Remove('UiConfigConnectivityCriterion') + + $DataConnector.AvailabilityIsPreview = $PSBoundParameters['AvailabilityIsPreview'] + $null = $PSBoundParameters.Remove('AvailabilityIsPreview') + + If($PSBoundParameters['AvailabilityStatus']){ + $DataConnector.AvailabilityStatus = $PSBoundParameters['AvailabilityStatus'] + $null = $PSBoundParameters.Remove('AvailabilityStatus') + } + + If($PSBoundParameters['PermissionResourceProvider']){ + $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionResourceProvider'] + $null = $PSBoundParameters.Remove('PermissionResourceProvider') + } + ElseIf($PSBoundParameters['PermissionCustom']){ + $DataConnector.AvailabilityStatus = 
$PSBoundParameters['PermissionCustom'] + $null = $PSBoundParameters.Remove('PermissionCustom') + } + Else { + Write-Host -ForegroundColor Red "You must provide either a Resource Provider Permission or Custom Permissions" + break + } + + $DataConnector.ConnectorUiConfigInstructionStep = $PSBoundParameters['UiConfigInstructionStep'] + $null = $PSBoundParameters.Remove('UiConfigInstructionStep') + + } + + $DataConnector.Kind = $PSBoundParameters['Kind'] + $null = $PSBoundParameters.Remove('Kind') + + $null = $PSBoundParameters.Remove('DataConnector') + $null = $PSBoundParameters.Add('DataConnector', $DataConnector) + + Az.SecurityInsights.internal\New-AzSentinelDataConnector @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 new file mode 100644 index 000000000000..288fea99923f --- /dev/null +++ b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 
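Review bot: In the `ThreatIntelligenceTaxii` parameter set `${Password}` is declared `[System.String]`, so the TAXII server secret is accepted as plain text and ends up in shell history, transcripts and `$PSBoundParameters`; declare it `[System.Security.SecureString]` (or fold `UserName`/`Password` into one `[System.Management.Automation.PSCredential]`) and unwrap only at the assignment, e.g. `$DataConnector.Password = [System.Net.NetworkCredential]::new('', $PSBoundParameters['Password']).Password`. The `AmazonWebServicesS3` branch instantiates `AwsCloudTrailDataConnector` and then sets `RoleArn`, `SqsUrl` and `DestinationTable`, none of which the CloudTrail branch just above uses (it sets `AWSRoleArn`), so this looks like the wrong model type and presumably the S3 connector model from the same namespace was intended. In the `GenericUI` branch the custom image is guarded by `If($PSBoundParameters['Logs'])`, a parameter that is not in that set, so `UiConfigCustomImage` is never copied and is left in the splat; it should read `If($PSBoundParameters['UiConfigCustomImage']){`. In the same branch both `PermissionResourceProvider` and `PermissionCustom` are written to `$DataConnector.AvailabilityStatus`, clobbering the status assigned a few lines earlier instead of populating the permission properties, and the missing-permissions case uses `Write-Host` followed by `break`, which exits the caller's enclosing loop or script rather than failing this call — `throw` is the expected failure path there. Finally, `${DetinationTable}` is a public parameter name with a typo that will be hard to rename once the module ships.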
@@ -0,0 +1,216 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Creates or updates the entity query. +.Description +Creates or updates the entity query. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery +#> +function New-AzSentinelEntityQuery { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])] + [CmdletBinding(DefaultParameterSetName = 'Activity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. 
+ ${ResourceGroupName}, + + [Parameter(Mandatory)] + #[Alias('DataConnectionName')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] + [System.String] + # The Id of the Entity Query. + ${EntityQueryId}, + + [Parameter(Mandatory)] + [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + # Kind of the the Entity Query + ${Kind}, + + [Parameter(ParameterSetName = 'Activity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Title}, + + [Parameter(ParameterSetName = 'Activity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Content}, + + [Parameter(ParameterSetName = 'Activity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Description}, + + [Parameter(ParameterSetName = 'Activity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${QueryDefinitionQuery}, + + [Parameter(ParameterSetName = 'Activity', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType] + ${InputEntityType}, + + [Parameter(ParameterSetName = 'Activity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [String[]] + ${RequiredInputFieldsSet}, + + [Parameter(ParameterSetName = 'Activity')] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter] + ${EntitiesFilter}, + + [Parameter(ParameterSetName = 'Activity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${TemplateName}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. + ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The 
URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + + if ($PSBoundParameters['Kind'] -eq 'Activity'){ + $EntityQuery = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityCustomEntityQuery]::new() + + $EntityQuery.Title = $PSBoundParameters['Title'] + $null = $PSBoundParameters.Remove('Title') + + $EntityQuery.Content = $PSBoundParameters['Content'] + $null = $PSBoundParameters.Remove('Content') + + $EntityQuery.Description = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + + $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery'] + $null = $PSBoundParameters.Remove('QueryDefinitionQuery') + + $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType'] + $null = $PSBoundParameters.Remove('InputEntityType') + + If($PSBoundParameters['RequiredInputFieldsSet']){ + $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet'] + $null = $PSBoundParameters.Remove('RequiredInputFieldsSet') + } + + If($PSBoundParameters['EntitiesFilter']){ + $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter'] + $null = $PSBoundParameters.Remove('EntitiesFilter') + } + + If($PSBoundParameters['TemplateName']){ + $EntityQuery.TemplateName = $PSBoundParameters['TemplateName'] + $null = $PSBoundParameters.Remove('TemplateName') + } + } + else { + Write-Error "This cmdlet only works with Entity Queries of the Activity kind." 
+ break
+ }
+
+ #$EntityQuery.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery)
+
+ Az.SecurityInsights.internal\New-AzSentinelEntityQuery @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/README.md b/src/SecurityInsights/custom/README.md
new file mode 100644
index 000000000000..403330afa28c
--- /dev/null
+++ b/src/SecurityInsights/custom/README.md
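Review bot: The non-Activity branch at the end of the `process` block finishes with `Write-Error` followed by `break`, but `break` outside a loop does not return from the function — PowerShell unwinds to the nearest enclosing loop in the caller, or ends the script, so a caller iterating over several queries silently loses the rest of its loop. Because the body already sits in `try { ... } catch { throw }`, a terminating error is the right signal: replace the two lines with `throw "This cmdlet only works with Entity Queries of the Activity kind."`. `${Kind}` is untyped and carries only an ArgumentCompleter, so nothing rejects a bad value at binding time; adding `[ValidateSet('Activity')]` above the parameter would fail fast with a clear message and make the fallback branch unreachable by design. The commented-out `#$EntityQuery.Kind = ...` line suggests the `ActivityCustomEntityQuery` constructor sets `Kind` itself — worth a one-line comment saying so, since a reader otherwise expects `Kind` to be dropped from the request.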
@@ -0,0 +1,41 @@
+# Custom
+This directory contains custom implementation for non-generated cmdlets for the `Az.SecurityInsights` module. Both scripts (`.ps1`) and C# files (`.cs`) can be implemented here. They will be used during the build process in `build-module.ps1`, and create cmdlets into the `../exports` folder. The only generated file into this folder is the `Az.SecurityInsights.custom.psm1`. This file should not be modified.
+
+## Info
+- Modifiable: yes
+- Generated: partial
+- Committed: yes
+- Packaged: yes
+
+## Details
+For `Az.SecurityInsights` to use custom cmdlets, it does this two different ways. We **highly recommend** creating script cmdlets, as they are easier to write and allow access to the other exported cmdlets. C# cmdlets *cannot access exported cmdlets*.
+
+For C# cmdlets, they are compiled with the rest of the generated low-level cmdlets into the `./bin/Az.SecurityInsights.private.dll`. The names of the cmdlets (methods) and files must follow the `[cmdletName]_[variantName]` syntax used for generated cmdlets. The `variantName` is used as the `ParameterSetName`, so use something appropriate that doesn't clash with already created variant or parameter set names. You cannot use the `ParameterSetName` property in the `Parameter` attribute on C# cmdlets. Each cmdlet must be separated into variants using the same pattern as seen in the `generated/cmdlets` folder.
+
+For script cmdlets, these are loaded via the `Az.SecurityInsights.custom.psm1`. Then, during the build process, this module is loaded and processed in the same manner as the C# cmdlets. The fundamental difference is the script cmdlets use the `ParameterSetName` attribute and C# cmdlets do not. To create a script cmdlet variant of a generated cmdlet, simply decorate all parameters in the script with the new `ParameterSetName` in the `Parameter` attribute. This will appropriately treat each parameter set as a separate variant when processed to be exported during the build.
+
+## Purpose
+This allows the modules to have cmdlets that were not defined in the REST specification. It also allows combining logic using generated cmdlets. This is a level of customization beyond what can be done using the [readme configuration options](https://github.com/Azure/autorest/blob/master/docs/powershell/options.md) that are currently available. These custom cmdlets are then referenced by the cmdlets created at build-time in the `../exports` folder.
+
+## Usage
+The easiest way currently to start developing custom cmdlets is to copy an existing cmdlet. For C# cmdlets, copy one from the `generated/cmdlets` folder. For script cmdlets, build the project using `build-module.ps1` and copy one of the scripts from the `../exports` folder. After that, if you want to add new parameter sets, follow the guidelines in the `Details` section above. For implementing a new cmdlets, at minimum, please keep these parameters:
+- Break
+- DefaultProfile
+- HttpPipelineAppend
+- HttpPipelinePrepend
+- Proxy
+- ProxyCredential
+- ProxyUseDefaultCredentials
+
+These provide functionality to our HTTP pipeline and other useful features. In script, you can forward these parameters using `$PSBoundParameters` to the other cmdlets you're calling within `Az.SecurityInsights`. For C#, follow the usage seen in the `ProcessRecordAsync` method.
+
+### Attributes
+For processing the cmdlets, we've created some additional attributes:
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DescriptionAttribute`
+ - Used in C# cmdlets to provide a high-level description of the cmdlet. This is propagated to reference documentation via [help comments](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comment_based_help) in the exported scripts.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DoNotExportAttribute`
+ - Used in C# and script cmdlets to suppress creating an exported cmdlet at build-time.
These cmdlets will *not be exposed* by `Az.SecurityInsights`.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.InternalExportAttribute`
+ - Used in C# cmdlets to route exported cmdlets to the `../internal`, which are *not exposed* by `Az.SecurityInsights`. For more information, see [README.md](../internal/README.md) in the `../internal` folder.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.ProfileAttribute`
+ - Used in C# and script cmdlets to define which Azure profiles the cmdlet supports. This is only supported for Azure (`--azure`) modules.
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 b/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1
new file mode 100644
index 000000000000..97e1b698a2d2
--- /dev/null
+++ b/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1
@@ -0,0 +1,219 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Get requirements state for a data connector type. +.Description +Get requirements state for a data connector type. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/test-azsentineldataconnectorcheckrequirement +#> +function Test-AzSentinelDataConnectorCheckRequirement { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements])] + [CmdletBinding(DefaultParameterSetName = 'AADTenant', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. 
+ ${ResourceGroupName}, + + [Parameter(Mandatory)] + #[Alias('DataConnectionName')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter(Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind] + # Kind of the the data connection + ${Kind}, + + + [Parameter(ParameterSetName = 'AADTenant')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')] + [System.String] + # The TenantId. + ${TenantId}, + + [Parameter(ParameterSetName = 'AzureSecurityCenter', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + # ASC Subscription Id. + ${ASCSubscriptionId}, + + #[Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)] + #[Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + #[Parameter(ParameterSetName = 'GenericUI', Mandatory)] + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + + if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){ + $DataConnectorCheckRequirement = 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'Dynamics365'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365CheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MCASCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MDATPCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MSTICheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 
'MicrosoftThreatProtection'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + #if($PSBoundParameters['Kind'] -eq 'Office365'){ + # $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Office365CheckRequirements]::new() + # $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + # $null = $PSBoundParameters.Remove('TenantId') + #} + if($PSBoundParameters['Kind'] -eq 'OfficeATP'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeATPCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TICheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){ + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiCheckRequirements]::new() + $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + if($PSBoundParameters['Kind'] -eq 
'AzureSecurityCenter'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ASCCheckRequirements]::new()
+ $DataConnectorCheckRequirement.SubscriptionId = $PSBoundParameters['ASCSubscriptionId']
+ $null = $PSBoundParameters.Remove('ASCSubscriptionId')
+ }
+ #if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){}
+ #if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){}
+ #if($PSBoundParameters['Kind'] -eq 'GenericUI'){}
+
+ $DataConnectorCheckRequirement.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('DataConnectorCheckRequirement', $DataConnectorCheckRequirement)
+
+ Az.SecurityInsights.internal\Test-AzSentinelDataConnectorCheckRequirement @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
new file mode 100644
index 000000000000..815f4636d80e
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
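Review bot: A `Kind` that none of the `if` branches handles (`Office365`, `AmazonWebServicesCloudTrail`, `AmazonWebServicesS3` and `GenericUI` are all commented out, and `DataConnectorKind` presumably has further members) leaves `$DataConnectorCheckRequirement` unassigned, so the later `$DataConnectorCheckRequirement.Kind = $PSBoundParameters['Kind']` fails on a `$null` receiver with a generic property-cannot-be-found error that `catch { throw }` rethrows unchanged, and the user never learns that the kind is unsupported. Add a guard before that assignment: `if ($null -eq $DataConnectorCheckRequirement) { throw "Kind '$($PSBoundParameters['Kind'])' is not supported by this cmdlet." }`. The `AzureSecurityCenter` branch reads `ASCSubscriptionId`, but that parameter is mandatory only in its own parameter set; with `-Kind AzureSecurityCenter` and no `-ASCSubscriptionId`, binding falls back to the default `AADTenant` set and a `$null` subscription is forwarded in the request, so `if (-not $PSBoundParameters['ASCSubscriptionId']) { throw "ASCSubscriptionId is required for Kind AzureSecurityCenter." }` belongs in that branch. Stylistically, the twelve near-identical `TenantId` branches would read better as one `switch ($PSBoundParameters['Kind'])` that maps each kind to its model type, which also gives the unsupported-kind case an explicit `default` block.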
@@ -0,0 +1,814 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Updates the alert rule. +.Description +Updates the alert rule. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/Update-azsentinelalertrule +#> +function Update-AzSentinelAlertRule { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])] + [CmdletBinding(DefaultParameterSetName = 'UpdateScheduled', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter(ParameterSetName = 'UpdateFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateNRT')] + [Parameter(ParameterSetName = 'UpdateScheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. 
+ ${SubscriptionId}, + + [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)] + [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)] + [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. + ${ResourceGroupName}, + + [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)] + [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)] + [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)] + [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)] + [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)] + #[Alias('RuleId')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of Operational Insights Resource Provider. + ${RuleId}, + + [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI', Mandatory, ValueFromPipeline)] + [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation', Mandatory, ValueFromPipeline)] + [Parameter(ParameterSetName = 'UpdateViaIdentityNRT', Mandatory, ValueFromPipeline)] + [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled', Mandatory, ValueFromPipeline)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity] + # Identity Parameter + # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ ${InputObject}, + + [Parameter(ParameterSetName = 'UpdateFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + ${FusionMLorTI}, + + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + ${MicrosoftSecurityIncidentCreation}, + + [Parameter(ParameterSetName = 'UpdateNRT')] + [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + ${NRT}, + + [Parameter(ParameterSetName = 'UpdateScheduled')] + [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + ${Scheduled}, + + [Parameter(ParameterSetName = 'UpdateFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateNRT')] + [Parameter(ParameterSetName = 'UpdateScheduled')] + [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] + [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AlertRuleTemplateName}, + + [Parameter(ParameterSetName = 'UpdateFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateNRT')] + [Parameter(ParameterSetName = 'UpdateScheduled')] + [Parameter(ParameterSetName 
= 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Enabled},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesExcludeFilter},
+
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName]
+ ${ProductFilter},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]]
+ #High, Medium, Low, Informational
+ ${SeveritiesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Query},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayName},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${SuppressionDuration},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${SuppressionEnabled},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity]
+ ${Severity},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic]
+ [System.String]
+ ${Tactic},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${CreateIncident},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${GroupingConfigurationEnabled},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${ReOpenClosedIncident},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${LookbackDuration},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '"AllEntities"')]
+ [ValidateSet('AllEntities', 'AnyAlert', 'Selected')]
+ [System.String]
+ ${MatchingMethod},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail]
+ ${GroupByAlertDetail},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [string[]]
+ ${GroupByCustomDetail},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]
+ ${GroupByEntity},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping]
+ ${EntityMapping},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDescriptionFormat},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDisplayNameFormat},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertSeverityColumnName},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertTacticsColumnName},
+
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryFrequency},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator]
+ ${TriggerOperator},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [int]
+ ${TriggerThreshold},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind]
+ ${EventGroupingSettingAggregationKind},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ $null = $PSBoundParameters.Remove('FusionMLorTI')
+ $null = $PSBoundParameters.Remove('MicrosoftSecurityIncidentCreation')
+ $null = $PSBoundParameters.Remove('NRT')
+ $null = $PSBoundParameters.Remove('Scheduled')
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if($PSBoundParameters['InputObject']){
+ $GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject'])
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $GetPSBoundParameters.Add('RuleId', $PSBoundParameters['RuleId'])
+ }
+ $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule @GetPSBoundParameters
+
+ #Fusion
+ if ($AlertRule.Kind -eq 'Fusion'){
+ If($PSBoundParameters['AlertTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+ #MSIC
+ if($AlertRule.Kind -eq 'MicrosoftSecurityIncidentCreation'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['DisplayNamesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesFilter')
+ }
+
+ If($PSBoundParameters['DisplayNamesExcludeFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesExcludeFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter')
+ }
+
+ If($PSBoundParameters['ProductFilter']){
+ $AlertRule.ProductFilter = $PSBoundParameters['ProductFilter']
+ $null = $PSBoundParameters.Remove('ProductFilter')
+ }
+
+ If($PSBoundParameters['SeveritiesFilter']){
+ $Parameter.Enabled = $PSBoundParameters['SeveritiesFilter']
+ $null = $PSBoundParameters.Remove('SeveritiesFilter')
+ }
+ }
+ #ML
+ if ($AlertRule.Kind -eq 'MLBehaviorAnalytics'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ #NRT
+ if($AlertRule.Kind -eq 'NRT'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.Enabled = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $PSBoundParameters['Enabled']
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['Query']){
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+ }
+
+ If($PSBoundParameters['DisplayName']){
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+ }
+
+ If($PSBoundParameters['SuppressionDuration']){
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+ }
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $true
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ If($PSBoundParameters['Severity']){
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+ }
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['IncidentConfigurationCreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $true
+ $null = $PSBoundParameters.Remove('IncidentConfigurationCreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.GroupingConfigurationEnabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $true
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+ }
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ }
+ #Scheduled
+ if ($AlertRule.Kind -eq 'Scheduled'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.Enabled = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $PSBoundParameters['Enabled']
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['Query']){
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+ }
+
+ If($PSBoundParameters['DisplayName']){
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+ }
+
+ If($PSBoundParameters['SuppressionDuration']){
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+ }
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $true
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ If($PSBoundParameters['Severity']){
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+ }
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['CreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $true
+ $null = $PSBoundParameters.Remove('CreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['GroupingConfigurationEnabled']){
+ $AlertRule.GroupingConfigurationEnabled = $true
+ $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident']
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+ }
+
+ If($PSBoundParameters['MatchingMethod']){
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+ }
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ If($PSBoundParameters['QueryFrequency']){
+ $AlertRule.QueryFrequency = $PSBoundParameters['QueryFrequency']
+ $null = $PSBoundParameters.Remove('QueryFrequency')
+ }
+
+ If($PSBoundParameters['QueryPeriod']){
+ $AlertRule.QueryPeriod = $PSBoundParameters['QueryPeriod']
+ $null = $PSBoundParameters.Remove('QueryPeriod')
+ }
+
+ If($PSBoundParameters['TriggerOperator']){
+ $AlertRule.TriggerOperator = $PSBoundParameters['TriggerOperator']
+ $null = $PSBoundParameters.Remove('TriggerOperator')
+ }
+
+ If($PSBoundParameters['TriggerThreshold']){
+ $AlertRule.TriggerThreshold = $PSBoundParameters['TriggerThreshold']
+ $null = $PSBoundParameters.Remove('TriggerThreshold')
+ }
+
+ If($PSBoundParameters['EventGroupingSettingAggregationKind']){
+ $AlertRule.EventGroupingSettingAggregationKind = $PSBoundParameters['EventGroupingSettingAggregationKind']
+ $null = $PSBoundParameters.Remove('EventGroupingSettingAggregationKind')
+ }
+ }
+ #TI
+ if ($AlertRule.Kind -eq 'ThreatIntelligence'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ $null = $PSBoundParameters.Add('AlertRule', $AlertRule)
+
+ Az.SecurityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
new file mode 100644
index 000000000000..ac285003f984
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
@@ -0,0 +1,831 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates the data connector.
+.Description
+Updates the data connector.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentineldataconnector
+#>
+function Update-AzSentinelDataConnector {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateAADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Id of the Data Connector.
+ ${DataConnectorId},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365', Mandatory, ValueFromPipeline)]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')]
+ [System.String]
+ # The TenantId.
+ ${TenantId},
+
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # ASC Subscription Id.
+ ${ASCSubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Alerts},
+
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CommonDataServiceActivity},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DiscoveryLogs},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${BingSafetyPhishinURL},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${BingSafetyPhishingUrlLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeed},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeedLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Incidents},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+
[ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Exchange}, + + [Parameter(ParameterSetName = 'UpdateOffice365')] + [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${SharePoint}, + + [Parameter(ParameterSetName = 'UpdateOffice365')] + [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Teams}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligence')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Indicators}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${WorkspaceId}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${FriendlyName}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${APIRootURL}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 
'UpdateViaIdentityThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${CollectionId}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UserName}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Password}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${TaxiiLookbackPeriod}, + + [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] + [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency] + ${PollingFrequency}, + + [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')] + [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')] + [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')] + [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AWSRoleArn}, + + [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')] + [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')] + [Parameter(ParameterSetName = 
'UpdateViaIdentityAmazonWebServicesCloudTrail')] + [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Logs}, + + [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')] + [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [String[]] + ${SQSURL}, + + [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')] + [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DetinationTable}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigTitle}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigPublisher}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigDescriptionMarkdown}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigCustomImage}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigGraphQueriesTableName}, + + 
[Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]] + ${UiConfigGraphQuery}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]] + ${UiConfigSampleQuery}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]] + ${UiConfigDataType}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]] + ${UiConfigConnectivityCriterion}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Bool] + ${AvailabilityIsPreview}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 1)] + [Int] + ${AvailabilityStatus}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]] + ${PermissionResourceProvider}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]] + ${PermissionCustom}, + + [Parameter(ParameterSetName = 'UpdateGenericUI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]] + ${UiConfigInstructionStep}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + #Handle Get + $GetPSBoundParameters = @{} + if ($PSBoundParameters['InputObject']) { + 
$GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject']) + } + else { + $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName']) + $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName']) + $GetPSBoundParameters.Add('DataConnectorId', $PSBoundParameters['DataConnectorId']) + } + $DataConnector = Az.SecurityInsights\Get-AzSentinelDataConnector @GetPSBoundParameters + + + if ($DataConnector.Kind -eq 'AzureActiveDirectory') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + If ($PSBoundParameters['Alerts']) { + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if ($DataConnector.Kind -eq 'AzureAdvancedThreatProtection') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + If ($PSBoundParameters['Alerts']) { + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if ($DataConnector.Kind -eq 'Dynamics365') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['CommonDataServiceActivity']) { + $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity'] + $null = $PSBoundParameters.Remove('CommonDataServiceActivity') + } + } + if ($DataConnector.Kind -eq 'MicrosoftCloudAppSecurity') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['Alerts']) { + $DataConnector.DataTypeAlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + + If 
($PSBoundParameters['DiscoveryLogs']) { + $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLogs'] + $null = $PSBoundParameters.Remove('DiscoveryLogs') + } + } + if ($DataConnector.Kind -eq 'MicrosoftDefenderAdvancedThreatProtection') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['Alerts']) { + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if ($DataConnector.Kind -eq 'MicrosoftThreatIntelligence') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['BingSafetyPhishinURL']) { + $DataConnector.BingSafetyPhishingUrlState = $PSBoundParameters['BingSafetyPhishinURL'] + $null = $PSBoundParameters.Remove('BingSafetyPhishinURL') + } + + If ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod']) { + if ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneDay') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneWeek') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneMonth') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'All') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + $null = 
$PSBoundParameters.Remove('BingSafetyPhishingUrlLookbackPeriod') + } + + If ($PSBoundParameters['MicrosoftEmergingThreatFeed']) { + $DataConnector.MicrosoftEmergingThreatFeedState = $PSBoundParameters['MicrosoftEmergingThreatFeed'] + $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeed') + } + + If ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod']) { + if ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneDay') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneWeek') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneMonth') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'All') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod') + } + } + if ($DataConnector.Kind -eq 'MicrosoftThreatProtection') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['Incidents']) { + $DataConnector.IncidentState = $PSBoundParameters['Incidents'] + $null = $PSBoundParameters.Remove('Incidents') + } + } + if ($DataConnector.Kind -eq 'Office365') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If 
($PSBoundParameters['Exchange']) { + $DataConnector.ExchangeState = $PSBoundParameters['Exchange'] + $null = $PSBoundParameters.Remove('Exchange') + } + + If ($PSBoundParameters['SharePoint']) { + $DataConnector.SharePointState = $PSBoundParameters['SharePoint'] + $null = $PSBoundParameters.Remove('SharePoint') + } + + If ($PSBoundParameters['Teams']) { + $DataConnector.TeamState = $PSBoundParameters['Teams'] + $null = $PSBoundParameters.Remove('Teams') + } + } + if ($DataConnector.Kind -eq 'OfficeATP') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['Alerts']) { + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if ($DataConnector.Kind -eq 'OfficeIRM') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['Alerts']) { + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if ($DataConnector.Kind -eq 'ThreatIntelligence') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['Indicators']) { + $DataConnector.IndicatorState = $PSBoundParameters['Indicators'] + $null = $PSBoundParameters.Remove('Indicators') + } + } + if ($DataConnector.Kind -eq 'ThreatIntelligenceTaxii') { + If ($PSBoundParameters['TenantId']) { + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + } + + If ($PSBoundParameters['FriendlyName']) { + $DataConnector.FriendlyName = $PSBoundParameters['FriendlyName'] + $null = $PSBoundParameters.Remove('FriendlyName') + } + + If ($PSBoundParameters['APIRootURL']) { + $DataConnector.TaxiiServer = 
$PSBoundParameters['APIRootURL'] + $null = $PSBoundParameters.Remove('APIRootURL') + } + + If ($PSBoundParameters['CollectionId']) { + $DataConnector.CollectionId = $PSBoundParameters['CollectionId'] + $null = $PSBoundParameters.Remove('CollectionId') + } + + If ($PSBoundParameters['UserName']) { + $DataConnector.UserName = $PSBoundParameters['UserName'] + $null = $PSBoundParameters.Remove('UserName') + } + + If ($PSBoundParameters['Password']) { + $DataConnector.Password = $PSBoundParameters['Password'] + $null = $PSBoundParameters.Remove('Password') + } + + If ($PSBoundParameters['WorkspaceId']) { + $DataConnector.WorkspaceId = $PSBoundParameters['WorkspaceId'] + $null = $PSBoundParameters.Remove('WorkspaceId') + } + + if ($PSBoundParameters['PollingFrequency']) { + if ($PSBoundParameters['PollingFrequency'] -eq 'OnceADay') { + $DataConnector.PollingFrequency = "OnceADay" + } + elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAMinute') { + $DataConnector.PollingFrequency = "OnceAMinute" + } + elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAnHour') { + $DataConnector.PollingFrequency = "OnceAnHour" + } + $null = $PSBoundParameters.Remove('PollingFrequency') + } + } + if ($DataConnector.Kind -eq 'AzureSecurityCenter') { + If ($PSBoundParameters['ASCSubscriptionId']) { + $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId'] + $null = $PSBoundParameters.Remove('ASCSubscriptionId') + } + + If ($PSBoundParameters['Alerts']) { + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if ($DataConnector.Kind -eq 'AmazonWebServicesCloudTrail') { + If ($PSBoundParameters['AWSRoleArn']) { + $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn'] + $null = $PSBoundParameters.Remove('AWSRoleArn') + } + + If ($PSBoundParameters['Logs']) { + $DataConnector.LogState = $PSBoundParameters['Logs'] + $null = $PSBoundParameters.Remove('Logs') + } + } + if ($DataConnector.Kind -eq 
'AmazonWebServicesS3') { + If ($PSBoundParameters['AWSRoleArn']) { + $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn'] + $null = $PSBoundParameters.Remove('AWSRoleArn') + } + + If ($PSBoundParameters['Logs']) { + $DataConnector.LogState = $PSBoundParameters['Logs'] + $null = $PSBoundParameters.Remove('Logs') + } + + If ($PSBoundParameters['SQSURL']) { + $DataConnector.SqsUrl = $PSBoundParameters['SQSURL'] + $null = $PSBoundParameters.Remove('SQSURL') + } + If ($PSBoundParameters['DetinationTable']) { + $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable'] + $null = $PSBoundParameters.Remove('DetinationTable') + } + } + if ($DataConnector.Kind -eq 'GenericUI') { + If ($PSBoundParameters['UiConfigTitle']) { + $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle'] + $null = $PSBoundParameters.Remove('UiConfigTitle') + } + If ($PSBoundParameters['UiConfigPublisher']) { + $DataConnector.ConnectorUiConfigPublisher = $PSBoundParameters['UiConfigPublisher'] + $null = $PSBoundParameters.Remove('UiConfigPublisher') + } + If ($PSBoundParameters['UiConfigDescriptionMarkdown']) { + $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown'] + $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown') + } + If ($PSBoundParameters['UiConfigCustomImage']) { + $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage'] + $null = $PSBoundParameters.Remove('UiConfigCustomImage') + } + If ($PSBoundParameters['UiConfigGraphQueriesTableName']) { + $DataConnector.ConnectorUiConfigGraphQueriesTableName = $PSBoundParameters['UiConfigGraphQueriesTableName'] + $null = $PSBoundParameters.Remove('UiConfigGraphQueriesTableName') + } + If ($PSBoundParameters['UiConfigGraphQuery']) { + $DataConnector.ConnectorUiConfigGraphQuery = $PSBoundParameters['UiConfigGraphQuery'] + $null = $PSBoundParameters.Remove('UiConfigGraphQuery') + } + If 
($PSBoundParameters['UiConfigSampleQuery']) { + $DataConnector.ConnectorUiConfigSampleQuery = $PSBoundParameters['UiConfigSampleQuery'] + $null = $PSBoundParameters.Remove('UiConfigSampleQuery') + } + If ($PSBoundParameters['UiConfigDataType']) { + $DataConnector.ConnectorUiConfigDataType = $PSBoundParameters['UiConfigDataType'] + $null = $PSBoundParameters.Remove('UiConfigDataType') + } + If ($PSBoundParameters['UiConfigConnectivityCriterion']) { + $DataConnector.ConnectorUiConfigConnectivityCriterion = $PSBoundParameters['UiConfigConnectivityCriterion'] + $null = $PSBoundParameters.Remove('UiConfigConnectivityCriterion') + } + If ($PSBoundParameters['AvailabilityIsPreview']) { + $DataConnector.AvailabilityIsPreview = $PSBoundParameters['AvailabilityIsPreview'] + $null = $PSBoundParameters.Remove('AvailabilityIsPreview') + } + If ($PSBoundParameters['AvailabilityStatus']) { + $DataConnector.AvailabilityStatus = $PSBoundParameters['AvailabilityStatus'] + $null = $PSBoundParameters.Remove('AvailabilityStatus') + } + If ($PSBoundParameters['PermissionResourceProvider']) { + $DataConnector.PermissionResourceProvider = $PSBoundParameters['PermissionResourceProvider'] + $null = $PSBoundParameters.Remove('PermissionResourceProvider') + } + If ($PSBoundParameters['PermissionCustom']) { + $DataConnector.DestinationTable = $PSBoundParameters['PermissionCustom'] + $null = $PSBoundParameters.Remove('PermissionCustom') + } + If ($PSBoundParameters['UiConfigInstructionStep']) { + $DataConnector.ConnectorUiConfigInstructionStep = $PSBoundParameters['UiConfigInstructionStep'] + $null = $PSBoundParameters.Remove('UiConfigInstructionStep') + } + } + + $null = $PSBoundParameters.Add('DataConnector', $DataConnector) + Az.SecurityInsights.internal\Update-AzSentinelDataConnector @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1
new file mode 100644
index 000000000000..9ba61bf4ccac
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1
@@ -0,0 +1,262 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Updates the entity query. +.Description +Updates the entity query. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelentityquery +#> +function Update-AzSentinelEntityQuery { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])] + [CmdletBinding(DefaultParameterSetName = 'UpdateActivity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter(ParameterSetName = 'UpdateActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. 
+ ${ResourceGroupName}, + + [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + #[Alias('DataConnectionName')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Id of the Entity Query. + ${EntityQueryId}, + + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity', Mandatory, ValueFromPipeline)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity] + # Identity Parameter + # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + ${InputObject}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Title}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Content}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Description}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${QueryDefinitionQuery}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType] + ${InputEntityType}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [String[]] + ${RequiredInputFieldsSet}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter] + ${EntitiesFilter}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${TemplateName}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Enabled}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Disabled}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + #Handle Get + $GetPSBoundParameters = @{} + if($PSBoundParameters['InputObject']){ + 
$GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject']) + } + else { + $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName']) + $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName']) + $GetPSBoundParameters.Add('EntityQueryId', $PSBoundParameters['EntityQueryId']) + } + $EntityQuery = Az.SecurityInsights\Get-AzSentinelEntityQuery @GetPSBoundParameters + + if ($EntityQuery.Kind -eq 'Activity'){ + If($PSBoundParameters['Title']){ + $EntityQuery.Title = $PSBoundParameters['Title'] + $null = $PSBoundParameters.Remove('Title') + } + + If($PSBoundParameters['Content']){ + $EntityQuery.Content = $PSBoundParameters['Content'] + $null = $PSBoundParameters.Remove('Content') + } + + If($PSBoundParameters['Description']){ + $EntityQuery.Description = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + } + + If($PSBoundParameters['QueryDefinitionQuery']){ + $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery'] + $null = $PSBoundParameters.Remove('QueryDefinitionQuery') + } + + If($PSBoundParameters['InputEntityType']){ + $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType'] + $null = $PSBoundParameters.Remove('InputEntityType') + } + + If($PSBoundParameters['RequiredInputFieldsSet']){ + $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet'] + $null = $PSBoundParameters.Remove('RequiredInputFieldsSet') + } + + If($PSBoundParameters['EntitiesFilter']){ + $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter'] + $null = $PSBoundParameters.Remove('EntitiesFilter') + } + + If($PSBoundParameters['TemplateName']){ + $EntityQuery.TemplateName = $PSBoundParameters['TemplateName'] + $null = $PSBoundParameters.Remove('TemplateName') + } + + If($PSBoundParameters['Enabled']){ + $EntityQuery.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + + If($PSBoundParameters['Disabled']){ + 
$EntityQuery.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') + } + } + else { + Write-Error "This cmdlet only works with Entity Queries of the Activity kind." + break + } + + $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery) + + Az.SecurityInsights.internal\Update-AzSentinelEntityQuery @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 new file mode 100644 index 000000000000..ce94d00a7d27 --- /dev/null +++ b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 
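Review bot: The lookup in the process block builds `$GetPSBoundParameters` from only ResourceGroupName, WorkspaceName and EntityQueryId, so a caller-supplied `-SubscriptionId` or `-DefaultProfile` is applied to the internal Update but not to the preceding Get-AzSentinelEntityQuery; the Get then runs against the ambient context's subscription and credentials and can fetch a different object from the one being updated, or fail where the update would have succeeded. Forward them when bound, e.g. `foreach ($p in 'SubscriptionId','DefaultProfile') { if ($PSBoundParameters.ContainsKey($p)) { $GetPSBoundParameters[$p] = $PSBoundParameters[$p] } }`. Separately, the non-Activity branch uses `Write-Error` followed by `break`; `break` outside a loop propagates out of the function and can terminate a loop in the caller, so `throw` (or `return`) is the safer way to stop here. `-Enabled` and `-Disabled` are not declared mutually exclusive, and when both are passed the later `Disabled` block silently wins.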
@@ -0,0 +1,246 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Updates setting. +.Description +Updates setting. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelsetting +#> +function Update-AzSentinelSetting { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings])] + [CmdletBinding(DefaultParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateExpandedUeba')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. 
+ ${SubscriptionId}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. + ${ResourceGroupName}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + #[Alias('DataConnectionName')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.SettingKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + # The setting Name + ${SettingsName}, + + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory, ValueFromPipeline)] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory, ValueFromPipeline)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity] + # Identity Parameter + # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ ${InputObject}, + + #Anomalies + #.EyesOn + #.EntityAnalytics + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Enabled}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Disabled}, + + #.Ueba + [Parameter(ParameterSetName = 'UpdateExpandedUeba')] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[]] + ${DataSource}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + #Handle Get + $GetPSBoundParameters = @{} + if($PSBoundParameters['InputObject']){ + 
$GetPSBoundParameters.Add('ResourceGroupName', ($PSBoundParameters['InputObject']).Id.Split('/')[4]) + $GetPSBoundParameters.Add('WorkspaceName', ($PSBoundParameters['InputObject']).Id.Split('/')[8]) + $Name = ($PSBoundParameters['InputObject']).Name + } + else { + $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName']) + $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName']) + $Name = $PSBoundParameters['SettingsName'] + } + if($Name -eq 'Ueba'){ + $GetPSBoundParameters.Add('SettingsName', 'Ueba') + $ueba = Az.SecurityInsights\Get-AzSentinelSetting @GetPSBoundParameters + } + else{ + $Settings = Az.SecurityInsights\Get-AzSentinelSetting @GetPSBoundParameters + } + + + if ($Name -eq 'Anomalies'){ + If($PSBoundParameters['Enabled']){ + if($Settings.Name -contains 'Anomalies'){ + Write-Host "$Name is already Enabled!" -ForegroundColor Green + } + else{ + Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name + } + } + + If($PSBoundParameters['Disabled']){ + if($Settings.Name -contains 'Anomalies'){ + Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name + } + else{ + Write-Host "$Name is already Disabled!" -ForegroundColor Green + } + } + } + if ($Name -eq 'EyesOn'){ + If($PSBoundParameters['Enabled']){ + if($Settings.Name -contains 'EyesOn'){ + Write-Host "$Name is already Enabled!" 
-ForegroundColor Green + } + else{ + Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name + } + } + + If($PSBoundParameters['Disabled']){ + if($Settings.Name -contains 'EyesOn'){ + Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name + } + else{ + Write-Host "$Name is already Disabled!" -ForegroundColor Green + } + } + } + if ($Name -eq 'EntityAnalytics'){ + If($PSBoundParameters['Enabled']){ + if($Settings.Name -contains 'EntityAnalytics'){ + Write-Host "$Name is already Enabled!" -ForegroundColor Green + } + else{ + Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name + } + } + + If($PSBoundParameters['Disabled']){ + if($Settings.Name -contains 'EntityAnalytics'){ + Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name + } + else{ + Write-Host "$Name is already Disabled!" -ForegroundColor Green + } + } + } + + if ($Name -eq 'Ueba'){ + If($PSBoundParameters['DataSource']){ + $ueba.DataSource = $PSBoundParameters['DataSource'] + $null = $PSBoundParameters.Remove('DataSource') + } + $null = $PSBoundParameters.Add('Setting', $Setting) + Az.SecurityInsights.internal\Update-AzSentinelSetting @PSBoundParameters + } + } + catch { + throw + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/docs/Az.SecurityInsights.md b/src/SecurityInsights/docs/Az.SecurityInsights.md new file mode 100644 index 000000000000..6da288f0a70f --- /dev/null +++ b/src/SecurityInsights/docs/Az.SecurityInsights.md 
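Review bot: In the Ueba branch `$null = $PSBoundParameters.Add('Setting', $Setting)` references `$Setting`, which is never assigned anywhere in this function; the object fetched and modified just above is `$ueba`, so the internal Update-AzSentinelSetting receives a null body and the `-DataSource` change is never sent. It should read `$null = $PSBoundParameters.Add('Setting', $ueba)`. The InputObject path also derives the resource group and workspace by position with `.Id.Split('/')[4]` and `[8]`, which silently yields wrong names if the identity's Id is not a full ARM resource path; a guard such as `if (-not $PSBoundParameters['InputObject'].Id) { throw 'InputObject.Id is required' }` would at least fail loudly instead of updating the wrong scope. The three Anomalies/EyesOn/EntityAnalytics blocks are identical apart from the name and could be one branch on `$Name -in 'Anomalies','EyesOn','EntityAnalytics'`; the status messages use Write-Host, which bypasses the output streams and cannot be captured or suppressed by callers, so Write-Information or Write-Verbose would be the conventional choice.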
@@ -0,0 +1,202 @@ +--- +Module Name: Az.SecurityInsights +Module Guid: 3a0e09d6-7b89-4078-a565-5db26e7455b8 +Download Help Link: https://docs.microsoft.com/powershell/module/az.securityinsights +Help Version: 1.0.0.0 +Locale: en-US +--- + +# Az.SecurityInsights Module +## Description +Microsoft Azure PowerShell: SecurityInsights cmdlets + +## Az.SecurityInsights Cmdlets +### [Get-AzSentinelAlertRule](Get-AzSentinelAlertRule.md) +Gets the alert rule. + +### [Get-AzSentinelAlertRuleAction](Get-AzSentinelAlertRuleAction.md) +Gets the action of alert rule. + +### [Get-AzSentinelAlertRuleTemplate](Get-AzSentinelAlertRuleTemplate.md) +Gets the alert rule template. + +### [Get-AzSentinelAutomationRule](Get-AzSentinelAutomationRule.md) +Gets the automation rule. + +### [Get-AzSentinelBookmark](Get-AzSentinelBookmark.md) +Gets a bookmark. + +### [Get-AzSentinelBookmarkRelation](Get-AzSentinelBookmarkRelation.md) +Gets a bookmark relation. + +### [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md) +Gets a data connector. + +### [Get-AzSentinelEnrichment](Get-AzSentinelEnrichment.md) +Get geodata for a single IP address + +### [Get-AzSentinelEntity](Get-AzSentinelEntity.md) +Gets an entity. + +### [Get-AzSentinelEntityActivity](Get-AzSentinelEntityActivity.md) +Get Insights and Activities for an entity. + +### [Get-AzSentinelEntityInsight](Get-AzSentinelEntityInsight.md) +Execute Insights for an entity. + +### [Get-AzSentinelEntityQuery](Get-AzSentinelEntityQuery.md) +Gets an entity query. + +### [Get-AzSentinelEntityQueryTemplate](Get-AzSentinelEntityQueryTemplate.md) +Gets an entity query. + +### [Get-AzSentinelEntityRelation](Get-AzSentinelEntityRelation.md) +Gets an entity relation. + +### [Get-AzSentinelEntityTimeline](Get-AzSentinelEntityTimeline.md) +Timeline for an entity. + +### [Get-AzSentinelIncident](Get-AzSentinelIncident.md) +Gets an incident. + +### [Get-AzSentinelIncidentAlert](Get-AzSentinelIncidentAlert.md) +Gets all incident alerts. 
+ +### [Get-AzSentinelIncidentBookmark](Get-AzSentinelIncidentBookmark.md) +Gets all incident bookmarks. + +### [Get-AzSentinelIncidentComment](Get-AzSentinelIncidentComment.md) +Gets an incident comment. + +### [Get-AzSentinelIncidentEntity](Get-AzSentinelIncidentEntity.md) +Gets all incident related entities. + +### [Get-AzSentinelIncidentRelation](Get-AzSentinelIncidentRelation.md) +Gets an incident relation. + +### [Get-AzSentinelMetadata](Get-AzSentinelMetadata.md) +Get a Metadata. + +### [Get-AzSentinelOnboardingState](Get-AzSentinelOnboardingState.md) +Get Sentinel onboarding state + +### [Get-AzSentinelSetting](Get-AzSentinelSetting.md) +Gets a setting. + +### [Get-AzSentinelSourceControlRepository](Get-AzSentinelSourceControlRepository.md) +Gets a list of repositories metadata. + +### [Get-AzSentinelThreatIntelligenceIndicator](Get-AzSentinelThreatIntelligenceIndicator.md) +View a threat intelligence indicator by name. + +### [Get-AzSentinelThreatIntelligenceIndicatorMetric](Get-AzSentinelThreatIntelligenceIndicatorMetric.md) +Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source). + +### [Invoke-AzSentinelThreatIntelligenceIndicatorQuery](Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md) +Query threat intelligence indicators as per filtering criteria. + +### [New-AzSentinelAlertRule](New-AzSentinelAlertRule.md) +Creates or updates the alert rule. + +### [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md) +Creates or updates the action of alert rule. + +### [New-AzSentinelAutomationRule](New-AzSentinelAutomationRule.md) +Creates or updates the automation rule. + +### [New-AzSentinelBookmark](New-AzSentinelBookmark.md) +Creates or updates the bookmark. + +### [New-AzSentinelBookmarkRelation](New-AzSentinelBookmarkRelation.md) +Creates the bookmark relation. + +### [New-AzSentinelDataConnector](New-AzSentinelDataConnector.md) +Creates or updates the data connector. 
+ +### [New-AzSentinelEntityQuery](New-AzSentinelEntityQuery.md) +Creates or updates the entity query. + +### [New-AzSentinelIncident](New-AzSentinelIncident.md) +Creates or updates the incident. + +### [New-AzSentinelIncidentComment](New-AzSentinelIncidentComment.md) +Creates or updates the incident comment. + +### [New-AzSentinelIncidentRelation](New-AzSentinelIncidentRelation.md) +Creates or updates the incident relation. + +### [New-AzSentinelIncidentTeam](New-AzSentinelIncidentTeam.md) +Creates a Microsoft team to investigate the incident by sharing information and insights between participants. + +### [New-AzSentinelOnboardingState](New-AzSentinelOnboardingState.md) +Create Sentinel onboarding state + +### [Remove-AzSentinelAlertRule](Remove-AzSentinelAlertRule.md) +Delete the alert rule. + +### [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md) +Delete the action of alert rule. + +### [Remove-AzSentinelAutomationRule](Remove-AzSentinelAutomationRule.md) +Delete the automation rule. + +### [Remove-AzSentinelBookmark](Remove-AzSentinelBookmark.md) +Delete the bookmark. + +### [Remove-AzSentinelBookmarkRelation](Remove-AzSentinelBookmarkRelation.md) +Delete the bookmark relation. + +### [Remove-AzSentinelDataConnector](Remove-AzSentinelDataConnector.md) +Delete the data connector. + +### [Remove-AzSentinelEntityQuery](Remove-AzSentinelEntityQuery.md) +Delete the entity query. + +### [Remove-AzSentinelIncident](Remove-AzSentinelIncident.md) +Delete the incident. + +### [Remove-AzSentinelIncidentComment](Remove-AzSentinelIncidentComment.md) +Delete the incident comment. + +### [Remove-AzSentinelIncidentRelation](Remove-AzSentinelIncidentRelation.md) +Delete the incident relation. + +### [Remove-AzSentinelOnboardingState](Remove-AzSentinelOnboardingState.md) +Delete Sentinel onboarding state + +### [Test-AzSentinelDataConnectorCheckRequirement](Test-AzSentinelDataConnectorCheckRequirement.md) +Get requirements state for a data connector type. 
+ +### [Update-AzSentinelAlertRule](Update-AzSentinelAlertRule.md) +Updates the alert rule. + +### [Update-AzSentinelAlertRuleAction](Update-AzSentinelAlertRuleAction.md) +Creates or updates the action of alert rule. + +### [Update-AzSentinelAutomationRule](Update-AzSentinelAutomationRule.md) +Creates or updates the automation rule. + +### [Update-AzSentinelBookmark](Update-AzSentinelBookmark.md) +Creates or updates the bookmark. + +### [Update-AzSentinelBookmarkRelation](Update-AzSentinelBookmarkRelation.md) +Creates the bookmark relation. + +### [Update-AzSentinelDataConnector](Update-AzSentinelDataConnector.md) +Updates the data connector. + +### [Update-AzSentinelEntityQuery](Update-AzSentinelEntityQuery.md) +Updates the entity query. + +### [Update-AzSentinelIncident](Update-AzSentinelIncident.md) +Creates or updates the incident. + +### [Update-AzSentinelIncidentComment](Update-AzSentinelIncidentComment.md) +Creates or updates the incident comment. + +### [Update-AzSentinelIncidentRelation](Update-AzSentinelIncidentRelation.md) +Creates or updates the incident relation. + +### [Update-AzSentinelSetting](Update-AzSentinelSetting.md) +Updates setting. + diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md new file mode 100644 index 000000000000..5e852e4a7111 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md 
@@ -0,0 +1,229 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertrule +schema: 2.0.0 +--- + +# Get-AzSentinelAlertRule + +## SYNOPSIS +Gets the alert rule. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelAlertRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelAlertRule -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets the alert rule. + +## EXAMPLES + +### Example 1: List all Alert Rules +```powershell +PS C:\> Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command lists all Alert Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Alert Rule +```powershell +PS C:\> Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "d6c7a42b-c0da-41ef-9629-b3d2d407b181" + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule. 
+ +### Example 3: Get an Alert Rule by object Id +```powershell +PS C:\> $rules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $rules[0] | Get-AzSentinelAlertRule + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule by object + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +Alert rule ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. 
+ - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md new file mode 100644 index 000000000000..cb04cc8c4238 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md 
@@ -0,0 +1,207 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Gets the action of alert rule.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAlertRuleAction -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the action of alert rule.
+
+## EXAMPLES
+
+### Example 1: List all Actions for a given Alert Rule
+```powershell
+PS C:\> Get-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "myRuleId"
+
+LogicAppResourceId : /subscriptions/174b1a81-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/A-Demo-1
+Name : f32239c5-cb9c-48da-a3f6-bd5bd3d924a4
+WorkflowId : 3c73d72560fa4cb6a72a0f10d3a80940
+
+LogicAppResourceId : /subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/EmptyPlaybook
+Name : cf815c77-bc65-4c02-946f-d81e15e9a100
+WorkflowId : 1ac8ccb8bd134253b4baf0c75fe3ecc6
+```
+
+This command lists all Actions for a given Alert Rule.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Action ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: ActionId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md
new file mode 100644
index 000000000000..f28d64f505fa
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md
@@ -0,0 +1,217 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertruletemplate
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRuleTemplate
+
+## SYNOPSIS
+Gets the alert rule template.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAlertRuleTemplate -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAlertRuleTemplate -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAlertRuleTemplate -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the alert rule template.
+
+## EXAMPLES
+
+### Example 1: List all Alert Rule Templates
+```powershell
+PS C:\> Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+DisplayName : TI map IP entity to GitHub_CL
+Description : Identifies a match in GitHub_CL table from any IP IOC from TI
+CreatedDateUtc : 8/27/2019 12:00:00 AM
+LastUpdatedDateUtc : 10/19/2021 12:00:00 AM
+Kind : Scheduled
+Severity : Medium
+Name : aac495a9-feb1-446d-b08e-a1164a539452
+
+DisplayName : Accessed files shared by temporary external user
+Description : This detection identifies an external user is added to a Team or Teams chat
+ and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
+ an indicator of suspicious activity.
+CreatedDateUtc : 8/18/2020 12:00:00 AM
+LastUpdatedDateUtc : 1/3/2022 12:00:00 AM
+Kind : Scheduled
+Severity : Low
+Name : bff058b2-500e-4ae5-bb49-a5b1423cbd5b
+```
+
+This command lists all Alert Rule Templates under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Alert Rule Template
+```powershell
+PS C:\> Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myRuaac495a9-feb1-446d-b08e-a1164a539452leTemplateId"
+
+DisplayName : TI map IP entity to GitHub_CL
+Description : Identifies a match in GitHub_CL table from any IP IOC from TI
+CreatedDateUtc : 8/27/2019 12:00:00 AM
+LastUpdatedDateUtc : 10/19/2021 12:00:00 AM
+Kind : Scheduled
+Severity : Medium
+Name : aac495a9-feb1-446d-b08e-a1164a539452
+```
+
+This command gets an Alert Rule Template.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Alert rule template ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: AlertRuleTemplateId, TemplateId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRuleTemplate
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..3ccb4c762e4b
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md
@@ -0,0 +1,208 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelautomationrule
+schema: 2.0.0
+---
+
+# Get-AzSentinelAutomationRule
+
+## SYNOPSIS
+Gets the automation rule.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAutomationRule -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the automation rule.
+
+## EXAMPLES
+
+### Example 1: List all Automation Rules
+```powershell
+PS C:\> Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+DisplayName : VIP automation rule
+CreatedByEmail : luke@contoso.com
+CreatedByUserPrincipalName : luke@contoso.com
+TriggeringLogicIsEnabled : True
+TriggeringLogicTriggersOn : Incidents
+TriggeringLogicTriggersWhen : Created
+Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+
+```
+
+This command lists all Automation Rules under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Automation Rule
+```powershell
+PS C:\> Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "2f32af32-ad13-4fbb-9fbc-e19e0e7ff767"
+
+DisplayName : VIP automation rule
+CreatedByEmail : luke@contoso.com
+CreatedByUserPrincipalName : luke@contoso.com
+TriggeringLogicIsEnabled : True
+TriggeringLogicTriggersOn : Incidents
+TriggeringLogicTriggersWhen : Created
+Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+```
+
+This command gets an Automation Rule.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Automation rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: AutomationRuleId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md
new file mode 100644
index 000000000000..0ef5d7f52295
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md
@@ -0,0 +1,206 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelbookmark
+schema: 2.0.0
+---
+
+# Get-AzSentinelBookmark
+
+## SYNOPSIS
+Gets a bookmark.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelBookmark -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a bookmark.
+
+## EXAMPLES
+
+### Example 1: List all Bookmarks
+```powershell
+PS C:\> Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+DisplayName : SecurityAlert - 28b401e1e0c9
+CreatedByEmail : john@contoso.com
+CreatedByName : John Contoso
+Label : {}
+Note : This needs further investigation
+Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9
+
+```
+
+This command lists all Bookmarks under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Bookmark
+```powershell
+PS C:\> Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "515fc035-2ed8-4fa1-ad7d-28b401e1e0c9"
+
+DisplayName : SecurityAlert - 28b401e1e0c9
+CreatedByEmail : john@contoso.com
+CreatedByName : John Contoso
+Label : {}
+Note : This needs further investigation
+Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9
+```
+
+This command gets a Bookmark.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: BookmarkId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..42e430ecf896
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md
@@ -0,0 +1,292 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelbookmarkrelation
+schema: 2.0.0
+---
+
+# Get-AzSentinelBookmarkRelation
+
+## SYNOPSIS
+Gets a bookmark relation.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelBookmarkRelation -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a bookmark relation.
+
+## EXAMPLES
+
+### Example 1: List all Bookmark Relations for a given Bookmark
+```powershell
+PS C:\> Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command lists all Bookmark Relations for a given Bookmark.
+
+### Example 2: Get a Bookmark Relation
+```powershell
+PS C:\> Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command gets a Bookmark Relation.
+
+### Example 3: Get a Bookmark Relation by object Id
+```powershell
+PS C:\> $Bookmarkrelations = Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+PS C:\> $Bookmarkrelations[0] | Get-AzSentinelBookmarkRelation
+
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command gets a Bookmark by object
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..abb6a94f84e1
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md
@@ -0,0 +1,205 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentineldataconnector +schema: 2.0.0 +--- + +# Get-AzSentinelDataConnector + +## SYNOPSIS +Gets a data connector. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelDataConnector -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets a data connector. + +## EXAMPLES + +### Example 1: List all Data Connectors +```powershell +PS C:\> Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Kind : AzureActiveDirectory +Name : 8207e1f9-a793-4869-afb1-5ad4540d66d1 + +Kind : AzureAdvancedThreatProtection +Name : 1d75aada-a558-4461-986b-c6822182e81d + +Kind : Office365 +Name : 6323c716-83ae-4cfd-bf93-58235c8beb23 + +``` + +This command lists all DataConnectors under a Microsoft Sentinel workspace. + +### Example 2: Get a specific Data Connector +```powershell +PS C:\> Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.kind -eq "Office365"} + +Kind : Office365 +Name : 6323c716-83ae-4cfd-bf93-58235c8beb23 +SharePointState : enabled +``` + +This command gets a specific DataConnector based on kind + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Connector ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: DataConnectorId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IDataConnector + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md new file mode 100644 index 000000000000..ccc91cac511d --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md 
@@ -0,0 +1,224 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelenrichment +schema: 2.0.0 +--- + +# Get-AzSentinelEnrichment + +## SYNOPSIS +Get geodata for a single IP address + +## SYNTAX + +### Get (Default) +``` +Get-AzSentinelEnrichment -ResourceGroupName -IPAddress [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get1 +``` +Get-AzSentinelEnrichment -ResourceGroupName -Domain [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEnrichment -InputObject -IPAddress + [-DefaultProfile ] [] +``` + +### GetViaIdentity1 +``` +Get-AzSentinelEnrichment -InputObject -Domain + [-DefaultProfile ] [] +``` + +## DESCRIPTION +Get geodata for a single IP address + +## EXAMPLES + +### Example 1: Get a Domain Enrichment +```powershell +PS C:\> Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com + +Created : 5/2/1991 12:00:00 AM +Domain : microsoft.com +Expire : 5/3/2022 12:00:00 AM +Server : whois.markmonitor.com +Updated : 3/12/2021 12:00:00 AM +``` + +This command gets an enrichment for a domain. + +### Example 2: Get a IP Enrichment +```powershell +PS C:\> Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" IPAddress "1.1.1.1" + +Asn : 13335 +Carrier : cloudflare +City : ringwood +CityCf : 90 +Continent : oceania +Country : australia +CountryCf : 99 +IPAddr : 1.1.1.1 +IPRoutingType : fixed +Latitude : -37.8143 +Longitude : 145.2274 +Organization : apnic and cloudflare dns resolver project +OrganizationType : Internet Hosting Services +Region : +State : victoria +StateCf : 95 +StateCode : + +``` + +This command an enrichment for an IP Address. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Domain name to be enriched + +```yaml +Type: System.String +Parameter Sets: Get1, GetViaIdentity1 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity, GetViaIdentity1 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -IPAddress +IP address (v4 or v6) to be enriched + +```yaml +Type: System.String +Parameter Sets: Get, GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, Get1 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, Get1 +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEnrichmentDomainWhois + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEnrichmentIPGeodata + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntity.md b/src/SecurityInsights/docs/Get-AzSentinelEntity.md new file mode 100644 index 000000000000..ac448c239ba1 --- /dev/null 
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntity.md 
@@ -0,0 +1,226 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentity +schema: 2.0.0 +--- + +# Get-AzSentinelEntity + +## SYNOPSIS +Gets an entity. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntity -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntity -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntity -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity. + +## EXAMPLES + +### Example 1: List all Entities +```powershell +PS C:\> Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 + +FriendlyName : 186.120.101.12 +Kind : Ip +Name : bb590b07-5ef5-bf85-1c3e-2a04e1e137d2 +``` + +This command lists all Entities under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity +```powershell +PS C:\> Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "8d036a2d-f37d-e936-6cca-4e172687cb79" + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 +``` + +This command gets an Entity. 
+ +### Example 3: Get a Entity by object Id +```powershell +PS C:\> $Entitys = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $Entitys[0] | Get-AzSentinelEntity + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 +``` + +This command gets an Entity by object + +### Example 4: Get a Entity by kind +```powershell +PS C:\> Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Kind -eq "CloudApplication"} + +FriendlyName : Office 365 +Kind : CloudApplication +Name : 8fceb9c4-abe7-7174-aabf-f1dde96a945e +``` + +This command gets an Entity by kind + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +entity ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: EntityId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntity + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md new file mode 100644 index 000000000000..c5a2b5d96b02 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md 
@@ -0,0 +1,145 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityactivity +schema: 2.0.0 +--- + +# Get-AzSentinelEntityActivity + +## SYNOPSIS +Get Insights and Activities for an entity. + +## SYNTAX + +``` +Get-AzSentinelEntityActivity -EntityId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +## DESCRIPTION +Get Insights and Activities for an entity. + +## EXAMPLES + +### Example 1: Get Insights and Activities for an Entity +```powershell +PS C:\> Get-AzSentinelEntityAcivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 + +FriendlyName : HackTool:Win32/Mimikatz.gen!H +Kind : Malware +Name : 876fda24-fe06-62b7-7dca-bced167a0ca3 + +FriendlyName : 52.166.111.66 +Kind : Ip +Name : 4ebb68f3-a435-fac0-d3b6-94712d246f0a +``` + +This command gets insights and activities for an Entity. + +### Example 2: Get Insights and Activities for an Entity by Id +```powershell +PS C:\> $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "4ebb68f3-a435-fac0-d3b6-94712d246f0a" +PS C:\> $Entity | Get-AzSentinelEntityActivity + +``` + +This command gets insights and activies for an Entity by object + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryItem + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md new file mode 100644 index 000000000000..697fe7f36771 --- /dev/null 
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md 
@@ -0,0 +1,242 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityinsight +schema: 2.0.0 +--- + +# Get-AzSentinelEntityInsight + +## SYNOPSIS +Execute Insights for an entity. + +## SYNTAX + +``` +Get-AzSentinelEntityInsight -EntityId -ResourceGroupName -WorkspaceName + -EndTime -StartTime [-SubscriptionId ] [-AddDefaultExtendedTimeRange] + [-InsightQueryId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Execute Insights for an entity. + +## EXAMPLES + +### Example 1: Get Insights for an Entity for a given time range +```powershell +PS C:\> $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> Get-AzSentinelEntityInsight -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime + +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity for a given time range. 
+ +### Example 2: Get Insights for an Entity by entity Id for a given time range +```powershell +PS C:\> $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79" +PS C:\> $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime + +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity by object for a given time range. + +## PARAMETERS + +### -AddDefaultExtendedTimeRange +Indicates if query time range should be extended with default time range of the query. +Default value is false + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The end timeline date, so the results returned are before this date. 
+ +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InsightQueryId +List of Insights Query Id. +If empty, default value is all insights of this entity + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The start timeline date, so the results returned are after this date. + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityGetInsightsResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..856715a20e58 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md 
@@ -0,0 +1,248 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityquery +schema: 2.0.0 +--- + +# Get-AzSentinelEntityQuery + +## SYNOPSIS +Gets an entity query. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Kind ] [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntityQuery -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntityQuery -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity query. + +## EXAMPLES + +### Example 1: List all Entity Queries +```powershell +PS C:\> Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert + +DisplayName : Related alerts +DataSource : {SecurityAlert} +Name : 055a5692-555f-42bd-ac17-923a5a9994ed +InputEntityType : Host +``` + +This command lists all Entity Queries under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query +```powershell +PS C:\> Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryId" + +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets an Entity Query. 
+ +### Example 3: Get an Entity Query by object Id +```powershell +PS C:\> $EntityQueries = Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $EntityQueries[0] | Get-AzSentinelEntityQuery + +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets a Entity Query by object. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +entity query ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: EntityQueryId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Kind +The entity query kind we want to fetch + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQuery + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md new file mode 100644 index 000000000000..2130aabc1197 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md 
@@ -0,0 +1,236 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityquerytemplate +schema: 2.0.0 +--- + +# Get-AzSentinelEntityQueryTemplate + +## SYNOPSIS +Gets an entity query. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntityQueryTemplate -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Kind ] [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntityQueryTemplate -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntityQueryTemplate -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity query. + +## EXAMPLES + +### Example 1: List all Entity Query Templates +```powershell +PS C:\> Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Title : The user has created an account +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa + +Title : The user has deleted an account +Description : This activity displays account deletion events performed by the user +InputEntityType : Account +Kind : Activity +Name : e0459780-ac9d-4b72-8bd4-fecf6b46a0a1 +``` + +This command lists all Entity Query Templates under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query Template +```powershell +PS C:\> Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "d6d08c94-455f-4ea5-8f76-fc6c0c442cfa" + +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets an Entity Query Template. 
+ +### Example 3: Get an Entity Query Template by object Id +```powershell +PS C:\> $EntityQueryTemplates = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $EntityQueryTemplates[0] | Get-AzSentinelEntityQueryTemplate + +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets a Entity Query Template by object. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +entity query template ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: EntityQueryTemplateId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Kind +The entity template query kind we want to fetch + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md
new file mode 100644
index 000000000000..87656f58e69e
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md
@@ -0,0 +1,281 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityrelation +schema: 2.0.0 +--- + +# Get-AzSentinelEntityRelation + +## SYNOPSIS +Gets an entity relation. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntityRelation -EntityId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntityRelation -EntityId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntityRelation -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity relation. + +## EXAMPLES + +### Example 1: List all Entity Relations for a given Entity +```powershell +PS C:\> Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +``` + +This command lists all Entity Relations for a given Entity. + +### Example 2: Get an Entity Relation +```powershell +PS C:\> Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -Id "myEntityRelationId" +``` + +This command gets an Entity Relation for a given Entity. + +### Example 3: Get an Entity Relation by object Id +```powershell +PS C:\> $EntityRelations = Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +PS C:\> $EntityRelations[0] | Get-AzSentinelEntityRelation + +``` + +This command gets a Entity Relation by object + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +Filters the results, based on a Boolean condition. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Orderby +Sorts the results. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipToken +Skiptoken is only used if a previous operation returned a partial result. 
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Top +Returns only the first n results. +Optional. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md
new file mode 100644
index 000000000000..07c87bd54a62
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md
@@ -0,0 +1,227 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentitytimeline +schema: 2.0.0 +--- + +# Get-AzSentinelEntityTimeline + +## SYNOPSIS +Timeline for an entity. + +## SYNTAX + +``` +Get-AzSentinelEntityTimeline -EntityId -ResourceGroupName -WorkspaceName + -EndTime -StartTime [-SubscriptionId ] [-Kind ] + [-NumberOfBucket ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Timeline for an entity. + +## EXAMPLES + +### Example 1: Get Timeline for an Entity for a given time range +```powershell +PS C:\> $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> Get-AzSentinelEntityTime -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime + +DisplayName : Suspicious process executed +Description : Machine logs indicate that a suspicious process often associated with attacker attempts to access credentials was running on the host. +Kind : SecurityAlert +ProductName : Azure Security Center +Severity : High +StartTimeUtc : 12/20/2021 3:04:17 PM +EndTimeUtc : 12/20/2021 3:04:17 PM +TimeGenerated : 12/20/2021 3:05:52 PM +``` + +This command gets the Timeline for an Entity for a given time range. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The end timeline date, so the results returned are before this date. 
+ +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Array of timeline Item kinds. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityTimelineKind[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NumberOfBucket +The number of bucket for timeline queries aggregation. + +```yaml +Type: System.Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The start timeline date, so the results returned are after this date. + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityTimelineResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncident.md b/src/SecurityInsights/docs/Get-AzSentinelIncident.md new file mode 100644 index 000000000000..2406c1979002 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelIncident.md 
@@ -0,0 +1,273 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincident +schema: 2.0.0 +--- + +# Get-AzSentinelIncident + +## SYNOPSIS +Gets an incident. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelIncident -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Filter ] [-Orderby ] [-SkipToken ] [-Top ] [-DefaultProfile ] + [] +``` + +### Get +``` +Get-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelIncident -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an incident. + +## EXAMPLES + +### Example 1: List all Incidents +```powershell +PS C:\> Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Title : (Preview) TI map IP entity to AzureActivity +Description : Identifies a match in AzureActivity from any IP IOC from TI +Severity : Medium +Number : 754 +Label : {} +ProviderName : Azure Sentinel +Name : f5409f55-7dd8-4c73-9981-4627520b2db +``` + +This command lists all Incidents under a Microsoft Sentinel workspace. + +### Example 2: Get an Incident +```powershell +PS C:\> Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "f5409f55-7dd8-4c73-9981-4627520b2db" + +Title : (Preview) TI map IP entity to AzureActivity +Description : Identifies a match in AzureActivity from any IP IOC from TI +Severity : Medium +Number : 754 +Label : {} +ProviderName : Azure Sentinel +Name : f5409f55-7dd8-4c73-9981-4627520b2db +``` + +This command gets an Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +Filters the results, based on a Boolean condition. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: IncidentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Orderby +Sorts the results. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipToken +Skiptoken is only used if a previous operation returned a partial result. +If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. +Optional. 
+ +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Top +Returns only the first n results. +Optional. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md
new file mode 100644
index 000000000000..acecdaffd0e4
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md
@@ -0,0 +1,165 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentalert +schema: 2.0.0 +--- + +# Get-AzSentinelIncidentAlert + +## SYNOPSIS +Gets all incident alerts. + +## SYNTAX + +``` +Get-AzSentinelIncidentAlert -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Gets all incident alerts. + +## EXAMPLES + +### Example 1: List all Alerts for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentAlert -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command lists all Alerts for a given Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISecurityAlert + +## NOTES + +ALIASES + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md
new file mode 100644
index 000000000000..1101e83ce050
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md
@@ -0,0 +1,164 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentbookmark +schema: 2.0.0 +--- + +# Get-AzSentinelIncidentBookmark + +## SYNOPSIS +Gets all incident bookmarks. + +## SYNTAX + +``` +Get-AzSentinelIncidentBookmark -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Gets all incident bookmarks. + +## EXAMPLES + +### Example 1: List all Bookmarks for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7f40bbbc-e205-404b-bc2b-5d71cd1017a8" + +DisplayName : My 2021 Bookmark +FriendlyName : My 2021 Bookmark +Label : {my Tags} +Note : my notes + 2nd line notes +CreatedByEmail : luke@contoso.com +CreatedByName : Luke +Name : 4557d832-41f0-456f-977e-78a2e129b8d0 +``` + +This command lists all Bookmarks for a given Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IHuntingBookmark + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md new file mode 100644 index 000000000000..e1dc559e1647 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md 
@@ -0,0 +1,287 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentcomment +schema: 2.0.0 +--- + +# Get-AzSentinelIncidentComment + +## SYNOPSIS +Gets an incident comment. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelIncidentComment -Id -IncidentId -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelIncidentComment -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an incident comment. + +## EXAMPLES + +### Example 1: List all Incident Comments for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1" + +AuthorEmail : john@contoso.com +AuthorName : John Contoso +AuthorUserPrincipalName : john@contoso.com +CreatedTimeUtc : 1/6/2022 2:15:44 PM +Message : This is my comment +Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1 + +``` + +This command lists all Incident Comments for a given Incident. + +### Example 2: Get an Incident Comment +```powershell +PS C:\> Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1" -Id "da0957c9-2f1a-44a2-bc83-a2c0696b2bf1" + +AuthorEmail : john@contoso.com +AuthorName : John Contoso +AuthorUserPrincipalName : john@contoso.com +CreatedTimeUtc : 1/6/2022 2:15:44 PM +Message : This is my comment +Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1 +``` + +This command gets an Incident Comment. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +Filters the results, based on a Boolean condition. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident comment ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: IncidentCommentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Orderby +Sorts the results. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipToken +Skiptoken is only used if a previous operation returned a partial result. +If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Top +Returns only the first n results. +Optional. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md new file mode 100644 index 000000000000..0ac4a997e2a3 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md 
@@ -0,0 +1,159 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidententity +schema: 2.0.0 +--- + +# Get-AzSentinelIncidentEntity + +## SYNOPSIS +Gets all incident related entities. + +## SYNTAX + +``` +Get-AzSentinelIncidentEntity -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Gets all incident related entities. + +## EXAMPLES + +### Example 1: List all Entities for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "0ddb580f-efd0-4076-bb77-77e9aef8a187" + +FriendlyName : win2019 +Kind : Host +Name : cb577adf-0266-8873-84d7-accf4b45417b +``` + +This command lists all Entities for a given Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentEntitiesResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md new file mode 100644 index 000000000000..f344cc3df630 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md 
@@ -0,0 +1,300 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentrelation +schema: 2.0.0 +--- + +# Get-AzSentinelIncidentRelation + +## SYNOPSIS +Gets an incident relation. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelIncidentRelation -IncidentId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelIncidentRelation -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an incident relation. + +## EXAMPLES + +### Example 1: List all Incident Relations for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" + +Name : 8969f5ea-4e92-433a-9b67-2f9233d8113f_457a48b2-9dfc-7054-64a5-e8a9d17489d7 +RelatedResourceName : 457a48b2-9dfc-7054-64a5-e8a9d17489d7 +RelatedResourceKind : SecurityAlert +RelatedResourceType : Microsoft.SecurityInsights/entities + +Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba +RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba +RelatedResourceKind : SecurityAlert +RelatedResourceType : Microsoft.SecurityInsights/entities +``` + +This command lists all Incident Relations for a given Incident. 
+ +### Example 2: Get a Incident Relation +```powershell +PS C:\> Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id "myIncidentRelationId" + +Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba +RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba +RelatedResourceKind : SecurityAlert +RelatedResourceType : Microsoft.SecurityInsights/entities +``` + +This command gets a Incident Relation. + +### Example 3: Get a Incident Relation by object Id +```powershell +PS C:\> $Incidentrelations = Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" +PS C:\> $Incidentrelations[0] | Get-AzSentinelIncidentRelation + +Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba +RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba +RelatedResourceKind : SecurityAlert +RelatedResourceType : Microsoft.SecurityInsights/entities +``` + +This command gets a Incident by object + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +Filters the results, based on a Boolean condition. +Optional. 
+ +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Orderby +Sorts the results. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipToken +Skiptoken is only used if a previous operation returned a partial result. +If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. +Optional. 
+ +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Top +Returns only the first n results. +Optional. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md new file mode 100644 index 000000000000..d7fc1bb1ffc5 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md 
@@ -0,0 +1,260 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelmetadata +schema: 2.0.0 +--- + +# Get-AzSentinelMetadata + +## SYNOPSIS +Get a Metadata. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelMetadata -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Filter ] [-Orderby ] [-Skip ] [-Top ] [-DefaultProfile ] + [] +``` + +### Get +``` +Get-AzSentinelMetadata -Name -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelMetadata -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Get a Metadata. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +PS C:\> {{ Add code here }} + +{{ Add output here }} +``` + +{{ Add description here }} + +### Example 2: {{ Add title here }} +```powershell +PS C:\> {{ Add code here }} + +{{ Add output here }} +``` + +{{ Add description here }} + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +Filters the results, based on a Boolean condition. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Name +The Metadata name. + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: MetadataName + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Orderby +Sorts the results. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Skip +Used to skip n elements in the OData query (offset). +Returns a nextLink to the next page of results if there are any left. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Top +Returns only the first n results. +Optional. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IMetadataModel + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md new file mode 100644 index 000000000000..81064548b2b7 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md 
@@ -0,0 +1,198 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelonboardingstate +schema: 2.0.0 +--- + +# Get-AzSentinelOnboardingState + +## SYNOPSIS +Get Sentinel onboarding state + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelOnboardingState -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelOnboardingState -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Get Sentinel onboarding state + +## EXAMPLES + +### Example 1: List all Onboarding States +```powershell +PS C:\> Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default +Name : default +``` + +This command lists all Onboarding States under a Microsoft Sentinel workspace. + +### Example 2: Get an Onboarding State +```powershell +PS C:\> Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "default" + +Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default +Name : default +``` + +This command gets an Onboarding State. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Name +The Sentinel onboarding state name. +Supports - default + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: SentinelOnboardingStateName + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelSetting.md b/src/SecurityInsights/docs/Get-AzSentinelSetting.md new file mode 100644 index 000000000000..0d733c884d17 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelSetting.md 
@@ -0,0 +1,227 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelsetting
+schema: 2.0.0
+---
+
+# Get-AzSentinelSetting
+
+## SYNOPSIS
+Gets a setting.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelSetting -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelSetting -ResourceGroupName -SettingsName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelSetting -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a setting.
+
+## EXAMPLES
+
+### Example 1: List all Settings
+```powershell
+PS C:\> Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+Kind : EntityAnalytics
+Name : EntityAnalytics
+IsEnabled : True
+
+Kind : EyesOn
+Name : EyesOn
+IsEnabled : True
+
+Kind : IPSyncer
+Name : IPSyncer
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+
+Kind : Ueba
+Name : Ueba
+DataSource : {AuditLogs, AzureActivity, SecurityEvent, SigninLogs}
+```
+
+This command lists all Settings under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Setting
+```powershell
+PS C:\> Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName "Anomalies"
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting.
+
+### Example 3: Get a Setting by object Id
+```powershell
+PS C:\> $Settings = Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+PS C:\> $Settings[0] | Get-AzSentinelSetting
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SettingsName
+The setting name.
+Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISettings
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+  - `[ActionId ]`: Action ID
+  - `[AlertRuleTemplateId ]`: Alert rule template ID
+  - `[AutomationRuleId ]`: Automation rule ID
+  - `[BookmarkId ]`: Bookmark ID
+  - `[ConsentId ]`: consent ID
+  - `[DataConnectorId ]`: Connector ID
+  - `[EntityId ]`: entity ID
+  - `[EntityQueryId ]`: entity query ID
+  - `[EntityQueryTemplateId ]`: entity query template ID
+  - `[Id ]`: Resource identity path
+  - `[IncidentCommentId ]`: Incident comment ID
+  - `[IncidentId ]`: Incident ID
+  - `[MetadataName ]`: The Metadata name.
+  - `[Name ]`: Threat intelligence indicator name field.
+  - `[RelationName ]`: Relation Name
+  - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+  - `[RuleId ]`: Alert rule ID
+  - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+  - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+  - `[SourceControlId ]`: Source control Id
+  - `[SubscriptionId ]`: The ID of the target subscription.
+  - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelSourceControlRepository.md b/src/SecurityInsights/docs/Get-AzSentinelSourceControlRepository.md
new file mode 100644
index 000000000000..56e31df8ff58
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelSourceControlRepository.md
@@ -0,0 +1,168 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelsourcecontrolrepository
+schema: 2.0.0
+---
+
+# Get-AzSentinelSourceControlRepository
+
+## SYNOPSIS
+Gets a list of repositories metadata.
+
+## SYNTAX
+
+```
+Get-AzSentinelSourceControlRepository -ResourceGroupName -WorkspaceName -RepoType
+ [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Gets a list of repositories metadata.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RepoType
+The type of repository.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.RepoType
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.RepoType
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRepo
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md
new file mode 100644
index 000000000000..a0d4b7500e5c
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md
@@ -0,0 +1,282 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelthreatintelligenceindicator
+schema: 2.0.0
+---
+
+# Get-AzSentinelThreatIntelligenceIndicator
+
+## SYNOPSIS
+View a threat intelligence indicator by name.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelThreatIntelligenceIndicator -Name -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelThreatIntelligenceIndicator -InputObject
+ [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+View a threat intelligence indicator by name.
+
+## EXAMPLES
+
+### Example 1: List all Threat Intelligence Indicators
+```powershell
+PS C:\> Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+```
+
+This command lists all Threat Intelligence Indicators under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Threat Intelligence Indicator
+```powershell
+PS C:\> Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "514840ce-5582-f7a4-8562-7996e29dc07a"
+
+Kind : indicator
+Name : 514840ce-5582-f7a4-8562-7996e29dc07a
+```
+
+This command gets a Threat Intelligence Indicator by name (Id)
+
+### Example 3: Get the Threat Intelligence Indicator top 3
+```powershell
+PS C:\> $tiIndicators = Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Top 3
+
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+
+Kind : indicator
+Name : 38ac867b-85f9-be4c-afd5-b3cffdcf69f1
+```
+
+This command gets a Threat Intelligence Indicator by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+Threat intelligence indicator name field.
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceInformation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+  - `[ActionId ]`: Action ID
+  - `[AlertRuleTemplateId ]`: Alert rule template ID
+  - `[AutomationRuleId ]`: Automation rule ID
+  - `[BookmarkId ]`: Bookmark ID
+  - `[ConsentId ]`: consent ID
+  - `[DataConnectorId ]`: Connector ID
+  - `[EntityId ]`: entity ID
+  - `[EntityQueryId ]`: entity query ID
+  - `[EntityQueryTemplateId ]`: entity query template ID
+  - `[Id ]`: Resource identity path
+  - `[IncidentCommentId ]`: Incident comment ID
+  - `[IncidentId ]`: Incident ID
+  - `[MetadataName ]`: The Metadata name.
+  - `[Name ]`: Threat intelligence indicator name field.
+  - `[RelationName ]`: Relation Name
+  - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+  - `[RuleId ]`: Alert rule ID
+  - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+  - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+  - `[SourceControlId ]`: Source control Id
+  - `[SubscriptionId ]`: The ID of the target subscription.
+  - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
new file mode 100644
index 000000000000..c719397521f1
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
@@ -0,0 +1,114 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelthreatintelligenceindicatormetric
+schema: 2.0.0
+---
+
+# Get-AzSentinelThreatIntelligenceIndicatorMetric
+
+## SYNOPSIS
+Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).
+
+## SYNTAX
+
+```
+Get-AzSentinelThreatIntelligenceIndicatorMetric -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).
+
+## EXAMPLES
+
+### Example 1: Get all metrics for Threat Intelligence Indicators
+```powershell
+PS C:\> Get-AzSentinelThreatIntelligenceIndicatorMetric -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+LastUpdatedTimeUtc : 2022-02-07T10:44:45.3919348Z
+PatternTypeMetric : {network-traffic, url, ipv4-addr, file}
+SourceMetric : {Microsoft Emerging Threat Feed, Bing Safety Phishing URL, Azure Sentinel, CyberCrime…}
+ThreatTypeMetric : {botnet, maliciousurl, phishing, malicious-activity…}
+```
+
+This command gets Threat Intelligence Indicator metrics.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceMetrics
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
new file mode 100644
index 000000000000..353a5533b8c7
--- /dev/null
+++ b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
@@ -0,0 +1,360 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/invoke-azsentinelthreatintelligenceindicatorquery
+schema: 2.0.0
+---
+
+# Invoke-AzSentinelThreatIntelligenceIndicatorQuery
+
+## SYNOPSIS
+Query threat intelligence indicators as per filtering criteria.
+
+## SYNTAX
+
+```
+Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Id ] [-IncludeDisabled] [-Keyword ] [-MaxConfidence ]
+ [-MaxValidUntil ] [-MinConfidence ] [-MinValidUntil ] [-PageSize ]
+ [-PatternType ] [-SkipToken ] [-SortBy ]
+ [-Source ] [-ThreatType ] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+## DESCRIPTION
+Query threat intelligence indicators as per filtering criteria.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Ids of threat intelligence indicators
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncludeDisabled
+Parameter to include/exclude disabled indicators.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Keyword
+Keywords for searching threat intelligence indicators
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MaxConfidence
+Maximum confidence.
+
+```yaml
+Type: System.Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MaxValidUntil
+End time for ValidUntil filter.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MinConfidence
+Minimum confidence.
+
+```yaml
+Type: System.Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MinValidUntil
+Start time for ValidUntil filter.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PageSize
+Page size
+
+```yaml
+Type: System.Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PatternType
+Pattern types
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skip token.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SortBy
+Columns to sort by and sorting order
+To construct, see NOTES section for SORTBY properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceSortingCriteria[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Source
+Sources of threat intelligence indicators
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ThreatType
+Threat types of threat intelligence indicators
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceInformation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+SORTBY : Columns to sort by and sorting order
+  - `[ItemKey ]`: Column name
+  - `[SortOrder ]`: Sorting order (ascending/descending/unsorted).
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..37512cfd880f
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md
@@ -0,0 +1,781 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertrule +schema: 2.0.0 +--- + +# New-AzSentinelAlertRule + +## SYNOPSIS +Creates or updates the alert rule. + +## SYNTAX + +### FusionMLTI (Default) +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -AlertRuleTemplate + -Kind [-RuleId ] [-SubscriptionId ] [-Enabled] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftSecurityIncidentCreation +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -Kind + -ProductFilter [-RuleId ] [-SubscriptionId ] + [-AlertRuleTemplateName ] [-Description ] [-DisplayNamesExcludeFilter ] + [-DisplayNamesFilter ] [-Enabled] [-SeveritiesFilter ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### NRT +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -DisplayName + -Kind -Query -Severity [-RuleId ] [-SubscriptionId ] + [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] + [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] + [-Description ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-ReOpenClosedIncident] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### Scheduled +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -DisplayName + -Kind -Query -QueryFrequency -QueryPeriod + -Severity -TriggerOperator -TriggerThreshold [-RuleId ] + [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] + [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] + [-CreateIncident] [-Description ] [-Enabled] [-EntityMapping ] + [-EventGroupingSettingAggregationKind ] 
[-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-ReOpenClosedIncident] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the alert rule. + +## EXAMPLES + +### Example 1: Create the Fusion Alert rule +```powershell +PS C:\> $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8" +PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName + +``` + +This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection" + +### Example 2: Create the ML Behavior Analytics Alert Rule +```powershell +PS C:\> $AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b" +PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName + +``` + +This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection" + +### Example 2: Create the Threat Intelligence Alert Rule +```powershell +PS C:\> $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6" +PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName + +``` + +This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics" + +### Example 3: Create a Microsoft Security Incident Creation Alert Rule +```powershell +PS C:\> $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72" +PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName 
"myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT" + + +``` + +This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts. + +### Example 4: Create a Scheduled Alert Rule +```powershell +PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10 + +``` + +This command creates an Alert Rule of the Scheduled kind. +Please note that that query (parameter -Query) needs to be on a single line as as string. + +### Example 5: Create a Near Realtime Alert Rule +```powershell +PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)" + +``` + +This command creates an Alert Rule of the NRT kind. +Please note that that query (parameter -Query) needs to be on a single line as as string. 
+ +## PARAMETERS + +### -AlertDescriptionFormat + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertDisplayNameFormat + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertRuleTemplate + + +```yaml +Type: System.String +Parameter Sets: FusionMLTI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertRuleTemplateName + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation, NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertSeverityColumnName + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertTacticsColumnName + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreateIncident + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The 
credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation, NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayNamesExcludeFilter + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayNamesFilter + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Enabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityMapping +'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +To construct, see NOTES section for ENTITYMAPPING properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EventGroupingSettingAggregationKind + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind +Parameter Sets: Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByAlertDetail + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByCustomDetail + + +```yaml +Type: System.String[] +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByEntity + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupingConfigurationEnabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the data connection + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LookbackDuration 
+ + +```yaml +Type: System.TimeSpan +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: New-TimeSpan -Hours 5 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MatchingMethod + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: "AllEntities" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProductFilter + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Query + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryFrequency + + +```yaml +Type: System.TimeSpan +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryPeriod + + +```yaml +Type: System.TimeSpan +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReOpenClosedIncident + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The 
Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +[Alias('RuleId')] + The Id of the Rule. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SeveritiesFilter +High, Medium, Low, Informational + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[] +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity +Parameter Sets: NRT, Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressionDuration + + +```yaml +Type: System.TimeSpan +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: New-TimeSpan -Hours 5 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressionEnabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tactic +[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] +InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerOperator + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerThreshold + + +```yaml +Type: System.Int32 +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' + - `[EntityType ]`: The V3 type of the mapped entity + - `[FieldMapping ]`: array of field mappings for the given entity mapping + - `[ColumnName ]`: the column name to be mapped to the identifier + - `[Identifier ]`: the V3 identifier of the entity + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md new file mode 100644 index 000000000000..c06aab0ee21f --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md 
@@ -0,0 +1,189 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertruleaction +schema: 2.0.0 +--- + +# New-AzSentinelAlertRuleAction + +## SYNOPSIS +Creates or updates the action of alert rule. + +## SYNTAX + +``` +New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the action of alert rule. + +## EXAMPLES + +### Example 1: Add a Logic App Playbook as an action to an existing analytics rule +```powershell +PS C:\> $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName" +$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" +New-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid) + +``` + +This command adds an existing Logic App Playbook to an existing analytics rule + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LogicAppResourceId +Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +Alert rule ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerUri +Logic App Callback URL for this specific workflow. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md new file mode 100644 index 000000000000..9c31ed645872 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md 
@@ -0,0 +1,314 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelautomationrule +schema: 2.0.0 +--- + +# New-AzSentinelAutomationRule + +## SYNOPSIS +Creates or updates the automation rule. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Action ] [-DisplayName ] [-Order ] + [-TriggeringLogicCondition ] [-TriggeringLogicExpirationTimeUtc ] + [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### Create +``` +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName + -AutomationRule [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the automation rule. + +## EXAMPLES + +### Example 1: Create an Automation Rule using Run Playbook +```powershell +PS C:\> $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" +PS C:\> $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() +PS C:\> $automationRuleAction.Order = 1 +PS C:\> $automationRuleAction.ActionType = "RunPlaybook" +PS C:\> $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id) +PS C:\> $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id +PS C:\> New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled + +{{ Add output here }} +``` + +This command creates an Automation Rule that has an Action of Run Playbook. 
+ +### Example 2: {{ Add title here }} +```powershell +PS C:\> $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new() +PS C:\> $automationRuleAction.Order = 1 +PS C:\> $automationRuleAction.ActionType = "ModifyProperties" +PS C:\> $automationRuleAction.ActionConfigurationSeverity = "Low" +PS C:\> New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Change severity to Low" -Order 3 -TriggeringLogicIsEnabled + +{{ Add output here }} +``` + +This command creates an Automation Rule that has an Action of changing the severity. + +## PARAMETERS + +### -Action +The actions to execute when the automation rule is triggered +To construct, see NOTES section for ACTION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleAction[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AutomationRule +Represents an automation rule. +To construct, see NOTES section for AUTOMATIONRULE properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +The display name of the automation rule + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Order +The order of execution of the automation rule + +```yaml +Type: System.Int32 +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicCondition +The conditions to evaluate to determine if the automation rule should be triggered on a given object + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleCondition[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicExpirationTimeUtc +Determines when the automation rule should automatically expire and be disabled. 
+ +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicIsEnabled +Determines whether the automation rule is enabled or disabled. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +ACTION : The actions to execute when the automation rule is triggered + - `ActionType `: The type of the automation rule action + - `Order `: The order of execution of the automation rule action + +AUTOMATIONRULE : Represents an automation rule. + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[Action ]`: The actions to execute when the automation rule is triggered + - `ActionType `: The type of the automation rule action + - `Order `: The order of execution of the automation rule action + - `[CreatedByEmail ]`: The email of the client. + - `[CreatedByName ]`: The name of the client. + - `[CreatedByObjectId ]`: The object id of the client. + - `[CreatedByUserPrincipalName ]`: The user principal name of the client. + - `[DisplayName ]`: The display name of the automation rule + - `[LastModifiedByEmail ]`: The email of the client. + - `[LastModifiedByName ]`: The name of the client. + - `[LastModifiedByObjectId ]`: The object id of the client. + - `[LastModifiedByUserPrincipalName ]`: The user principal name of the client. 
+ - `[Order ]`: The order of execution of the automation rule + - `[TriggeringLogicCondition ]`: The conditions to evaluate to determine if the automation rule should be triggered on a given object + - `[TriggeringLogicExpirationTimeUtc ]`: Determines when the automation rule should automatically expire and be disabled. + - `[TriggeringLogicIsEnabled ]`: Determines whether the automation rule is enabled or disabled. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/docs/New-AzSentinelBookmark.md new file mode 100644 index 000000000000..4f742357116b --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelBookmark.md 
@@ -0,0 +1,386 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelbookmark +schema: 2.0.0 +--- + +# New-AzSentinelBookmark + +## SYNOPSIS +Creates or updates the bookmark. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] + [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] + [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] + [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### Create +``` +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -Bookmark + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the bookmark. + +## EXAMPLES + +### Example 1: Create a Bookmark +```powershell +PS C:\> $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> New-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime + +DisplayName : Incident Evidence +CreatedByName : John Contoso +CreatedByEmail : john@contoso.com +Name : 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 +Note : my notes +``` + +This command creates a Bookmark. + +## PARAMETERS + +### -Bookmark +Represents a bookmark in Azure Security Insights. +To construct, see NOTES section for BOOKMARK properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +The display name of the bookmark + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EventTime +The bookmark event time + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoIncidentId +Incident Id + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoRelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoSeverity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoTitle +The title of the 
incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this bookmark + +```yaml +Type: System.String[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Note +The notes of the bookmark + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Query +The query of the bookmark. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryEndTime +The end time for the query + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryResult +The query result of the bookmark. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryStartTime +The start time for the query + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +BOOKMARK : Represents a bookmark in Azure Security Insights. + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[Created ]`: The time the bookmark was created + - `[CreatedByObjectId ]`: The object id of the user. + - `[DisplayName ]`: The display name of the bookmark + - `[EventTime ]`: The bookmark event time + - `[IncidentInfoIncidentId ]`: Incident Id + - `[IncidentInfoRelationName ]`: Relation Name + - `[IncidentInfoSeverity ]`: The severity of the incident + - `[IncidentInfoTitle ]`: The title of the incident + - `[Label ]`: List of labels relevant to this bookmark + - `[Note ]`: The notes of the bookmark + - `[Query ]`: The query of the bookmark. + - `[QueryEndTime ]`: The end time for the query + - `[QueryResult ]`: The query result of the bookmark. + - `[QueryStartTime ]`: The start time for the query + - `[Updated ]`: The last time the bookmark was updated + - `[UpdatedByObjectId ]`: The object id of the user. + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..2c396c3aa7cb --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,213 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelbookmarkrelation +schema: 2.0.0 +--- + +# New-AzSentinelBookmarkRelation + +## SYNOPSIS +Creates the bookmark relation. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### Create +``` +New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName + -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +## DESCRIPTION +Creates the bookmark relation. + +## EXAMPLES + +### Example 1: Create a Bookmark Relation +```powershell +PS C:\> $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId" +PS C:\> $bookmarkRelation = New-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($incident.Id) +``` + +This command creates a Bookmark Relation connecting the Incident to the Bookmark. + +## PARAMETERS + +### -BookmarkId +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Relation +Represents a relation between two resources +To construct, see NOTES section for RELATION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +RELATION : Represents a relation between two resources + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[RelatedResourceId ]`: The resource ID of the related resource + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md new file mode 100644 index 000000000000..ab0bfa8b9ad3 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md 
@@ -0,0 +1,965 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentineldataconnector +schema: 2.0.0 +--- + +# New-AzSentinelDataConnector + +## SYNOPSIS +Creates or updates the data connector. + +## SYNTAX + +### AADAATP (Default) +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### AmazonWebServicesCloudTrail +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn + -Kind [-DataConnectorId ] [-SubscriptionId ] [-Logs ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### AmazonWebServicesS3 +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn + -DetinationTable -Kind -Logs -SQSURL + [-DataConnectorId ] [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] +``` + +### AzureSecurityCenter +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -ASCSubscriptionId + -Kind [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### Dynamics365 +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-CommonDataServiceActivity ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### GenericUI +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName + -AvailabilityIsPreview -Kind + -UiConfigConnectivityCriterion -UiConfigDataType + -UiConfigDescriptionMarkdown -UiConfigGraphQueriesTableName + -UiConfigGraphQuery -UiConfigInstructionStep + -UiConfigPublisher -UiConfigSampleQuery -UiConfigTitle + [-DataConnectorId ] [-SubscriptionId ] [-AvailabilityStatus ] + [-PermissionCustom ] + [-PermissionResourceProvider ] 
[-UiConfigCustomImage ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftCloudAppSecurity +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLogs ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### MicrosoftDefenderAdvancedThreatProtection +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftThreatIntelligence +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-BingSafetyPhishingURL ] + [-BingSafetyPhishingUrlLookbackPeriod ] [-MicrosoftEmergingThreatFeed ] + [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftThreatProtection +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Incidents ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### Office365 +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Exchange ] [-SharePoint ] + [-Teams ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### OfficeATP +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### OfficeIRM +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### ThreatIntelligence +``` +New-AzSentinelDataConnector 
-ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Indicators ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### ThreatIntelligenceTaxii +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -APIRootURL + -CollectionId -FriendlyName -Kind -PollingFrequency + -WorkspaceId [-DataConnectorId ] [-SubscriptionId ] [-Password ] + [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the data connector. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +PS C:\>New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All +``` + +This command enables the Threat Intelligence data connector + +## PARAMETERS + +### -Alerts + + +```yaml +Type: System.String +Parameter Sets: AADAATP, AzureSecurityCenter, MicrosoftCloudAppSecurity, MicrosoftDefenderAdvancedThreatProtection, OfficeATP, OfficeIRM +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -APIRootURL + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ASCSubscriptionId +ASC Subscription Id. 
+ +```yaml +Type: System.String +Parameter Sets: AzureSecurityCenter +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AvailabilityIsPreview +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.Boolean +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AvailabilityStatus +[Parameter(ParameterSetName = 'APIPolling')] + +```yaml +Type: System.Int32 +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: 1 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AWSRoleArn + + +```yaml +Type: System.String +Parameter Sets: AmazonWebServicesCloudTrail, AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BingSafetyPhishingURL + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BingSafetyPhishingUrlLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CollectionId + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: 
False +``` + +### -CommonDataServiceActivity + + +```yaml +Type: System.String +Parameter Sets: Dynamics365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataConnectorId +The Id of the Data Connector. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DetinationTable + + +```yaml +Type: System.String +Parameter Sets: AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DiscoveryLogs + + +```yaml +Type: System.String +Parameter Sets: MicrosoftCloudAppSecurity +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Exchange + + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FriendlyName + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Incidents + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatProtection +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: 
False +``` + +### -Indicators + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the data connection + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Logs + + +```yaml +Type: System.String +Parameter Sets: AmazonWebServicesCloudTrail, AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftEmergingThreatFeed + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftEmergingThreatFeedLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionCustom +[Parameter(ParameterSetName = 'APIPolling')] +To construct, see NOTES section for PERMISSIONCUSTOM properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[] +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionResourceProvider +[Parameter(ParameterSetName = 'APIPolling')] +To construct, see NOTES section for PERMISSIONRESOURCEPROVIDER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[] +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PollingFrequency + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SharePoint + + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SQSURL + + +```yaml +Type: System.String[] +Parameter Sets: AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TaxiiLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Teams + + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TenantId +The TenantId. + +```yaml +Type: System.String +Parameter Sets: AADAATP, Dynamics365, MicrosoftCloudAppSecurity, MicrosoftDefenderAdvancedThreatProtection, MicrosoftThreatIntelligence, MicrosoftThreatProtection, Office365, OfficeATP, OfficeIRM, ThreatIntelligence, ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Tenant.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigConnectivityCriterion +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigCustomImage +[Parameter(ParameterSetName = 'APIPolling')] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigDataType +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGDATATYPE properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigDescriptionMarkdown +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigGraphQueriesTableName +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigGraphQuery +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGGRAPHQUERY properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigInstructionStep +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGINSTRUCTIONSTEP properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigPublisher +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigSampleQuery +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGSAMPLEQUERY properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigTitle +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserName + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceId + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +PERMISSIONCUSTOM : [Parameter(ParameterSetName = 'APIPolling')] + - `[Description ]`: Customs permissions description + - `[Name ]`: Customs permissions name + +PERMISSIONRESOURCEPROVIDER : [Parameter(ParameterSetName = 'APIPolling')] + - `[PermissionsDisplayText ]`: Permission description text + - `[Provider ]`: Provider name + - `[ProviderDisplayName ]`: Permission provider display name + - `[RequiredPermissionAction ]`: action permission + - `[RequiredPermissionDelete ]`: delete permission + - `[RequiredPermissionRead ]`: read permission + - `[RequiredPermissionWrite ]`: write permission + - `[Scope ]`: Permission provider scope + +UICONFIGCONNECTIVITYCRITERION : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[Type ]`: type of connectivity + - `[Value ]`: Queries for checking connectivity + +UICONFIGDATATYPE : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[LastDataReceivedQuery ]`: Query for indicate last data received + - `[Name ]`: Name of the data type to show in the graph. 
can be use with {{graphQueriesTableName}} placeholder + +UICONFIGGRAPHQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[BaseQuery ]`: The base query for the graph + - `[Legend ]`: The legend for the graph + - `[MetricName ]`: the metric that the query is checking + +UICONFIGINSTRUCTIONSTEP : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[Description ]`: Instruction step description + - `[Instruction ]`: Instruction step details + - `Type `: The kind of the setting + - `[Parameter ]`: The parameters for the setting + - `[Title ]`: Instruction step title + +UICONFIGSAMPLEQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[Description ]`: The sample query description + - `[Query ]`: the sample query + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..9fcd5d83ba05 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md 
@@ -0,0 +1,352 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery
+schema: 2.0.0
+---
+
+# New-AzSentinelEntityQuery
+
+## SYNOPSIS
+Creates or updates the entity query.
+
+## SYNTAX
+
+```
+New-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName -Content
+ -Description -InputEntityType -Kind -QueryDefinitionQuery
+ -Title [-EntityQueryId ] [-SubscriptionId ]
+ [-EntitiesFilter ] [-RequiredInputFieldsSet ]
+ [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf]
+ []
+```
+
+## DESCRIPTION
+Creates or updates the entity query.
+
+## EXAMPLES
+
+### Example 1: Create Entity Query
+```powershell
+PS C:\> $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
+PS C:\> New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" [-EntityQueryId ] -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name)
+
+Title : The user has created an account
+Name : 6d37a904-d199-43ff-892b-53653b784122
+Content : The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)
+Description : This activity displays account creation events performed by the user
+Enabled : True
+Kind : Activity
+CreatedTimeUtc : 12/22/2021 11:44:34 AM
+LastModifiedTimeUtc : 12/22/2021 11:47:13 AM
+
+```
+
+This command creates an Entity Query by using a Template.
+ +### Example 2: Create Entity Query +```powershell +PS C:\> New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', 
''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} + +``` + +This command creates an Entity Query. + +## PARAMETERS + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Content + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntitiesFilter +To construct, see NOTES section for ENTITIESFILTER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityQueryId +The Id of the Entity Query. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputEntityType + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the Entity Query + +```yaml +Type: System.Object +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryDefinitionQuery + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RequiredInputFieldsSet + + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TemplateName + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+ENTITIESFILTER :
+ - `[(Any) ]`: This indicates any property can be added to this object.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncident.md b/src/SecurityInsights/docs/New-AzSentinelIncident.md
new file mode 100644
index 000000000000..6672c54add32
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelIncident.md
@@ -0,0 +1,455 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincident
+schema: 2.0.0
+---
+
+# New-AzSentinelIncident
+
+## SYNOPSIS
+Creates or updates the incident.
+
+## SYNTAX
+
+### CreateExpanded (Default)
+```
+New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-Classification ] [-ClassificationComment ]
+ [-ClassificationReason ] [-Description ]
+ [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ]
+ [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ]
+ [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ]
+ [-Severity ] [-Status ] [-Title ] [-DefaultProfile ]
+ [-Confirm] [-WhatIf] []
+```
+
+### Create
+```
+New-AzSentinelIncident -ResourceGroupName -WorkspaceName -Incident
+ [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates or updates the incident.
+
+## EXAMPLES
+
+### Example 1: Create an Incident
+```powershell
+PS C:\> New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Title "NewIncident" -Description "My Description" -Severity Low -Status New
+
+Title : NewIncident
+Description : My Description
+Severity : Low
+Status : New
+Number : 779
+CreatedTimeUtc : 2/3/2022 7:47:03 PM
+Name : c831b5a7-5644-403f-9dc3-96d651e04c6d
+Url : https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/cyber-soc/providers/Microsoft.OperationalInsights/workspaces/myworkspace/providers/Microsoft.SecurityInsights/Incidents/c831b5a7-5644-403f-9dc3-96d651e04c6d
+```
+
+This command creates an Incident.
+ +## PARAMETERS + +### -Classification +The reason the incident was closed + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassification +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationComment +Describes the reason the incident was closed + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationReason +The classification reason the incident was closed with + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassificationReason +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +The description of the incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FirstActivityTimeUtc +The time of the first activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Incident +Represents an incident in Azure Security Insights. 
+To construct, see NOTES section for INCIDENT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this incident +To construct, see NOTES section for LABEL properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentLabel[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastActivityTimeUtc +The time of the last activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerAssignedTo +The name of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerEmail +The email of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerObjectId +The object id of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerUserPrincipalName +The user principal name of the user the incident is assigned to. 
+ +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderIncidentId +The incident ID assigned by the incident provider + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderName +The name of the source provider that generated the incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Status +The status of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentStatus +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title +The title of the incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INCIDENT : Represents an incident in Azure Security Insights. + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[Classification ]`: The reason the incident was closed + - `[ClassificationComment ]`: Describes the reason the incident was closed + - `[ClassificationReason ]`: The classification reason the incident was closed with + - `[Description ]`: The description of the incident + - `[FirstActivityTimeUtc ]`: The time of the first activity in the incident + - `[Label ]`: List of labels relevant to this incident + - `LabelName `: The name of the label + - `[LastActivityTimeUtc ]`: The time of the last activity in the incident + - `[OwnerAssignedTo ]`: The name of the user the incident is assigned to. + - `[OwnerEmail ]`: The email of the user the incident is assigned to. + - `[OwnerObjectId ]`: The object id of the user the incident is assigned to. + - `[OwnerUserPrincipalName ]`: The user principal name of the user the incident is assigned to. 
+ - `[ProviderIncidentId ]`: The incident ID assigned by the incident provider
+ - `[ProviderName ]`: The name of the source provider that generated the incident
+ - `[Severity ]`: The severity of the incident
+ - `[Status ]`: The status of the incident
+ - `[Title ]`: The title of the incident
+
+LABEL : List of labels relevant to this incident
+ - `LabelName `: The name of the label
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..3df277daa1ee
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md
@@ -0,0 +1,217 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincidentcomment
+schema: 2.0.0
+---
+
+# New-AzSentinelIncidentComment
+
+## SYNOPSIS
+Creates or updates the incident comment.
+
+## SYNTAX
+
+### CreateExpanded (Default)
+```
+New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Message ] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+### Create
+```
+New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName
+ -IncidentComment [-SubscriptionId ] [-DefaultProfile ] [-Confirm]
+ [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates or updates the incident comment.
+
+## EXAMPLES
+
+### Example 1: Create an Incident Comment
+```powershell
+PS C:\> New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere"
+
+```
+
+This command creates an Incident Comment.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentComment
+Represents an incident comment
+To construct, see NOTES section for INCIDENTCOMMENT properties and create a hash table.
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Message +The comment message + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INCIDENTCOMMENT : Represents an incident comment + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[AuthorEmail ]`: The email of the client. + - `[AuthorName ]`: The name of the client. + - `[AuthorObjectId ]`: The object id of the client. + - `[AuthorUserPrincipalName ]`: The user principal name of the client. + - `[Message ]`: The comment message + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md new file mode 100644 index 000000000000..e83e3b02fbee --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md 
@@ -0,0 +1,218 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincidentrelation
+schema: 2.0.0
+---
+
+# New-AzSentinelIncidentRelation
+
+## SYNOPSIS
+Creates or updates the incident relation.
+
+## SYNTAX
+
+### CreateExpanded (Default)
+```
+New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+### Create
+```
+New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName
+ -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+## DESCRIPTION
+Creates or updates the incident relation.
+
+## EXAMPLES
+
+### Example 1: Create a Incident Relation
+```powershell
+PS C:\> $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId"
+PS C:\> New-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id)
+
+Name : 4b112bd9-a6b5-44f6-b89d-8bcbf021fbdf
+RelatedResourceName : a636a51c-471a-468d-89ed-d7f4b2a7a569
+RelatedResourceKind :
+RelatedResourceType : Microsoft.SecurityInsights/Bookmarks
+```
+
+This command creates a Incident Relation connecting the Bookmark to the Incident.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelatedResourceId
+The resource ID of the related resource
+
+```yaml
+Type: System.String
+Parameter Sets: CreateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Relation
+Represents a relation between two resources
+To construct, see NOTES section for RELATION properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+Parameter Sets: Create
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+RELATION : Represents a relation between two resources
+ - `[Etag ]`: Etag of the azure resource
+ - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC).
+ - `[SystemDataCreatedBy ]`: The identity that created the resource.
+ - `[SystemDataCreatedByType ]`: The type of identity that created the resource.
+ - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC)
+ - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource.
+ - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource.
+ - `[RelatedResourceId ]`: The resource ID of the related resource
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md
new file mode 100644
index 000000000000..86f26d47dbec
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md
@@ -0,0 +1,261 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincidentteam
+schema: 2.0.0
+---
+
+# New-AzSentinelIncidentTeam
+
+## SYNOPSIS
+Creates a Microsoft team to investigate the incident by sharing information and insights between participants.
+
+## SYNTAX
+
+### CreateExpanded (Default)
+```
+New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -WorkspaceName
+ -TeamName [-SubscriptionId ] [-GroupId ] [-MemberId ]
+ [-TeamDescription ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+### Create
+```
+New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -WorkspaceName
+ -TeamProperty [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+## DESCRIPTION
+Creates a Microsoft team to investigate the incident by sharing information and insights between participants.
+
+## EXAMPLES
+
+### Example 1: Create an Incident Teams Room
+```powershell
+PS C:\> $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId"
+PS C:\> New-AzSentinelIncidentTeam -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId ($incident.Name) -TeamName ("Incident "+$incident.incidentNumber+": "+$incident.title)
+
+Description :
+Name : Incident : NewIncident3
+PrimaryChannelUrl : https://teams.microsoft.com/l/team/19:vYoGjeGlZmTEDmu0gTbrk9T_eDS4pKIkEU7UuM1IyZk1%40thread.tacv2/conversations?groupId=3c637cc5-caf1-46c7-93ac-069c6
+ 4b05395&tenantId=8f21ced5-2eff-4f8d-aff1-4dbb4cee8e3d
+TeamCreationTimeUtc : 2/4/2022 3:02:03 PM
+TeamId : 3c637cc5-caf1-46c7-93ac-069c64b05395
+```
+
+This command creates a Teams group for the Incident.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupId
+List of group IDs to add their members to the team
+
+```yaml
+Type: System.String[]
+Parameter Sets: CreateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MemberId
+List of member IDs to add to the team
+
+```yaml
+Type: System.String[]
+Parameter Sets: CreateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TeamDescription
+The description of the team
+
+```yaml
+Type: System.String
+Parameter Sets: CreateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TeamName
+The name of the team
+
+```yaml
+Type: System.String
+Parameter Sets: CreateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TeamProperty
+Describes team properties
+To construct, see NOTES section for TEAMPROPERTY properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamProperties
+Parameter Sets: Create
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamProperties
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamInformation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+TEAMPROPERTY : Describes team properties
+ - `TeamName `: The name of the team
+ - `[GroupId ]`: List of group IDs to add their members to the team
+ - `[MemberId ]`: List of member IDs to add to the team
+ - `[TeamDescription ]`: The description of the team
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..54aa96c4da10
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md
@@ -0,0 +1,214 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelonboardingstate
+schema: 2.0.0
+---
+
+# New-AzSentinelOnboardingState
+
+## SYNOPSIS
+Create Sentinel onboarding state
+
+## SYNTAX
+
+### CreateExpanded (Default)
+```
+New-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-CustomerManagedKey] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+### Create
+```
+New-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName
+ -SentinelOnboardingStateParameter [-SubscriptionId ]
+ [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Create Sentinel onboarding state
+
+## EXAMPLES
+
+### Example 1: Add Sentinel onboarding state
+```powershell
+PS C:\>AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+
+```
+
+This command configures the onboarding state of Sentinel
+
+## PARAMETERS
+
+### -CustomerManagedKey
+Flag that indicates the status of the CMK setting
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: CreateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+The Sentinel onboarding state name.
+Supports - default
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases: SentinelOnboardingStateName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SentinelOnboardingStateParameter
+Sentinel onboarding state
+To construct, see NOTES section for SENTINELONBOARDINGSTATEPARAMETER properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState
+Parameter Sets: Create
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+SENTINELONBOARDINGSTATEPARAMETER : Sentinel onboarding state
+ - `[Etag ]`: Etag of the azure resource
+ - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC).
+ - `[SystemDataCreatedBy ]`: The identity that created the resource.
+ - `[SystemDataCreatedByType ]`: The type of identity that created the resource.
+ - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC)
+ - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource.
+ - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource.
+ - `[CustomerManagedKey ]`: Flag that indicates the status of the CMK setting
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/README.md b/src/SecurityInsights/docs/README.md
new file mode 100644
index 000000000000..ea77161005f3
--- /dev/null
+++ b/src/SecurityInsights/docs/README.md
@@ -0,0 +1,11 @@
+# Docs
+This directory contains the documentation of the cmdlets for the `Az.SecurityInsights` module. To run documentation generation, use the `generate-help.ps1` script at the root module folder. Files in this folder will *always be overridden on regeneration*. To update documentation examples, please use the `../examples` folder.
+
+## Info
+- Modifiable: no
+- Generated: all
+- Committed: yes
+- Packaged: yes
+
+## Details
+The process of documentation generation loads `Az.SecurityInsights` and analyzes the exported cmdlets from the module. It recognizes the [help comments](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comment_based_help) that are generated into the scripts in the `../exports` folder. Additionally, when writing custom cmdlets in the `../custom` folder, you can use the help comments syntax, which decorate the exported scripts at build-time. The documentation examples are taken from the `../examples` folder.
\ No newline at end of file
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..b2abf8108dc4
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md
@@ -0,0 +1,225 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelalertrule
+schema: 2.0.0
+---
+
+# Remove-AzSentinelAlertRule
+
+## SYNOPSIS
+Delete the alert rule.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelAlertRule -InputObject [-DefaultProfile ] [-PassThru]
+ [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the alert rule.
+
+## EXAMPLES
+
+### Example 1: Remove an alert rule
+```powershell
+PS C:\>Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 4a21e485-75ae-48b3-a7b9-e6a92bcfe434
+
+```
+
+The command removes a Sentinel alert rule
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..2f0d97da470c
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
@@ -0,0 +1,241 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Remove-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Delete the action of alert rule.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm]
+ [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelAlertRuleAction -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the action of alert rule.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86
+
+```
+
+This command removes an alert rule action.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Action ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: ActionId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..5920606fa399
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md
@@ -0,0 +1,225 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelautomationrule +schema: 2.0.0 +--- + +# Remove-AzSentinelAutomationRule + +## SYNOPSIS +Delete the automation rule. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelAutomationRule -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the automation rule. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +PS C:\>Remove-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 + +``` + +This command removes a Sentinel automation rule + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Automation rule ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: AutomationRuleId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md new file mode 100644 index 000000000000..a4e40d3dd50d --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md 
@@ -0,0 +1,225 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelbookmark +schema: 2.0.0 +--- + +# Remove-AzSentinelBookmark + +## SYNOPSIS +Delete the bookmark. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelBookmark -InputObject [-DefaultProfile ] [-PassThru] + [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the bookmark. + +## EXAMPLES + +### Example 1: Remove a Sentinel Bookmark +```powershell +PS C:\>Remove-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id + +``` + +This command removes a bookmark + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: BookmarkId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..a657339f8dd9 --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,241 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelbookmarkrelation +schema: 2.0.0 +--- + +# Remove-AzSentinelBookmarkRelation + +## SYNOPSIS +Delete the bookmark relation. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] + [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelBookmarkRelation -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the bookmark relation. + +## EXAMPLES + +### Example 1: Remove a bookmark relation +```powershell +PS C:\> Remove-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 83846045-d8dc-4d6b-abbe-7588219c474e -RelationName 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 + +``` + +This command removes a bookmarkrelation + +## PARAMETERS + +### -BookmarkId +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md new file mode 100644 index 000000000000..e1a671d9c580 --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md 
@@ -0,0 +1,225 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentineldataconnector +schema: 2.0.0 +--- + +# Remove-AzSentinelDataConnector + +## SYNOPSIS +Delete the data connector. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelDataConnector -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the data connector. + +## EXAMPLES + +### Example 1: Removes Sentinel Data Connector +```powershell +PS C:\>Remove-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 661b961f-53d8-4bd1-be97-24e808fd04f5 + +``` + +This command removes a data connector. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Connector ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: DataConnectorId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..dee86bf71862 --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md 
@@ -0,0 +1,234 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelentityquery +schema: 2.0.0 +--- + +# Remove-AzSentinelEntityQuery + +## SYNOPSIS +Delete the entity query. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelEntityQuery -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelEntityQuery -InputObject [-DefaultProfile ] [-PassThru] + [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the entity query. + +## EXAMPLES + +### Example 1: Remove Entity Query +```powershell +PS C:\> Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId" + +``` + +This command removes a specific entity query based on the entity query Id + +### Example 2: Remove an Entity Query based on the title +```powershell +PS C:\> $queryTemplateId = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Title -eq "The user has created an account"} +Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id $queryTemplateId.Name + +``` + +This command removes a specific entity query based on the title + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +entity query ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: EntityQueryId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md new file mode 100644 index 000000000000..b76343c14cde --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md 
@@ -0,0 +1,233 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelincident +schema: 2.0.0 +--- + +# Remove-AzSentinelIncident + +## SYNOPSIS +Delete the incident. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelIncident -InputObject [-DefaultProfile ] [-PassThru] + [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the incident. + +## EXAMPLES + +### Example 1: Removes an incident based on the incident Id +```powershell +PS C:\>Remove-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id + +``` + +This command removes an incident based on the incident id. + +### Example 2: Removes an incident based on the incident number +```powershell +PS C:\>$myIncident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id | Where-Object {$_.Number -eq "780"} + +``` + +The command removes an incident based on an incident number. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: IncidentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md new file mode 100644 index 000000000000..b05324d0e3ac --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md 
@@ -0,0 +1,242 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelincidentcomment +schema: 2.0.0 +--- + +# Remove-AzSentinelIncidentComment + +## SYNOPSIS +Delete the incident comment. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelIncidentComment -Id -IncidentId -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] + [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelIncidentComment -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the incident comment. + +## EXAMPLES + +### Example 1: Remove an incident comment +```powershell +PS C:\>Remove-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 7a4c27ea-d61a-496b-b5c3-246770c857c1 + +This command removes an incident comment +``` + + + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident comment ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: IncidentCommentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md new file mode 100644 index 000000000000..93969ff9e8b4 --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md 
@@ -0,0 +1,241 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelincidentrelation +schema: 2.0.0 +--- + +# Remove-AzSentinelIncidentRelation + +## SYNOPSIS +Delete the incident relation. + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelIncidentRelation -IncidentId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] + [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelIncidentRelation -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete the incident relation. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +PS C:\>Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelationName 7a4c27ea-d61a-496b-b5c3-246770c857c1 + +``` + +This command removes the incident relation + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md new file mode 100644 index 000000000000..6a6e5ee4d2d8 --- /dev/null +++ b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md 
@@ -0,0 +1,226 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelonboardingstate +schema: 2.0.0 +--- + +# Remove-AzSentinelOnboardingState + +## SYNOPSIS +Delete Sentinel onboarding state + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelOnboardingState -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete Sentinel onboarding state + +## EXAMPLES + +### Example 1: Remove the Sentinel onboarding state +```powershell +PS C:\>Remove-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default" + +``` + +This commands removes the Sentinel onboarding state + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Name +The Sentinel onboarding state name. 
+Supports - default + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: SentinelOnboardingStateName + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md new file mode 100644 index 000000000000..ba8341f1cf06 --- /dev/null +++ b/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md 
@@ -0,0 +1,243 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/test-azsentineldataconnectorcheckrequirement +schema: 2.0.0 +--- + +# Test-AzSentinelDataConnectorCheckRequirement + +## SYNOPSIS +Get requirements state for a data connector type. + +## SYNTAX + +### AADTenant (Default) +``` +Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName -WorkspaceName + -Kind [-SubscriptionId ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### AzureSecurityCenter +``` +Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName -WorkspaceName + -ASCSubscriptionId -Kind [-SubscriptionId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Get requirements state for a data connector type. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +{{ Add code here }} +``` + +```output +{{ Add output here }} +``` + +{{ Add description here }} + +### Example 2: {{ Add title here }} +```powershell +{{ Add code here }} +``` + +```output +{{ Add output here }} +``` + +{{ Add description here }} + +## PARAMETERS + +### -ASCSubscriptionId +ASC Subscription Id. 
+ +```yaml +Type: System.String +Parameter Sets: AzureSecurityCenter +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +[Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)] +[Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] +[Parameter(ParameterSetName = 'GenericUI', Mandatory)] + The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the data connection + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. 
+The subscription ID forms part of the URI for every service call. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TenantId +The TenantId. + +```yaml +Type: System.String +Parameter Sets: AADTenant +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Tenant.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements + +## NOTES + +ALIASES + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md new file mode 100644 index 000000000000..61cd88beb690 --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md 
@@ -0,0 +1,849 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/Update-azsentinelalertrule
+schema: 2.0.0
+---
+
+# Update-AzSentinelAlertRule
+
+## SYNOPSIS
+Updates the alert rule.
+
+## SYNTAX
+
+### UpdateScheduled (Default)
+```
+Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ]
+ [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ]
+ [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ]
+ [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ]
+ [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled]
+ [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ]
+ [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ]
+ [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ]
+ [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob]
+ [-NoWait] [-Scheduled] [-Confirm] [-WhatIf] []
+```
+
+### UpdateFusionMLTI
+```
+Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-AlertRuleTemplateName ] [-Enabled] [-DefaultProfile ] [-AsJob]
+ [-FusionMLorTI] [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+### UpdateMicrosoftSecurityIncidentCreation
+```
+Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-AlertRuleTemplateName ] [-Description ]
+ [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled]
+ [-ProductFilter ] [-SeveritiesFilter ]
+ [-DefaultProfile ] [-AsJob] [-MicrosoftSecurityIncidentCreation] [-NoWait] [-Confirm] [-WhatIf]
+ []
+```
+
+### UpdateNRT
+```
+Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ]
+ [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ]
+ [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ]
+ [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ]
+ [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ]
+ [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled]
+ [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-NRT] [-Confirm] [-WhatIf]
+ []
+```
+
+### UpdateViaIdentityFusionMLTI
+```
+Update-AzSentinelAlertRule -InputObject [-AlertRuleTemplateName ]
+ [-Enabled] [-DefaultProfile ] [-AsJob] [-FusionMLorTI] [-NoWait] [-Confirm] [-WhatIf]
+ []
+```
+
+### UpdateViaIdentityMicrosoftSecurityIncidentCreation
+```
+Update-AzSentinelAlertRule -InputObject [-AlertRuleTemplateName ]
+ [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled]
+ [-ProductFilter ] [-SeveritiesFilter ]
+ [-DefaultProfile ] [-AsJob] [-MicrosoftSecurityIncidentCreation] [-NoWait] [-Confirm] [-WhatIf]
+ []
+```
+
+### UpdateViaIdentityNRT
+```
+Update-AzSentinelAlertRule -InputObject [-AlertDescriptionFormat ]
+ [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ]
+ [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ]
+ [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ]
+ [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled]
+ [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident]
+ [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ]
+ [-DefaultProfile ] [-AsJob] [-NoWait] [-NRT] [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityUpdateScheduled
+```
+Update-AzSentinelAlertRule -InputObject [-AlertDescriptionFormat ]
+ [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ]
+ [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ]
+ [-Enabled] [-EntityMapping ]
+ [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ]
+ [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled]
+ [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ]
+ [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ]
+ [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ]
+ [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob]
+ [-NoWait] [-Scheduled] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Updates the alert rule.
+
+## EXAMPLES
+
+### Example 1: Update an scheduled alert rule
+```powershell
+PS C:\>Update-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -ruleId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Query "SecurityAlert | take 2"
+
+```
+
+This command updates a scheduled alert rule
+
+## PARAMETERS
+
+### -AlertDescriptionFormat
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertDisplayNameFormat
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertRuleTemplateName
+
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertSeverityColumnName
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertTacticsColumnName
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AsJob
+Run the command as a job
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CreateIncident
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled, UpdateViaIdentityMicrosoftSecurityIncidentCreation, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayNamesExcludeFilter
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayNamesFilter
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Enabled
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EntityMapping
+'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+To construct, see NOTES section for ENTITYMAPPING properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EventGroupingSettingAggregationKind
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind
+Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FusionMLorTI
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateFusionMLTI, UpdateViaIdentityFusionMLTI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupByAlertDetail
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupByCustomDetail
+
+
+```yaml
+Type: System.String[]
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupByEntity
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupingConfigurationEnabled
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityFusionMLTI, UpdateViaIdentityMicrosoftSecurityIncidentCreation, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -LookbackDuration
+
+
+```yaml
+Type: System.TimeSpan
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: New-TimeSpan -Hours 5
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MatchingMethod
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: "AllEntities"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MicrosoftSecurityIncidentCreation
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NoWait
+Run the command asynchronously
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NRT
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateNRT, UpdateViaIdentityNRT
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProductFilter
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName
+Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Query
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryFrequency
+
+
+```yaml
+Type: System.TimeSpan
+Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryPeriod
+
+
+```yaml
+Type: System.TimeSpan
+Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReOpenClosedIncident
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The Resource Group Name.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+[Alias('RuleId')]
+ The name of Operational Insights Resource Provider.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Scheduled
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SeveritiesFilter
+High, Medium, Low, Informational
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]
+Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Severity
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+The subscription ID forms part of the URI for every service call.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SuppressionDuration
+
+
+```yaml
+Type: System.TimeSpan
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: New-TimeSpan -Hours 5
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SuppressionEnabled
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tactic
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic
+Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerOperator
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator
+Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerThreshold
+
+
+```yaml
+Type: System.Int32
+Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ - `[EntityType ]`: The V3 type of the mapped entity
+ - `[FieldMapping ]`: array of field mappings for the given entity mapping
+ - `[ColumnName ]`: the column name to be mapped to the identifier
+ - `[Identifier ]`: the V3 identifier of the entity
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..fd6293696df4
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md
@@ -0,0 +1,258 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Update-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Creates or updates the action of alert rule.
+
+## SYNTAX
+
+### UpdateExpanded (Default)
+```
+Update-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId
+ -WorkspaceName [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ]
+ [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityExpanded
+```
+Update-AzSentinelAlertRuleAction -InputObject [-LogicAppResourceId ]
+ [-TriggerUri ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates or updates the action of alert rule.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>$LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName"
+PS C:\>$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+PS C:\>Update-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
+
+```
+
+This command updates an alert rule action
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Action ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases: ActionId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -LogicAppResourceId
+Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerUri
+Logic App Callback URL for this specific workflow.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..32387cd6fe0c
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md
@@ -0,0 +1,316 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelautomationrule +schema: 2.0.0 +--- + +# Update-AzSentinelAutomationRule + +## SYNOPSIS +Creates or updates the automation rule. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Action ] [-DisplayName ] [-Order ] + [-TriggeringLogicCondition ] [-TriggeringLogicExpirationTimeUtc ] + [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelAutomationRule -InputObject [-Action ] + [-DisplayName ] [-Order ] [-TriggeringLogicCondition ] + [-TriggeringLogicExpirationTimeUtc ] [-TriggeringLogicIsEnabled] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the automation rule. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +PS C:\> $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" +PS C:\> $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() +PS C:\> $automationRuleAction.Order = 1 +PS C:\> $automationRuleAction.ActionType = "RunPlaybook" +PS C:\> $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id) +PS C:\> $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id +PS C:\> Update-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled + + +``` + +This command updates an automation rule + +## PARAMETERS + +### -Action +The actions to execute when the automation rule is triggered +To construct, see NOTES section 
for ACTION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleAction[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +The display name of the automation rule + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Automation rule ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: AutomationRuleId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Order +The order of execution of the automation rule + +```yaml +Type: System.Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicCondition +The conditions to evaluate to determine if the automation rule should be triggered on a given object + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleCondition[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicExpirationTimeUtc +Determines when the automation rule should automatically expire and be disabled. + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicIsEnabled +Determines whether the automation rule is enabled or disabled. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +ACTION : The actions to execute when the automation rule is triggered + - `ActionType `: The type of the automation rule action + - `Order `: The order of execution of the automation rule action + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md new file mode 100644 index 000000000000..45ea63679831 --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md 
@@ -0,0 +1,399 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelbookmark +schema: 2.0.0 +--- + +# Update-AzSentinelBookmark + +## SYNOPSIS +Creates or updates the bookmark. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] + [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] + [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] + [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelBookmark -InputObject [-DisplayName ] + [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] + [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] + [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the bookmark. + +## EXAMPLES + +### Example 1: Update Sentinel Bookmark +```powershell +PS C:\> $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime + +This command updates a bookmark +``` + + + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +The display name of the bookmark + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EventTime +The bookmark event time + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: BookmarkId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoIncidentId +Incident Id + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoRelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoSeverity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoTitle +The title of the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False 
+``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this bookmark + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Note +The notes of the bookmark + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Query +The query of the bookmark. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryEndTime +The end time for the query + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryResult +The query result of the bookmark. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryStartTime +The start time for the query + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..b1afdbebaa24 --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,241 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelbookmarkrelation +schema: 2.0.0 +--- + +# Update-AzSentinelBookmarkRelation + +## SYNOPSIS +Creates the bookmark relation. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelBookmarkRelation -InputObject [-RelatedResourceId ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates the bookmark relation. + +## EXAMPLES + +### Example 1: Update a Bookmark relation +```powershell +PS C:\>Update-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 -RelationName f185b6f8-1a0d-43eb-97de-67720839ac67 -RelatedResourceId f185b6f8-1a0d-43eb-97de-67720839ac67 + +``` + +This command updates a bookmark relation + +## PARAMETERS + +### -BookmarkId +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md new file mode 100644 index 000000000000..4082cabed0dd --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md 
@@ -0,0 +1,1103 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentineldataconnector +schema: 2.0.0 +--- + +# Update-AzSentinelDataConnector + +## SYNOPSIS +Updates the data connector. + +## SYNTAX + +### UpdateAADAATP (Default) +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateAmazonWebServicesCloudTrail +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateAmazonWebServicesS3 +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ] + [-SQSURL ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateAzureSecurityCenter +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-ASCSubscriptionId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateDynamics365 +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateGenericUI +``` +Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-AvailabilityStatus ] + [-PermissionCustom ] + [-PermissionResourceProvider ] + [-UiConfigConnectivityCriterion ] [-UiConfigCustomImage ] + [-UiConfigDataType ] [-UiConfigDescriptionMarkdown ] + [-UiConfigGraphQueriesTableName ] [-UiConfigGraphQuery ] + [-UiConfigInstructionStep ] [-UiConfigPublisher ] + [-UiConfigSampleQuery ] [-UiConfigTitle ] [-DefaultProfile ] 
[-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftCloudAppSecurity +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-DiscoveryLogs ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftDefenderAdvancedThreatProtection +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftThreatIntelligence +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateMicrosoftThreatProtection +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Incidents ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateOffice365 +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateOfficeATP +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateOfficeIRM +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateThreatIntelligence +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName 
-WorkspaceName + [-SubscriptionId ] [-Indicators ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateThreatIntelligenceTaxii +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + -APIRootURL [-SubscriptionId ] [-CollectionId ] [-FriendlyName ] + [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] + [-TenantId ] [-UserName ] [-WorkspaceId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityAADAATP +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityAmazonWebServicesCloudTrail +``` +Update-AzSentinelDataConnector -InputObject [-AWSRoleArn ] + [-Logs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityAmazonWebServicesS3 +``` +Update-AzSentinelDataConnector -InputObject [-AWSRoleArn ] + [-DetinationTable ] [-Logs ] [-SQSURL ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityAzureSecurityCenter +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-ASCSubscriptionId ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] +``` + +### UpdateViaIdentityDynamics365 +``` +Update-AzSentinelDataConnector -InputObject [-CommonDataServiceActivity ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityGenericUI +``` +Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-AvailabilityStatus ] + [-PermissionCustom ] + [-PermissionResourceProvider ] + [-UiConfigConnectivityCriterion ] [-UiConfigCustomImage ] + [-UiConfigDataType ] [-UiConfigDescriptionMarkdown ] + [-UiConfigGraphQueriesTableName ] [-UiConfigGraphQuery ] + [-UiConfigInstructionStep ] [-UiConfigPublisher ] + [-UiConfigSampleQuery ] [-UiConfigTitle ] [-DefaultProfile ] 
[-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityMicrosoftCloudAppSecurity +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-DiscoveryLogs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] +``` + +### UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityMicrosoftThreatIntelligence +``` +Update-AzSentinelDataConnector -InputObject + [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityMicrosoftThreatProtection +``` +Update-AzSentinelDataConnector -InputObject [-Incidents ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityOffice365 +``` +Update-AzSentinelDataConnector -InputObject [-Exchange ] + [-SharePoint ] [-Teams ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityOfficeATP +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityOfficeIRM +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityThreatIntelligence +``` +Update-AzSentinelDataConnector -InputObject [-Indicators ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityThreatIntelligenceTaxii +``` +Update-AzSentinelDataConnector -InputObject [-CollectionId ] + [-FriendlyName ] [-Password ] [-PollingFrequency ] + [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] + 
[-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Updates the data connector.
+
+## EXAMPLES
+
+### Example 1: Update a Sentinel data connector
+```powershell
+PS C:\>Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled"
+
+```
+
+This command updates a Sentinel data connector
+
+## PARAMETERS
+
+### -Alerts
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAADAATP, UpdateAzureSecurityCenter, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateOfficeATP, UpdateOfficeIRM, UpdateViaIdentityAADAATP, UpdateViaIdentityAzureSecurityCenter, UpdateViaIdentityMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityOfficeATP, UpdateViaIdentityOfficeIRM
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -APIRootURL
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ASCSubscriptionId
+ASC Subscription Id.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAzureSecurityCenter, UpdateViaIdentityAzureSecurityCenter
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AsJob
+Run the command as a job
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AvailabilityIsPreview
+
+
+```yaml
+Type: System.Boolean
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AvailabilityStatus
+
+
+```yaml
+Type: System.Int32
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: 1
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AWSRoleArn
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BingSafetyPhishingUrlLookbackPeriod
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BingSafetyPhishinURL
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+###
-CollectionId
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CommonDataServiceActivity
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateDynamics365, UpdateViaIdentityDynamics365
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DataConnectorId
+[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ The Id of the Data Connector.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DetinationTable
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesS3
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DiscoveryLogs
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftCloudAppSecurity
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Exchange
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FriendlyName
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Incidents
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftThreatProtection, UpdateViaIdentityMicrosoftThreatProtection
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Indicators
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligence, UpdateViaIdentityThreatIntelligence
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory,
ValueFromPipeline)]
+ Identity Parameter
+
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityAADAATP, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3, UpdateViaIdentityAzureSecurityCenter, UpdateViaIdentityDynamics365, UpdateViaIdentityMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatProtection, UpdateViaIdentityOffice365, UpdateViaIdentityOfficeATP, UpdateViaIdentityOfficeIRM, UpdateViaIdentityThreatIntelligence, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Logs
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MicrosoftEmergingThreatFeed
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MicrosoftEmergingThreatFeedLookbackPeriod
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NoWait
+Run the command asynchronously
+
+```yaml
+Type:
System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PermissionCustom
+To construct, see NOTES section for PERMISSIONCUSTOM properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PermissionResourceProvider
+To construct, see NOTES section for PERMISSIONRESOURCEPROVIDER properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PollingFrequency
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ The Resource Group Name.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SharePoint
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SQSURL
+
+
+```yaml
+Type: System.String[]
+Parameter Sets: UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesS3
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+[Parameter(ParameterSetName = 'UpdateGenericUI')]
+ Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ The subscription ID forms part of the URI for every service call.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TaxiiLookbackPeriod
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Teams
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TenantId
+[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ The TenantId.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAADAATP, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii, UpdateViaIdentityAADAATP, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3, UpdateViaIdentityAzureSecurityCenter, UpdateViaIdentityDynamics365, UpdateViaIdentityMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatProtection, UpdateViaIdentityOffice365, UpdateViaIdentityOfficeATP, UpdateViaIdentityOfficeIRM, UpdateViaIdentityThreatIntelligence, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Tenant.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigConnectivityCriterion
+To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigCustomImage
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigDataType
+To construct, see NOTES section for UICONFIGDATATYPE properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigDescriptionMarkdown
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigGraphQueriesTableName
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigGraphQuery
+To construct, see NOTES section for UICONFIGGRAPHQUERY properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigInstructionStep
+To construct, see NOTES section for UICONFIGINSTRUCTIONSTEP properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigPublisher
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigSampleQuery
+To construct, see NOTES section for UICONFIGSAMPLEQUERY properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UiConfigTitle
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserName
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceId
+
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+PERMISSIONCUSTOM :
+ - `[Description ]`: Customs permissions description
+ - `[Name ]`: Customs permissions name
+
+PERMISSIONRESOURCEPROVIDER :
+ - `[PermissionsDisplayText ]`: Permission description text
+ - `[Provider ]`: Provider name
+ - `[ProviderDisplayName ]`: Permission provider display name
+ - `[RequiredPermissionAction ]`: action permission
+ - `[RequiredPermissionDelete ]`: delete permission
+ - `[RequiredPermissionRead ]`: read permission
+ - `[RequiredPermissionWrite ]`: write permission
+ - `[Scope ]`: Permission provider scope
+
+UICONFIGCONNECTIVITYCRITERION :
+ - `[Type ]`: type of connectivity
+ - `[Value ]`: Queries for checking connectivity
+
+UICONFIGDATATYPE :
+ - `[LastDataReceivedQuery ]`: Query for indicate last data received
+ - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder
+
+UICONFIGGRAPHQUERY :
+ - `[BaseQuery ]`: The base query for the graph
+ - `[Legend ]`: The legend for the graph
+ - `[MetricName ]`: the metric that the query is checking
+
+UICONFIGINSTRUCTIONSTEP :
+ - `[Description ]`: Instruction step description
+ - `[Instruction ]`: Instruction step details
+ - `Type `: The kind of the setting
+ - `[Parameter ]`: The parameters for the setting
+ - `[Title ]`: Instruction step title
+
+UICONFIGSAMPLEQUERY :
+ - `[Description ]`: The sample query description
+ - `[Query ]`: the sample query
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..33db3190b520
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md
@@ -0,0 +1,410 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelentityquery
+schema: 2.0.0
+---
+
+# Update-AzSentinelEntityQuery
+
+## SYNOPSIS
+Updates the entity query.
+
+## SYNTAX
+
+### UpdateActivity (Default)
+```
+Update-AzSentinelEntityQuery -EntityQueryId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Content ] [-Description ] [-Disabled] [-Enabled]
+ [-EntitiesFilter ] [-InputEntityType ]
+ [-QueryDefinitionQuery ] [-RequiredInputFieldsSet ] [-TemplateName ]
+ [-Title ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityActivity
+```
+Update-AzSentinelEntityQuery -InputObject [-Content ]
+ [-Description ] [-Disabled] [-Enabled]
+ [-EntitiesFilter ] [-InputEntityType ]
+ [-QueryDefinitionQuery ] [-RequiredInputFieldsSet ] [-TemplateName ]
+ [-Title ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Updates the entity query.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+## PARAMETERS
+
+### -AsJob
+Run the command as a job
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Content
+
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Disabled
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Enabled
+
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EntitiesFilter
+To construct, see NOTES section for ENTITIESFILTER properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EntityQueryId
+The Id of the Entity Query.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateActivity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputEntityType
+
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityActivity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -NoWait
+Run the command asynchronously
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryDefinitionQuery
+
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RequiredInputFieldsSet
+
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The Resource Group Name.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateActivity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+The subscription ID forms part of the URI for every service call.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateActivity
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TemplateName
+
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Title
+
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+[Alias('DataConnectionName')]
+ The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateActivity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+ENTITIESFILTER :
+ - `[(Any) ]`: This indicates any property can be added to this object.
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/docs/Update-AzSentinelIncident.md
new file mode 100644
index 000000000000..6ab3349374a1
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelIncident.md
@@ -0,0 +1,475 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelincident +schema: 2.0.0 +--- + +# Update-AzSentinelIncident + +## SYNOPSIS +Creates or updates the incident. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Classification ] [-ClassificationComment ] + [-ClassificationReason ] [-Description ] + [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] + [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] + [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ] + [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelIncident -InputObject [-Classification ] + [-ClassificationComment ] [-ClassificationReason ] + [-Description ] [-FirstActivityTimeUtc ] [-Label ] + [-LastActivityTimeUtc ] [-OwnerAssignedTo ] [-OwnerEmail ] + [-OwnerObjectId ] [-OwnerUserPrincipalName ] [-ProviderIncidentId ] + [-ProviderName ] [-Severity ] [-Status ] [-Title ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident. 
+ +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +PS C:\> {{ Add code here }} + +{{ Add output here }} +``` + +{{ Add description here }} + +### Example 2: {{ Add title here }} +```powershell +PS C:\> {{ Add code here }} + +{{ Add output here }} +``` + +{{ Add description here }} + +## PARAMETERS + +### -Classification +The reason the incident was closed + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassification +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationComment +Describes the reason the incident was closed + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationReason +The classification reason the incident was closed with + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassificationReason +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +The description of the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FirstActivityTimeUtc +The time of the first activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: IncidentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this incident +To construct, see NOTES section for LABEL properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentLabel[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastActivityTimeUtc +The time of the last activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerAssignedTo +The name of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerEmail +The email of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerObjectId +The object id of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerUserPrincipalName +The user principal name of the user the incident is assigned to. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderIncidentId +The incident ID assigned by the incident provider + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderName +The name of the source provider that generated the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Status +The status of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentStatus +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title +The title of the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +LABEL : List of labels relevant to this incident + - `LabelName `: The name of the label + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md new file mode 100644 index 000000000000..ce2a533fd0e8 --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md 
@@ -0,0 +1,241 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelincidentcomment +schema: 2.0.0 +--- + +# Update-AzSentinelIncidentComment + +## SYNOPSIS +Creates or updates the incident comment. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelIncidentComment -Id -IncidentId -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-Message ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelIncidentComment -InputObject [-Message ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident comment. + +## EXAMPLES + +### Example 1: Update incident comment +```powershell +PS C:\>Update-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 8bb5c1eb-a3a9-4575-9451-cd2834be0e0a -Message "my comment" + +``` + +This command updates an incident comment + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident comment ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: IncidentCommentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Message +The comment message + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md new file mode 100644 index 000000000000..d3a2c2426da7 --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md 
@@ -0,0 +1,242 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelincidentrelation +schema: 2.0.0 +--- + +# Update-AzSentinelIncidentRelation + +## SYNOPSIS +Creates or updates the incident relation. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelIncidentRelation -IncidentId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelIncidentRelation -InputObject [-RelatedResourceId ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident relation. + +## EXAMPLES + +### Example 1: Update an incident relation +```powershell +PS C:\> $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId" +PS C:\> Update-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id) + +``` + +This command updates an incident relation + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md new file mode 100644 index 000000000000..b008856f850f --- /dev/null +++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md 
@@ -0,0 +1,301 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelsetting +schema: 2.0.0 +--- + +# Update-AzSentinelSetting + +## SYNOPSIS +Updates setting. + +## SYNTAX + +### UpdateExpandedAnomaliesEyesOnEntityAnalytics (Default) +``` +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName + [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] +``` + +### UpdateExpandedUeba +``` +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName + [-SubscriptionId ] [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +``` +Update-AzSentinelSetting -InputObject [-Disabled] [-Enabled] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpandedUeba +``` +Update-AzSentinelSetting -InputObject [-DataSource ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Updates setting. 
+ +## EXAMPLES + +### Example 1: Update the Anomalies setting +```powershell +PS C:\> Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled + +``` + +This command updates the Anomalies setting, other settings are: +EyesOn, EntityAnalytics and Ueba + +## PARAMETERS + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataSource + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[] +Parameter Sets: UpdateExpandedUeba, UpdateViaIdentityExpandedUeba +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Disabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Enabled +Anomalies + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SettingsName +The setting Name + +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. + +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +INPUTOBJECT : Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/examples/Get-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Get-AzSentinelAlertRule.md new file mode 100644 index 000000000000..a72e1165ccf2 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAlertRule.md 
@@ -0,0 +1,51 @@ +### Example 1: List all Alert Rules +```powershell +PS C:\> Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command lists all Alert Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Alert Rule +```powershell +PS C:\> Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "d6c7a42b-c0da-41ef-9629-b3d2d407b181" + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule. + +### Example 3: Get an Alert Rule by object Id +```powershell +PS C:\> $rules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $rules[0] | Get-AzSentinelAlertRule + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule by object \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md new file mode 100644 index 000000000000..7e4f041c15eb --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md @@ -0,0 +1,14 @@ +### Example 1: List all Actions for a given Alert Rule +```powershell +PS C:\> Get-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "myRuleId" + +LogicAppResourceId : /subscriptions/174b1a81-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/A-Demo-1 +Name : f32239c5-cb9c-48da-a3f6-bd5bd3d924a4 +WorkflowId : 3c73d72560fa4cb6a72a0f10d3a80940 + +LogicAppResourceId : /subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/EmptyPlaybook +Name : cf815c77-bc65-4c02-946f-d81e15e9a100 +WorkflowId : 1ac8ccb8bd134253b4baf0c75fe3ecc6 +``` + +This command lists all Actions for a given Alert Rule. diff --git a/src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md new file mode 100644 index 000000000000..98fcaeba43ea --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md 
@@ -0,0 +1,39 @@ +### Example 1: List all Alert Rule Templates +```powershell +PS C:\> Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +DisplayName : TI map IP entity to GitHub_CL +Description : Identifies a match in GitHub_CL table from any IP IOC from TI +CreatedDateUtc : 8/27/2019 12:00:00 AM +LastUpdatedDateUtc : 10/19/2021 12:00:00 AM +Kind : Scheduled +Severity : Medium +Name : aac495a9-feb1-446d-b08e-a1164a539452 + +DisplayName : Accessed files shared by temporary external user +Description : This detection identifies an external user is added to a Team or Teams chat + and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be + an indicator of suspicious activity. +CreatedDateUtc : 8/18/2020 12:00:00 AM +LastUpdatedDateUtc : 1/3/2022 12:00:00 AM +Kind : Scheduled +Severity : Low +Name : bff058b2-500e-4ae5-bb49-a5b1423cbd5b +``` + +This command lists all Alert Rule Templates under a Microsoft Sentinel workspace. + +### Example 2: Get an Alert Rule Template +```powershell +PS C:\> Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myRuaac495a9-feb1-446d-b08e-a1164a539452leTemplateId" + +DisplayName : TI map IP entity to GitHub_CL +Description : Identifies a match in GitHub_CL table from any IP IOC from TI +CreatedDateUtc : 8/27/2019 12:00:00 AM +LastUpdatedDateUtc : 10/19/2021 12:00:00 AM +Kind : Scheduled +Severity : Medium +Name : aac495a9-feb1-446d-b08e-a1164a539452 +``` + +This command gets an Alert Rule Template. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md new file mode 100644 index 000000000000..855d2af87aae --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md 
@@ -0,0 +1,30 @@ +### Example 1: List all Automation Rules +```powershell +PS C:\> Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +DisplayName : VIP automation rule +CreatedByEmail : luke@contoso.com +CreatedByUserPrincipalName : luke@contoso.com +TriggeringLogicIsEnabled : True +TriggeringLogicTriggersOn : Incidents +TriggeringLogicTriggersWhen : Created +Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 + +``` + +This command lists all Automation Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Automation Rule +```powershell +PS C:\> Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "2f32af32-ad13-4fbb-9fbc-e19e0e7ff767" + +DisplayName : VIP automation rule +CreatedByEmail : luke@contoso.com +CreatedByUserPrincipalName : luke@contoso.com +TriggeringLogicIsEnabled : True +TriggeringLogicTriggersOn : Incidents +TriggeringLogicTriggersWhen : Created +Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 +``` + +This command gets an Automation Rule. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelBookmark.md b/src/SecurityInsights/examples/Get-AzSentinelBookmark.md new file mode 100644 index 000000000000..24608e16bd47 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelBookmark.md 
@@ -0,0 +1,28 @@ +### Example 1: List all Bookmarks +```powershell +PS C:\> Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +DisplayName : SecurityAlert - 28b401e1e0c9 +CreatedByEmail : john@contoso.com +CreatedByName : John Contoso +Label : {} +Note : This needs further investigation +Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9 + +``` + +This command lists all Bookmarks under a Microsoft Sentinel workspace. + +### Example 2: Get a Bookmark +```powershell +PS C:\> Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "515fc035-2ed8-4fa1-ad7d-28b401e1e0c9" + +DisplayName : SecurityAlert - 28b401e1e0c9 +CreatedByEmail : john@contoso.com +CreatedByName : John Contoso +Label : {} +Note : This needs further investigation +Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9 +``` + +This command gets a Bookmark. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..c14d44334ffb --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,33 @@ +### Example 1: List all Bookmark Relations for a given Bookmark +```powershell +PS C:\> Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" + +Name : 83846045-d8dc-4d6b-abbe-7588219c474e +RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 +RelatedResourceType : Microsoft.SecurityInsights/Incidents +``` + +This command lists all Bookmark Relations for a given Bookmark. + +### Example 2: Get a Bookmark Relation +```powershell +PS C:\> Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" + +Name : 83846045-d8dc-4d6b-abbe-7588219c474e +RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 +RelatedResourceType : Microsoft.SecurityInsights/Incidents +``` + +This command gets a Bookmark Relation. + +### Example 3: Get a Bookmark Relation by object Id +```powershell +PS C:\> $Bookmarkrelations = Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" +PS C:\> $Bookmarkrelations[0] | Get-AzSentinelBookmarkRelation + +Name : 83846045-d8dc-4d6b-abbe-7588219c474e +RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 +RelatedResourceType : Microsoft.SecurityInsights/Incidents +``` + +This command gets a Bookmark by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Get-AzSentinelDataConnector.md new file mode 100644 index 000000000000..c362280073a5 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelDataConnector.md 
@@ -0,0 +1,27 @@ +### Example 1: List all Data Connectors +```powershell +PS C:\> Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Kind : AzureActiveDirectory +Name : 8207e1f9-a793-4869-afb1-5ad4540d66d1 + +Kind : AzureAdvancedThreatProtection +Name : 1d75aada-a558-4461-986b-c6822182e81d + +Kind : Office365 +Name : 6323c716-83ae-4cfd-bf93-58235c8beb23 + +``` + +This command lists all DataConnectors under a Microsoft Sentinel workspace. + +### Example 2: Get a specific Data Connector +```powershell +PS C:\> Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.kind -eq "Office365"} + +Kind : Office365 +Name : 6323c716-83ae-4cfd-bf93-58235c8beb23 +SharePointState : enabled +``` + +This command gets a specific DataConnector based on kind \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md b/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md new file mode 100644 index 000000000000..ac2499900e2c --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md 
@@ -0,0 +1,39 @@ +### Example 1: Get a Domain Enrichment +```powershell +PS C:\> Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com + +Created : 5/2/1991 12:00:00 AM +Domain : microsoft.com +Expire : 5/3/2022 12:00:00 AM +Server : whois.markmonitor.com +Updated : 3/12/2021 12:00:00 AM +``` + +This command gets an enrichment for a domain. + +### Example 2: Get a IP Enrichment +```powershell +PS C:\> Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" IPAddress "1.1.1.1" + +Asn : 13335 +Carrier : cloudflare +City : ringwood +CityCf : 90 +Continent : oceania +Country : australia +CountryCf : 99 +IPAddr : 1.1.1.1 +IPRoutingType : fixed +Latitude : -37.8143 +Longitude : 145.2274 +Organization : apnic and cloudflare dns resolver project +OrganizationType : Internet Hosting Services +Region : +State : victoria +StateCf : 95 +StateCode : + +``` + +This command an enrichment for an IP Address. + diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntity.md b/src/SecurityInsights/examples/Get-AzSentinelEntity.md new file mode 100644 index 000000000000..e3632ec49683 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntity.md 
@@ -0,0 +1,48 @@ +### Example 1: List all Entities +```powershell +PS C:\> Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 + +FriendlyName : 186.120.101.12 +Kind : Ip +Name : bb590b07-5ef5-bf85-1c3e-2a04e1e137d2 +``` + +This command lists all Entities under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity +```powershell +PS C:\> Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "8d036a2d-f37d-e936-6cca-4e172687cb79" + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 +``` + +This command gets an Entity. + +### Example 3: Get a Entity by object Id +```powershell +PS C:\> $Entitys = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $Entitys[0] | Get-AzSentinelEntity + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 +``` + +This command gets an Entity by object + +### Example 4: Get a Entity by kind +```powershell +PS C:\> Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Kind -eq "CloudApplication"} + +FriendlyName : Office 365 +Kind : CloudApplication +Name : 8fceb9c4-abe7-7174-aabf-f1dde96a945e +``` + +This command gets an Entity by kind \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md new file mode 100644 index 000000000000..33c6f5a81e02 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md 
@@ -0,0 +1,27 @@ +### Example 1: Get Insights and Activities for an Entity +```powershell +PS C:\> Get-AzSentinelEntityAcivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" + +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 + +FriendlyName : HackTool:Win32/Mimikatz.gen!H +Kind : Malware +Name : 876fda24-fe06-62b7-7dca-bced167a0ca3 + +FriendlyName : 52.166.111.66 +Kind : Ip +Name : 4ebb68f3-a435-fac0-d3b6-94712d246f0a +``` + +This command gets insights and activities for an Entity. + +### Example 2: Get Insights and Activities for an Entity by Id +```powershell +PS C:\> $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "4ebb68f3-a435-fac0-d3b6-94712d246f0a" +PS C:\> $Entity | Get-AzSentinelEntityActivity + +``` + +This command gets insights and activies for an Entity by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md new file mode 100644 index 000000000000..dbfc35fca521 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md 
@@ -0,0 +1,30 @@ +### Example 1: Get Insights for an Entity for a given time range +```powershell +PS C:\> $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> Get-AzSentinelEntityInsight -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime + +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity for a given time range. + +### Example 2: Get Insights for an Entity by entity Id for a given time range +```powershell +PS C:\> $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79" +PS C:\> $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime + +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity by object for a given time range. \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..61a3877e9ef4 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md 
@@ -0,0 +1,55 @@ +### Example 1: List all Entity Queries +```powershell +PS C:\> Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert + +DisplayName : Related alerts +DataSource : {SecurityAlert} +Name : 055a5692-555f-42bd-ac17-923a5a9994ed +InputEntityType : Host +``` + +This command lists all Entity Queries under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query +```powershell +PS C:\> Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryId" + +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets an Entity Query. + +### Example 3: Get an Entity Query by object Id +```powershell +PS C:\> $EntityQueries = Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $EntityQueries[0] | Get-AzSentinelEntityQuery + +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets a Entity Query by object. \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md new file mode 100644 index 000000000000..ecae751b34d0 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md 
@@ -0,0 +1,43 @@ +### Example 1: List all Entity Query Templates +```powershell +PS C:\> Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Title : The user has created an account +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa + +Title : The user has deleted an account +Description : This activity displays account deletion events performed by the user +InputEntityType : Account +Kind : Activity +Name : e0459780-ac9d-4b72-8bd4-fecf6b46a0a1 +``` + +This command lists all Entity Query Templates under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query Template +```powershell +PS C:\> Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "d6d08c94-455f-4ea5-8f76-fc6c0c442cfa" + +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets an Entity Query Template. + +### Example 3: Get an Entity Query Template by object Id +```powershell +PS C:\> $EntityQueryTemplates = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +PS C:\> $EntityQueryTemplates[0] | Get-AzSentinelEntityQueryTemplate + +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets a Entity Query Template by object. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md new file mode 100644 index 000000000000..7de72875a965 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md 
@@ -0,0 +1,22 @@ +### Example 1: List all Entity Relations for a given Entity +```powershell +PS C:\> Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +``` + +This command lists all Entity Relations for a given Entity. + +### Example 2: Get an Entity Relation +```powershell +PS C:\> Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -Id "myEntityRelationId" +``` + +This command gets an Entity Relation for a given Entity. + +### Example 3: Get an Entity Relation by object Id +```powershell +PS C:\> $EntityRelations = Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +PS C:\> $EntityRelations[0] | Get-AzSentinelEntityRelation + +``` + +This command gets a Entity Relation by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md new file mode 100644 index 000000000000..d63a0b1c7039 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md 
@@ -0,0 +1,17 @@ +### Example 1: Get Timeline for an Entity for a given time range +```powershell +PS C:\> $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" +PS C:\> Get-AzSentinelEntityTime -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime + +DisplayName : Suspicious process executed +Description : Machine logs indicate that a suspicious process often associated with attacker attempts to access credentials was running on the host. +Kind : SecurityAlert +ProductName : Azure Security Center +Severity : High +StartTimeUtc : 12/20/2021 3:04:17 PM +EndTimeUtc : 12/20/2021 3:04:17 PM +TimeGenerated : 12/20/2021 3:05:52 PM +``` + +This command gets the Timeline for an Entity for a given time range. diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncident.md b/src/SecurityInsights/examples/Get-AzSentinelIncident.md new file mode 100644 index 000000000000..d04f297f1bec --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncident.md 
@@ -0,0 +1,29 @@ +### Example 1: List all Incidents +```powershell +PS C:\> Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + +Title : (Preview) TI map IP entity to AzureActivity +Description : Identifies a match in AzureActivity from any IP IOC from TI +Severity : Medium +Number : 754 +Label : {} +ProviderName : Azure Sentinel +Name : f5409f55-7dd8-4c73-9981-4627520b2db +``` + +This command lists all Incidents under a Microsoft Sentinel workspace. + +### Example 2: Get an Incident +```powershell +PS C:\> Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "f5409f55-7dd8-4c73-9981-4627520b2db" + +Title : (Preview) TI map IP entity to AzureActivity +Description : Identifies a match in AzureActivity from any IP IOC from TI +Severity : Medium +Number : 754 +Label : {} +ProviderName : Azure Sentinel +Name : f5409f55-7dd8-4c73-9981-4627520b2db +``` + +This command gets an Incident. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md new file mode 100644 index 000000000000..635b8efdc330 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md @@ -0,0 +1,16 @@ +### Example 1: List all Alerts for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentAlert -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" + +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command lists all Alerts for a given Incident. \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md new file mode 100644 index 000000000000..273ba19eb108 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md @@ -0,0 +1,15 @@ +### Example 1: List all Bookmarks for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7f40bbbc-e205-404b-bc2b-5d71cd1017a8" + +DisplayName : My 2021 Bookmark +FriendlyName : My 2021 Bookmark +Label : {my Tags} +Note : my notes + 2nd line notes +CreatedByEmail : luke@contoso.com +CreatedByName : Luke +Name : 4557d832-41f0-456f-977e-78a2e129b8d0 +``` + +This command lists all Bookmarks for a given Incident. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md new file mode 100644 index 000000000000..0237c0e7f8e5 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md 
@@ -0,0 +1,28 @@ +### Example 1: List all Incident Comments for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1" + +AuthorEmail : john@contoso.com +AuthorName : John Contoso +AuthorUserPrincipalName : john@contoso.com +CreatedTimeUtc : 1/6/2022 2:15:44 PM +Message : This is my comment +Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1 + +``` + +This command lists all Incident Comments for a given Incident. + +### Example 2: Get an Incident Comment +```powershell +PS C:\> Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1" -Id "da0957c9-2f1a-44a2-bc83-a2c0696b2bf1" + +AuthorEmail : john@contoso.com +AuthorName : John Contoso +AuthorUserPrincipalName : john@contoso.com +CreatedTimeUtc : 1/6/2022 2:15:44 PM +Message : This is my comment +Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1 +``` + +This command gets an Incident Comment. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md new file mode 100644 index 000000000000..cb3e17c7bd1e --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md @@ -0,0 +1,10 @@ +### Example 1: List all Entities for a given Incident +```powershell +PS C:\> Get-AzSentinelIncidentEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "0ddb580f-efd0-4076-bb77-77e9aef8a187" + +FriendlyName : win2019 +Kind : Host +Name : cb577adf-0266-8873-84d7-accf4b45417b +``` + +This command lists all Entities for a given Incident. \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md new file mode 100644 index 000000000000..2842c59ae3e4 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md 
@@ -0,0 +1,41 @@
+### Example 1: List all Incident Relations for a given Incident
+```powershell
+PS C:\> Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+
+Name : 8969f5ea-4e92-433a-9b67-2f9233d8113f_457a48b2-9dfc-7054-64a5-e8a9d17489d7
+RelatedResourceName : 457a48b2-9dfc-7054-64a5-e8a9d17489d7
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command lists all Incident Relations for a given Incident.
+
+### Example 2: Get a Incident Relation
+```powershell
+PS C:\> Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id "myIncidentRelationId"
+
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command gets a Incident Relation.
+
+### Example 3: Get a Incident Relation by object Id
+```powershell
+PS C:\> $Incidentrelations = Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+PS C:\> $Incidentrelations[0] | Get-AzSentinelIncidentRelation
+
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command gets a Incident by object
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelMetadata.md b/src/SecurityInsights/examples/Get-AzSentinelMetadata.md
new file mode 100644
index 000000000000..093355d11d50
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelMetadata.md
@@ -0,0 +1,18 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..b5a47a1aef6d
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md
@@ -0,0 +1,19 @@
+### Example 1: List all Onboarding States
+```powershell
+PS C:\> Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default
+Name : default
+```
+
+This command lists all Onboarding States under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Onboarding State
+```powershell
+PS C:\> Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "default"
+
+Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default
+Name : default
+```
+
+This command gets an Onboarding State.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelSetting.md b/src/SecurityInsights/examples/Get-AzSentinelSetting.md
new file mode 100644
index 000000000000..69691dbb9dc7
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelSetting.md
@@ -0,0 +1,48 @@
+### Example 1: List all Settings
+```powershell
+PS C:\> Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+Kind : EntityAnalytics
+Name : EntityAnalytics
+IsEnabled : True
+
+Kind : EyesOn
+Name : EyesOn
+IsEnabled : True
+
+Kind : IPSyncer
+Name : IPSyncer
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+
+Kind : Ueba
+Name : Ueba
+DataSource : {AuditLogs, AzureActivity, SecurityEvent, SigninLogs}
+```
+
+This command lists all Settings under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Setting
+```powershell
+PS C:\> Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName "Anomalies"
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting.
+
+### Example 3: Get a Setting by object Id
+```powershell
+PS C:\> $Settings = Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+PS C:\> $Settings[0] | Get-AzSentinelSetting
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting by object
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelSourceControlRepository.md b/src/SecurityInsights/examples/Get-AzSentinelSourceControlRepository.md
new file mode 100644
index 000000000000..093355d11d50
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelSourceControlRepository.md
@@ -0,0 +1,18 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md
new file mode 100644
index 000000000000..e82f5cd28033
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md
@@ -0,0 +1,38 @@
+### Example 1: List all Threat Intelligence Indicators
+```powershell
+PS C:\> Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+```
+
+This command lists all Threat Intelligence Indicators under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Threat Intelligence Indicator
+```powershell
+PS C:\> Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "514840ce-5582-f7a4-8562-7996e29dc07a"
+
+Kind : indicator
+Name : 514840ce-5582-f7a4-8562-7996e29dc07a
+```
+
+This command gets a Threat Intelligence Indicator by name (Id)
+
+### Example 3: Get the Threat Intelligence Indicator top 3
+```powershell
+PS C:\> $tiIndicators = Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Top 3
+
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+
+Kind : indicator
+Name : 38ac867b-85f9-be4c-afd5-b3cffdcf69f1
+```
+
+This command gets a Threat Intelligence Indicator by object
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
new file mode 100644
index 000000000000..b980385c61f7
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
@@ -0,0 +1,11 @@
+### Example 1: Get all metrics for Threat Intelligence Indicators
+```powershell
+PS C:\> Get-AzSentinelThreatIntelligenceIndicatorMetric -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+
+LastUpdatedTimeUtc : 2022-02-07T10:44:45.3919348Z
+PatternTypeMetric : {network-traffic, url, ipv4-addr, file}
+SourceMetric : {Microsoft Emerging Threat Feed, Bing Safety Phishing URL, Azure Sentinel, CyberCrime…}
+ThreatTypeMetric : {botnet, maliciousurl, phishing, malicious-activity…}
+```
+
+This command gets Threat Intelligence Indicator metrics.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
new file mode 100644
index 000000000000..093355d11d50
--- /dev/null
+++ b/src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
@@ -0,0 +1,18 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRule.md b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..6b212c8adfa8
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
@@ -0,0 +1,52 @@
+### Example 1: Create the Fusion Alert rule
+```powershell
+PS C:\> $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
+PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+
+```
+
+This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection"
+
+### Example 2: Create the ML Behavior Analytics Alert Rule
+```powershell
+PS C:\> $AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b"
+PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+
+```
+
+This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection"
+
+### Example 2: Create the Threat Intelligence Alert Rule
+```powershell
+PS C:\> $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6"
+PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+
+```
+
+This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics"
+
+### Example 3: Create a Microsoft Security Incident Creation Alert Rule
+```powershell
+PS C:\> $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
+PS C:\> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT"
+
+
+```
+
+This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts.
+
+### Example 4: Create a Scheduled Alert Rule
+```powershell
+PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
+
+```
+
+This command creates an Alert Rule of the Scheduled kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
+
+### Example 5: Create a Near Realtime Alert Rule
+```powershell
+PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
+
+```
+
+This command creates an Alert Rule of the NRT kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..7170bd2b510f
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md
@@ -0,0 +1,10 @@
+### Example 1: Add a Logic App Playbook as an action to an existing analytics rule
+```powershell
+PS C:\> $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName"
+$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+New-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
+
+```
+
+This command adds an existing Logic App Playbook to an existing analytics rule
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..e967d03ef998
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md
@@ -0,0 +1,28 @@
+### Example 1: Create an Automation Rule using Run Playbook
+```powershell
+PS C:\> $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
+PS C:\> $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+PS C:\> $automationRuleAction.Order = 1
+PS C:\> $automationRuleAction.ActionType = "RunPlaybook"
+PS C:\> $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
+PS C:\> $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id
+PS C:\> New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled
+
+{{ Add output here }}
+```
+
+This command creates an Automation Rule that has an Action of Run Playbook.
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new()
+PS C:\> $automationRuleAction.Order = 1
+PS C:\> $automationRuleAction.ActionType = "ModifyProperties"
+PS C:\> $automationRuleAction.ActionConfigurationSeverity = "Low"
+PS C:\> New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Change severity to Low" -Order 3 -TriggeringLogicIsEnabled
+
+{{ Add output here }}
+```
+
+This command creates an Automation Rule that has an Action of changing the severity.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelBookmark.md b/src/SecurityInsights/examples/New-AzSentinelBookmark.md
new file mode 100644
index 000000000000..b03366da325b
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelBookmark.md
@@ -0,0 +1,15 @@
+### Example 1: Create a Bookmark
+```powershell
+PS C:\> $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+PS C:\> $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+PS C:\> New-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
+
+DisplayName : Incident Evidence
+CreatedByName : John Contoso
+CreatedByEmail : john@contoso.com
+Name : 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59
+Note : my notes
+```
+
+This command creates a Bookmark.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..ce1ef55c6d2d
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md
@@ -0,0 +1,8 @@
+### Example 1: Create a Bookmark Relation
+```powershell
+PS C:\> $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId"
+PS C:\> $bookmarkRelation = New-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($incident.Id)
+```
+
+This command creates a Bookmark Relation connecting the Incident to the Bookmark.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..85e8f5d82515
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
@@ -0,0 +1,6 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
+```
+
+This command enables the Threat Intelligence data connector
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..5a7bc83c3e6a
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
@@ -0,0 +1,26 @@
+### Example 1: Create Entity Query
+```powershell
+PS C:\> $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
+PS C:\> New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" [-EntityQueryId ] -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name)
+
+Title : The user has created an account
+Name : 6d37a904-d199-43ff-892b-53653b784122
+Content : The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)
+Description : This activity displays account creation events performed by the user
+Enabled : True
+Kind : Activity
+CreatedTimeUtc : 12/22/2021 11:44:34 AM
+LastModifiedTimeUtc : 12/22/2021 11:47:13 AM
+
+```
+
+This command creates an Entity Query by using a Template.
+
+### Example 2: Create Entity Query
+```powershell
+PS C:\> New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")}
+
+```
+
+This command creates an Entity Query.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncident.md b/src/SecurityInsights/examples/New-AzSentinelIncident.md
new file mode 100644
index 000000000000..a1aed8e96cae
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncident.md
@@ -0,0 +1,15 @@
+### Example 1: Create an Incident
+```powershell
+PS C:\> New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Title "NewIncident" -Description "My Description" -Severity Low -Status New
+
+Title : NewIncident
+Description : My Description
+Severity : Low
+Status : New
+Number : 779
+CreatedTimeUtc : 2/3/2022 7:47:03 PM
+Name : c831b5a7-5644-403f-9dc3-96d651e04c6d
+Url : https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/cyber-soc/providers/Microsoft.OperationalInsights/workspaces/myworkspace/providers/Microsoft.SecurityInsights/Incidents/c831b5a7-5644-403f-9dc3-96d651e04c6d
+```
+
+This command creates an Incident.
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..803053ddc0dd
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md
@@ -0,0 +1,7 @@
+### Example 1: Create an Incident Comment
+```powershell
+PS C:\> New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere"
+
+```
+
+This command creates an Incident Comment.
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..3dd2bd77ad4b
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md
@@ -0,0 +1,13 @@
+### Example 1: Create a Incident Relation
+```powershell
+PS C:\> $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId"
+PS C:\> New-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id)
+
+Name : 4b112bd9-a6b5-44f6-b89d-8bcbf021fbdf
+RelatedResourceName : a636a51c-471a-468d-89ed-d7f4b2a7a569
+RelatedResourceKind :
+RelatedResourceType : Microsoft.SecurityInsights/Bookmarks
+```
+
+This command creates a Incident Relation connecting the Bookmark to the Incident.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md
new file mode 100644
index 000000000000..2fdd6421636c
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md
@@ -0,0 +1,14 @@
+### Example 1: Create an Incident Teams Room
+```powershell
+PS C:\> $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId"
+PS C:\> New-AzSentinelIncidentTeam -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId ($incident.Name) -TeamName ("Incident "+$incident.incidentNumber+": "+$incident.title)
+
+Description :
+Name : Incident : NewIncident3
+PrimaryChannelUrl : https://teams.microsoft.com/l/team/19:vYoGjeGlZmTEDmu0gTbrk9T_eDS4pKIkEU7UuM1IyZk1%40thread.tacv2/conversations?groupId=3c637cc5-caf1-46c7-93ac-069c6
+ 4b05395&tenantId=8f21ced5-2eff-4f8d-aff1-4dbb4cee8e3d
+TeamCreationTimeUtc : 2/4/2022 3:02:03 PM
+TeamId : 3c637cc5-caf1-46c7-93ac-069c64b05395
+```
+
+This command creates a Teams group for the Incident.
diff --git a/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..4634dcacc9b2
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md
@@ -0,0 +1,7 @@
+### Example 1: Add Sentinel onboarding state
+```powershell
+PS C:\>AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+
+```
+
+This command configures the onboarding state of Sentinel
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..ce262ad533d7
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md
@@ -0,0 +1,7 @@
+### Example 1: Remove an alert rule
+```powershell
+PS C:\>Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 4a21e485-75ae-48b3-a7b9-e6a92bcfe434
+
+```
+
+The command removes a Sentinel alert rule
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..0afb701a5aec
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
@@ -0,0 +1,7 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86
+
+```
+
+This command removes an alert rule action.
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..86cd4f758be8
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md
@@ -0,0 +1,8 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>Remove-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+
+```
+
+This command removes a Sentinel automation rule
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md b/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md
new file mode 100644
index 000000000000..9c15cb2ea2e9
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md
@@ -0,0 +1,9 @@
+### Example 1: Remove a Sentinel Bookmark
+```powershell
+PS C:\>Remove-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id
+
+```
+
+This command removes a bookmark
+
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..946588eeb577
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md
@@ -0,0 +1,8 @@
+### Example 1: Remove a bookmark relation
+```powershell
+PS C:\> Remove-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 83846045-d8dc-4d6b-abbe-7588219c474e -RelationName 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+
+```
+
+This command removes a bookmarkrelation
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..998203816be3
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md
@@ -0,0 +1,8 @@
+### Example 1: Removes Sentinel Data Connector
+```powershell
+PS C:\>Remove-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 661b961f-53d8-4bd1-be97-24e808fd04f5
+
+```
+
+This command removes a data connector.
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..2afe5fed5954
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md
@@ -0,0 +1,17 @@
+### Example 1: Remove Entity Query
+```powershell
+PS C:\> Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
+
+```
+
+This command removes a specific entity query based on the entity query Id
+
+### Example 2: Remove an Entity Query based on the title
+```powershell
+PS C:\> $queryTemplateId = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Title -eq "The user has created an account"}
+Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id $queryTemplateId.Name
+
+```
+
+This command removes a specific entity query based on the title
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncident.md b/src/SecurityInsights/examples/Remove-AzSentinelIncident.md
new file mode 100644
index 000000000000..a02c78f2ae95
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncident.md
@@ -0,0 +1,16 @@
+### Example 1: Removes an incident based on the incident Id
+```powershell
+PS C:\>Remove-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id
+
+```
+
+This command removes an incident based on the incident id.
+
+### Example 2: Removes an incident based on the incident number
+```powershell
+PS C:\>$myIncident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id | Where-Object {$_.Number -eq "780"}
+
+```
+
+The command removes an incident based on an incident number.
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..64a4f9838c38
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md
@@ -0,0 +1,8 @@
+### Example 1: Remove an incident comment
+```powershell
+PS C:\>Remove-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 7a4c27ea-d61a-496b-b5c3-246770c857c1
+
+This command removes an incident comment
+```
+
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..f7728ec02720
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
@@ -0,0 +1,7 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelationName 7a4c27ea-d61a-496b-b5c3-246770c857c1
+
+```
+
+This command removes the incident relation
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..dc82cbddd71b
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md
@@ -0,0 +1,7 @@
+### Example 1: Remove the Sentinel onboarding state
+```powershell
+PS C:\>Remove-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+
+```
+
+This commands removes the Sentinel onboarding state
diff --git a/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md
new file mode 100644
index 000000000000..6ee1a83db970
--- /dev/null
+++ b/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md
@@ -0,0 +1,22 @@
+### Example 1: {{ Add title here }}
+```powershell
+{{ Add code here }}
+```
+
+```output
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+{{ Add code here }}
+```
+
+```output
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..972aee3839f4
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md
@@ -0,0 +1,8 @@
+### Example 1: Update an scheduled alert rule
+```powershell
+PS C:\>Update-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -ruleId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Query "SecurityAlert | take 2"
+
+```
+
+This command updates a scheduled alert rule
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..0ef3086e8636
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md
@@ -0,0 +1,9 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\>$LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName"
+PS C:\>$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+PS C:\>Update-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
+
+```
+
+This command updates an alert rule action
diff --git a/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..f13660ac64fd
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md
@@ -0,0 +1,14 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
+PS C:\> $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+PS C:\> $automationRuleAction.Order = 1
+PS C:\> $automationRuleAction.ActionType = "RunPlaybook"
+PS C:\> $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
+PS C:\> $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id
+PS C:\> Update-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled
+
+
+```
+This command updates an automation rule
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmark.md b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
new file mode 100644
index 000000000000..26c3a0be0f52
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
@@ -0,0 +1,10 @@
+### Example 1: Update Sentinel Bookmark
+```powershell
+PS C:\> $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+PS C:\> $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+PS C:\> Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
+
+This command updates a bookmark
+```
+
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..8ad138d78b23
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md
@@ -0,0 +1,8 @@
+### Example 1: Update a Bookmark relation
+```powershell
+PS C:\>Update-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 -RelationName f185b6f8-1a0d-43eb-97de-67720839ac67 -RelatedResourceId f185b6f8-1a0d-43eb-97de-67720839ac67
+
+```
+
+This command updates a bookmark relation
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..ff13e22d8fb5
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md
@@ -0,0 +1,8 @@
+### Example 1: Update a Sentinel data connector
+```powershell
+PS C:\>Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled"
+
+```
+
+This command updates a Sentinel data connector
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..093355d11d50
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md
@@ -0,0 +1,18 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncident.md b/src/SecurityInsights/examples/Update-AzSentinelIncident.md
new file mode 100644
index 000000000000..093355d11d50
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncident.md
@@ -0,0 +1,18 @@
+### Example 1: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+PS C:\> {{ Add code here }}
+
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..9828030b534d
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md
@@ -0,0 +1,8 @@
+### Example 1: Update incident comment
+```powershell
+PS C:\>Update-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 8bb5c1eb-a3a9-4575-9451-cd2834be0e0a -Message "my comment"
+
+```
+
+This command updates an incident comment
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..e2cd2acee361
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
@@ -0,0 +1,10 @@
+### Example 1: Update an incident relation
+```powershell
+PS C:\> $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId"
+PS C:\> Update-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id)
+
+```
+
+This command updates an incident relation
+
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelSetting.md b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
new file mode 100644
index 000000000000..04a56274792a
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
@@ -0,0 +1,9 @@
+### Example 1: Update the Anomalies setting
+```powershell
+PS C:\> Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled
+
+```
+
+This command updates the Anomalies setting, other settings are:
+EyesOn, EntityAnalytics and Ueba
+
diff --git a/src/SecurityInsights/how-to.md b/src/SecurityInsights/how-to.md
new file mode 100644
index 000000000000..8feee0fe3fad
--- /dev/null
+++ b/src/SecurityInsights/how-to.md
@@ -0,0 +1,58 @@
+# How-To
+This document describes how to develop for `Az.SecurityInsights`.
+
+## Building `Az.SecurityInsights`
+To build, run the `build-module.ps1` at the root of the module directory. This will generate the proxy script cmdlets that are the cmdlets being exported by this module. After the build completes, the proxy script cmdlets will be output to the `exports` folder. To read more about the proxy script cmdlets, look at the [README.md](exports/README.md) in the `exports` folder.
+
+## Creating custom cmdlets
+To add cmdlets that were not generated by the REST specification, use the `custom` folder. This folder allows you to add handwritten `.ps1` and `.cs` files. Currently, we support using `.ps1` scripts as new cmdlets or as additional low-level variants (via `ParameterSet`), and `.cs` files as low-level (variants) cmdlets that the exported script cmdlets call. We do not support exporting any `.cs` (dll) cmdlets directly. To read more about custom cmdlets, look at the [README.md](custom/README.md) in the `custom` folder.
+
+## Generating documentation
+To generate documentation, the process is now integrated into the `build-module.ps1` script. If you don't want to run this process as part of `build-module.ps1`, you can provide the `-NoDocs` switch. If you want to run documentation generation after the build process, you may still run the `generate-help.ps1` script. Overall, the process will look at the documentation comments in the generated and custom cmdlets and types, and create `.md` files into the `docs` folder. Additionally, this pulls in any examples from the `examples` folder and adds them to the generated help markdown documents. To read more about examples, look at the [README.md](examples/README.md) in the `examples` folder. To read more about documentation, look at the [README.md](docs/README.md) in the `docs` folder.
+
+## Testing `Az.SecurityInsights`
+To test the cmdlets, we use [Pester](https://github.com/pester/Pester). 
Tests scripts (`.ps1`) should be added to the `test` folder. To execute the Pester tests, run the `test-module.ps1` script. This will run all tests in `playback` mode within the `test` folder. To read more about testing cmdlets, look at the [README.md](examples/README.md) in the `examples` folder. + +## Packing `Az.SecurityInsights` +To pack `Az.SecurityInsights` for distribution, run the `pack-module.ps1` script. This will take the contents of multiple directories and certain root-folder files to create a `.nupkg`. The structure of the `.nupkg` is created so it can be loaded part of a [PSRepository](https://docs.microsoft.com/powershell/module/powershellget/register-psrepository). Additionally, this package is in a format for distribution to the [PSGallery](https://www.powershellgallery.com/). For signing an Azure module, please contact the [Azure PowerShell](https://github.com/Azure/azure-powershell) team. + +## Module Script Details +There are multiple scripts created for performing different actions for developing `Az.SecurityInsights`. +- `build-module.ps1` + - Builds the module DLL (`./bin/Az.SecurityInsights.private.dll`), creates the exported cmdlets and documentation, generates custom cmdlet test stubs and exported cmdlet example stubs, and updates `./Az.SecurityInsights.psd1` with Azure profile information. + - **Parameters**: [`Switch` parameters] + - `-Run`: After building, creates an isolated PowerShell session and loads `Az.SecurityInsights`. + - `-Test`: After building, runs the `Pester` tests defined in the `test` folder. + - `-Docs`: After building, generates the Markdown documents for the modules into the `docs` folder. + - `-Pack`: After building, packages the module into a `.nupkg`. + - `-Code`: After building, opens a VSCode window with the module's directory and runs (see `-Run`) the module. + - `-Release`: Builds the module in `Release` configuration (as opposed to `Debug` configuration). 
+ - `-NoDocs`: Supresses writing the documentation markdown files as part of the cmdlet exporting process. + - `-Debugger`: Used when attaching the debugger in Visual Studio to the PowerShell session, and running the build process without recompiling the DLL. This suppresses running the script as an isolated process. +- `run-module.ps1` + - Creates an isolated PowerShell session and loads `Az.SecurityInsights` into the session. + - Same as `-Run` in `build-module.ps1`. + - **Parameters**: [`Switch` parameters] + - `-Code`: Opens a VSCode window with the module's directory. + - Same as `-Code` in `build-module.ps1`. +- `generate-help.ps1` + - Generates the Markdown documents for the modules into the `docs` folder. + - Same as `-Docs` in `build-module.ps1`. +- `test-module.ps1` + - Runs the `Pester` tests defined in the `test` folder. + - Same as `-Test` in `build-module.ps1`. +- `pack-module.ps1` + - Packages the module into a `.nupkg` for distribution. + - Same as `-Pack` in `build-module.ps1`. +- `generate-help.ps1` + - Generates the Markdown documents for the modules into the `docs` folder. + - Same as `-Docs` in `build-module.ps1`. + - This process is now integrated into `build-module.ps1` automatically. To disable, use `-NoDocs` when running `build-module.ps1`. +- `export-surface.ps1` + - Generates Markdown documents for both the cmdlet surface and the model (class) surface of the module. + - These files are placed into the `resources` folder. + - Used for investigating the surface of your module. These are *not* documentation for distribution. +- `check-dependencies.ps1` + - Used in `run-module.ps1` and `test-module.ps1` to verify dependent modules are available to run those tasks. + - It will download local (within the module's directory structure) versions of those modules as needed. + - This script *does not* need to be ran by-hand. \ No newline at end of file 
diff --git a/src/SecurityInsights/license.txt b/src/SecurityInsights/license.txt new file mode 100644 index 000000000000..b9f3180fb9af --- /dev/null +++ b/src/SecurityInsights/license.txt 
@@ -0,0 +1,227 @@ +MICROSOFT SOFTWARE LICENSE TERMS + +MICROSOFT AZURE POWERSHELL + +These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. + +BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE. + + +-----------------START OF LICENSE-------------------------- + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +-------------------END OF LICENSE------------------------------------------ + + +----------------START OF THIRD PARTY NOTICE-------------------------------- + + +The software includes the AutoMapper library ("AutoMapper"). The MIT License set out below is provided for informational purposes only. It is not the license that governs any part of the software. 
+ +Provided for Informational Purposes Only + +AutoMapper + +The MIT License (MIT) +Copyright (c) 2010 Jimmy Bogard + + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + + + + + +*************** + +The software includes Newtonsoft.Json. The MIT License set out below is provided for informational purposes only. It is not the license that governs any part of the software. + +Newtonsoft.Json + +The MIT License (MIT) +Copyright (c) 2007 James Newton-King +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +-------------END OF THIRD PARTY NOTICE---------------------------------------- + diff --git a/src/SecurityInsights/readme.md b/src/SecurityInsights/readme.md new file mode 100644 index 000000000000..3a0f11ad2e5d --- /dev/null +++ b/src/SecurityInsights/readme.md 
@@ -0,0 +1,342 @@ + +# Az.SecurityInsights +This directory contains the PowerShell module for the SecurityInsights service. + +--- +## Status +[![Az.SecurityInsights](https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights "Az.SecurityInsights")](https://www.powershellgallery.com/packages/Az.SecurityInsights/) + +## Info +- Modifiable: yes +- Generated: all +- Committed: yes +- Packaged: yes + +--- +## Detail +This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension. + +## Module Requirements +- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.7.5 or greater + +## Authentication +AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent. + +## Development +For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md). + + +--- +## Generation Requirements +Use of the beta version of `autorest.powershell` generator requires the following: +- [NodeJS LTS](https://nodejs.org) (10.15.x LTS preferred) + - **Note**: It *will not work* with Node < 10.x. Using 11.x builds may cause issues as they may introduce instability or breaking changes. +> If you want an easy way to install and update Node, [NVS - Node Version Switcher](../nodejs/installing-via-nvs.md) or [NVM - Node Version Manager](../nodejs/installing-via-nvm.md) is recommended. +- [AutoRest](https://aka.ms/autorest) v3 beta
`npm install -g autorest@autorest`
  +- PowerShell 6.0 or greater + - If you don't have it installed, you can use the cross-platform npm package
`npm install -g pwsh`
  +- .NET Core SDK 2.0 or greater + - If you don't have it installed, you can use the cross-platform npm package
`npm install -g dotnet-sdk-2.2`
  + +## Run Generation +In this directory, run AutoRest: +> `autorest` + +--- +### AutoRest Configuration +> see https://aka.ms/autorest + +``` yaml +require: + - $(this-folder)/../readme.azure.noprofile.md +# lock the commit +branch: 59eb5a7f1d09d0be2b80b8497785ffa2d784b5b6 + +input-file: + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AutomationRules.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Bookmarks.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Enrichment.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Entities.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/EntityQueries.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/EntityQueryTemplates.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Incidents.json + - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Metadata.json + - 
https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/OfficeConsents.json
+ - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/OnboardingStates.json
+ - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Settings.json
+ - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/SourceControls.json
+ - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/ThreatIntelligence.json
+ #- https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Watchlists.json
+ - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json
+ - https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/operations.json
+
+module-version: 1.2.0
+title: SecurityInsights
+subject-prefix: Sentinel
+
+inlining-threshold: 50
+
+directive:
+ # Fixes/overrides to swaggers
+ # Fix to x-ms-enum when integer (https://github.com/Azure/autorest.powershell/issues/856)
+ - from: dataConnectors.json
+ where: $.definitions.Availability.properties.status
+ transform: >-
+ return {
+ "description": "The connector Availability Status",
+ "format": "int32",
+ "type": "integer",
+ "enum": [
+ 1
+ ]
+ }
+ # Customize
+ # Hide Operation API
+ - where:
+ subject: Operation
+ hide: true
+ # Hide OfficeConsent API
+ - where:
+ subject: OfficeConsent
+ hide: true
+ # Fix Action to be AlertRuleAction
+ - where:
+ subject: Action
+ set:
+ subject: AlertRuleAction
+ # Change Sets to Updates to match current module
+ - where:
+ verb: Set
+ set:
+ verb: Update
+ # fix subject name to encrichment
+ - where:
+ subject: DomainWhois
+ set:
+ subject: Enrichment
+ - where:
+ subject: IPGeodata
+ set:
+ subject: Enrichment
+ # Shorten to just Setting
+ - where:
+ subject: ProductSetting
+ set:
+ subject: Setting
+ # Fix subject Names
+ - where:
+ subject: EntitiesGetTimeline
+ set:
+ subject: EntityTimeline
+ - where:
+ subject: EntitiesRelation
+ set:
+ subject: EntityRelation
+ - where:
+ subject: QueryThreatIntelligenceIndicator
+ set:
+ subject: ThreatIntelligenceIndicatorQuery
+ # Change invoke as this is more a Get operation
+ - where:
+ verb: Invoke
+ subject: QueryEntity
+ set:
+ verb: Get
+ subject: EntityActivity
+ # Fix Update ThreatIntelligenceIndicator
+ - select: command
+ where:
+ verb: New
+ subject: ThreatIntelligenceIndicator
+ variant: CreateExpanded1
+ set:
+ verb: Update
+ variant: UpdateExpanded
+ - select: command
+ where:
+ verb: New
+ subject: ThreatIntelligenceIndicator
+ variant: CreateViaIdentity1
+ set:
+ verb: Update
+ variant: UpdateViaIdentity
+ - select: command
+ where:
+ verb: New
+ subject: ThreatIntelligenceIndicator
+ variant: CreateViaIdentityExpanded1
+ set:
+ verb: Update
+ variant: UpdateViaIdentityExpanded
+ - where:
+ subject: ThreatIntelligenceIndicatorQuery
+ variant: QueryViaIdentityExpanded
+ remove: true
+ # Fix Entity Insights
+ - where:
+ subject: EntityInsight
+ variant: ^Get$|^GetViaIdentity$
+ remove: true
+ # Fix Entity TimeLime
+ - where:
+ subject: EntityTimeline
+ variant: List
+ remove: true
+ # Rename Id for user expierence
+ - where:
+ subject: AlertRuleAction
+ parameter-name: Id
+ set:
+ alias: ActionId
+ - where:
+ subject: AlertRuleTemplate
+ parameter-name: Id
+ set:
+ alias: TemplateId
+ - where:
+ subject: AutomationRule
+ parameter-name: Id
+ set:
+ alias: AutomationRuleId
+ - where:
+ subject: Bookmark
+ parameter-name: Id
+ set:
+ alias: BookmarkId
+ - where:
+ subject: DataConnector
+ parameter-name: Id
+ set:
+ alias: DataConnectorId
+ - where:
+ subject: Entity
+ parameter-name: Id
+ set:
+ alias: EntityId
+ - where:
+ subject: Incident
+ parameter-name: Id
+ set:
+ alias: IncidentId
+ - where:
+ subject: IncidentComment
+ parameter-name: Id
+ set:
+ alias: IncidentCommentId
+ #Remove Enrichment
+ - where:
+ subject: ^Enrichment$
+ variant: ^GetViaIdenity$|^GetViaIdenity1$
+ remove: true
+ # Remove source control (requires OAUTH tokens)
+ - where:
+ subject: SourceControl
+ remove: true
+ #Custom Built Commands
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ hide: true
+ - where:
+ subject: ^AlertRule$|^DataConnector$|^EntityQuery$
+ variant: ^Create$|^CreateExpanded$|^Update$|^UpdateExpanded$|^UpdateViaIdentity$|^UpdateViaIdentityExpanded$
+ hide: true
+ - where:
+ verb: ^Update$|^Remove$
+ subject: Setting
+ hide: true
+ # Hide Etag as it isnt used
+ - where:
+ parameter-name: Etag
+ hide: true
+ # TI API not useful until API changes
+ - where:
+ verb: ^Add$|^New$|^Update$|^Remove$
+ subject: ThreatIntelligenceIndicator
+ hide: true
+ - where:
+ verb: ^Add$|^New$|^Update$|^Remove$
+ subject: ThreatIntelligenceIndicatorTag
+ hide: true
+ # CCP
+ - where:
+ verb: ^Connect$|^Disconnect$
+ subject: DataConnector
+ hide: true
+ # cmdlet review feedback
+ - where:
+ subject: Bookmark
+ parameter-name: Created|^CreatedByObjectId&|^Updated$|^UpdatedByObjectId$
+ hide: true
+ - where:
+ subject: DataConnector
+ parameter-name: SQSURLs
+ set:
+ parameter-name: SQSURL
+ - where:
+ subject: DataConnector
+ parameter-name: CommonDataServiceActivities
+ set:
+ parameter-name: CommonDataServiceActivity
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ set:
+ verb: Test
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ set:
+ subject: DataConnectorCheckRequirement
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ parameter-name: DataConnectorsCheckRequirement
+ set:
+ parameter-name: DataConnectorCheckRequirement
+ - where:
+ verb: New
+ subject: AlertRuleAction
+ variant: Create
+ hide: true
+ - where:
+ verb: New
+ subject: ^AlertRuleAction$|^AutomationRule$|^Bookmark$|^Incident$|^IncidentComment$|
+ parameter-name: Id
+ hide: true
+ set:
+ default:
+ script: '(New-Guid).Guid'
+ - where:
+ verb: New
+ subject: ^BookmarkRelation$|^IncidentRelation$
+ parameter-name: RelationName
+ hide: true
+ set:
+ default:
+ script: '(New-Guid).Guid'
+ # Hide Expand
+ - where:
+ verb: Expand
+ subject: ^Bookmark$|^Entity$
+ hide: true
+ - where:
+ verb: ^New$|^Update$|^Remove$
+ subject: Metadata
+ hide: true
+ # Hide UpdateViaId and Update
+ - where:
+ variant: ^Update$|^UpdateViaIdentity$
+ hide: true
+ # Remove the unexpanded parameter set
+ - where:
+ variant: ^Append$|^AppendViaIdentity$|^Connect$|^ConnectViaIdentity$|^CreateViaIdentity$|^CreateViaIdentityExpanded$|^Expand$|^ExpandViaIdentity$|^ExpandViaIdentityExpanded$|^GetViaIdentityExpanded$|^PostViaIdentity$|^Query$|^QueryViaIdentity$|^QueriesViaIdentity$|^Replace$|^ReplaceViaIdentity$
+ remove: true
+ # fix Equals that conflicts with inhertied property
+ - where:
+ enum-name: AutomationRulePropertyConditionSupportedOperator
+ enum-value-name: Equals
+ set:
+ enum-value-name: Equal
+```
diff --git a/src/SecurityInsights/resources/README.md b/src/SecurityInsights/resources/README.md
new file mode 100644
index 000000000000..736492341e3d
--- /dev/null
+++ b/src/SecurityInsights/resources/README.md
@@ -0,0 +1,11 @@
+# Resources
+This directory can contain any additional resources for module that are not required at runtime. This directory **does not** get packaged with the module. If you have assets for custom implementation, place them into the `../custom` folder.
+
+## Info
+- Modifiable: yes
+- Generated: no
+- Committed: yes
+- Packaged: no
+
+## Purpose
+Use this folder to put anything you want to keep around as part of the repository for the module, but is not something that is required for the module. For example, development files, packaged builds, or additional information. This is only intended to be used in repositories where the module's output directory is cleaned, but tangential resources for the module want to remain intact.
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..34f71061a2f9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "159" ], + "x-ms-client-request-id": [ "c050c818-9f97-4df8-bc11-94c349ef9d53" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11999" ], + "x-ms-request-id": [ "51617cd1-21bb-4178-81ff-968264f8fe83" ], + "x-ms-correlation-request-id": [ "51617cd1-21bb-4178-81ff-968264f8fe83" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015317Z:51617cd1-21bb-4178-81ff-968264f8fe83" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "131519" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"9100268d-0000-0100-0000-61b54cad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:17.5992035Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"etag\":\"\\\"9100888d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"anomalyVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.6683082Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"etag\":\"\\\"91008e8d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. 
\\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less than the chosen 
value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7261046Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"etag\":\"\\\"9100908d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7217187Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"etag\":\"\\\"9100938d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7605576Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"etag\":\"\\\"9100958d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. 
Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9281318Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"etag\":\"\\\"9100968d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"displayName\":\"(Preview) 
Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. It indicates anomalous high volume of successful logins in the last day.\",\"anomalyVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9489601Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"etag\":\"\\\"9100978d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9145159Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"etag\":\"\\\"9100a08d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly will be generated.\",\"anomalyVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent 
regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0864049Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"etag\":\"\\\"9100a18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0949212Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"etag\":\"\\\"9100a28d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0380076Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"etag\":\"\\\"9100a48d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.1472644Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"etag\":\"\\\"9100a68d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto VPN.\",\"anomalyVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent 
regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.2701652Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"etag\":\"\\\"9100af8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of downgrade activity.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data 
within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3780064Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"etag\":\"\\\"9100b18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude 
field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3413051Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"etag\":\"\\\"9100b78d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. 
After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3502544Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"etag\":\"\\\"9100b88d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"displayName\":\"(Preview) Attempted user account bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. 
It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.4401824Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"etag\":\"\\\"9100c28d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to 
execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different platforms.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1059\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Execution\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.5726126Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"etag\":\"\\\"9100c38d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck 
encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.5819245Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"etag\":\"\\\"9100c78d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"edc946ae-cba8-419f-8e90-309966895956\",\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last day.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for 
URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.6281053Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"etag\":\"\\\"9100ca8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.6801578Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"etag\":\"\\\"9100cf8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. 
Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.7739836Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"etag\":\"\\\"9100d18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the IP address is compromised.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.7773051Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"etag\":\"\\\"9100d38d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"anomalyVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.8501491Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"etag\":\"\\\"9100d58d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"anomalyVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.8726705Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"etag\":\"\\\"9100d88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen 
value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.9421482Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"etag\":\"\\\"9100d98d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. \\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.9788898Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"etag\":\"\\\"9100e38d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"anomalyVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.0605927Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"etag\":\"\\\"9100e48d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"anomalyVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.0796649Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"etag\":\"\\\"9100e68d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. 
The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.1203371Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"etag\":\"\\\"9100e88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.1708984Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"etag\":\"\\\"9100ef8d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account 
logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1133\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.2702628Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"etag\":\"\\\"9100f18d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe 
algorithm applies to the DNS records that resolve to IPv4 and IPv6 addresses.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.3165847Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"etag\":\"\\\"9100f28d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by 
the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.2947893Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"etag\":\"\\\"9100f88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.4044454Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"etag\":\"\\\"9100fa8d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.4553897Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"etag\":\"\\\"9100018e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"displayName\":\"(Preview) 
Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. \\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.549869Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"etag\":\"\\\"91000a8e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the 
reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.6349232Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"etag\":\"\\\"91000f8e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. 
Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. 
This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Discovery\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.6459974Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"etag\":\"\\\"9100158e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"anomalyVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.7701239Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"etag\":\"\\\"91001c8e-0000-0100-0000-61b54cb30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.9059365Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/02874339-f9a1-4ced-bdaf-44b3d8eb57a6\",\"name\":\"02874339-f9a1-4ced-bdaf-44b3d8eb57a6\",\"etag\":\"\\\"910061fe-0000-0100-0000-61b54f190000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user 
{{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, 
RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:23:36.39834Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\",\"name\":\"10a698ca-8310-4b90-a86e-2f43fe285e56\",\"etag\":\"\\\"91006cfe-0000-0100-0000-61b54f190000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2021-12-12T01:23:36.1386167Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/af03fc0e-d33f-447a-8397-d60726aa92c5\",\"name\":\"af03fc0e-d33f-447a-8397-d60726aa92c5\",\"etag\":\"\\\"9100d4fe-0000-0100-0000-61b54f1b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2021-12-12T01:23:36.2680673Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 
aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"name\":\"fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"etag\":\"\\\"92006710-0000-0100-0000-61b54f790000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRulesuagz6\",\"enabled\":true,\"description\":\"RemoveAlertRulesuagz6 
fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:11.212957Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"name\":\"952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"etag\":\"\\\"9200b415-0000-0100-0000-61b54f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule62imtb\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule62imtb 
952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:42.5246541Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf\",\"name\":\"98981b11-0c0a-40bb-adc9-63f3693592bf\",\"etag\":\"\\\"9200241b-0000-0100-0000-61b54fb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulevi15sc\",\"enabled\":true,\"description\":\"UpdateAlertRulevi15sc 
98981b11-0c0a-40bb-adc9-63f3693592bf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:26:13.0837645Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"name\":\"6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"etag\":\"\\\"9200dd20-0000-0100-0000-61b54fd40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRuledgk4wi\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRuledgk4wi 
6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:26:44.114196Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"name\":\"453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"etag\":\"\\\"9200a026-0000-0100-0000-61b54ff30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleName1539nb\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleName1539nb 
453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:27:15.28338Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6\",\"name\":\"3e459759-acb2-48cd-b091-f325a2618fb6\",\"etag\":\"\\\"9200562c-0000-0100-0000-61b550120000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamerey7av\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamerey7av 
3e459759-acb2-48cd-b091-f325a2618fb6\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:27:46.3915852Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"name\":\"a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"etag\":\"\\\"9200fc31-0000-0100-0000-61b550320000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNamea13fz8\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNamea13fz8 
a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:28:18.3040106Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead\",\"name\":\"09b5716f-9b0b-4663-8302-e17b94a12ead\",\"etag\":\"\\\"9200e237-0000-0100-0000-61b550520000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleName1lirvu\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleName1lirvu 
09b5716f-9b0b-4663-8302-e17b94a12ead\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:28:49.5419602Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7\",\"name\":\"a555c523-e318-4501-bfe8-b9c6da354af7\",\"etag\":\"\\\"92008e3d-0000-0100-0000-61b550710000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameymswnj\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameymswnj 
a555c523-e318-4501-bfe8-b9c6da354af7\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:29:20.6202232Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/34c477db-1e8e-4b5e-9fc7-ef127fbfa354\",\"name\":\"34c477db-1e8e-4b5e-9fc7-ef127fbfa354\",\"etag\":\"\\\"93003d2e-0000-0100-0000-61b555900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:12.8940733Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/dd7306f3-4a9a-4270-a174-816dd3747be0\",\"name\":\"dd7306f3-4a9a-4270-a174-816dd3747be0\",\"etag\":\"\\\"9300442e-0000-0100-0000-61b555900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = 
externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:12.9239147Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/dfe9fbbf-c55e-4637-9ab6-9f9905d305ff\",\"name\":\"dfe9fbbf-c55e-4637-9ab6-9f9905d305ff\",\"etag\":\"\\\"9300492e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0054042Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b888a369-216c-4de2-a4c8-972018977325\",\"name\":\"b888a369-216c-4de2-a4c8-972018977325\",\"etag\":\"\\\"93004a2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0215473Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/17bb920a-238b-4d2c-b208-83addc14efbe\",\"name\":\"17bb920a-238b-4d2c-b208-83addc14efbe\",\"etag\":\"\\\"93004b2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n 
Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.021751Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3074775a-74e8-43cd-a60a-28ff236f1e2e\",\"name\":\"3074775a-74e8-43cd-a60a-28ff236f1e2e\",\"etag\":\"\\\"93004c2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0175408Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a074a675-209d-48d5-bae8-b6c958152873\",\"name\":\"a074a675-209d-48d5-bae8-b6c958152873\",\"etag\":\"\\\"93004d2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0388622Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c3aa2c95-89ae-4417-b50f-e926a02a58a8\",\"name\":\"c3aa2c95-89ae-4417-b50f-e926a02a58a8\",\"etag\":\"\\\"93004e2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0351918Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/946778f9-52a0-414d-9453-fc3645ceca6f\",\"name\":\"946778f9-52a0-414d-9453-fc3645ceca6f\",\"etag\":\"\\\"9300502e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0496088Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/07c2c80e-4c67-43fc-bce5-c8a34057f8a2\",\"name\":\"07c2c80e-4c67-43fc-bce5-c8a34057f8a2\",\"etag\":\"\\\"9300512e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0345167Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a8219a17-8d55-42af-b4de-f9f06ddb6b66\",\"name\":\"a8219a17-8d55-42af-b4de-f9f06ddb6b66\",\"etag\":\"\\\"9300522e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| 
project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.017663Z\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "160" ], + "x-ms-client-request-id": [ "ad064d7e-64b9-48c0-825d-cf1d4327108a" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ 
"AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11998" ], + "x-ms-request-id": [ "54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "x-ms-correlation-request-id": [ "54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015317Z:54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1164" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "161" ], + "x-ms-client-request-id": [ "81026a09-75bd-4bfa-a6a8-6df0d416ebee" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11997" ], + "x-ms-request-id": [ "2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "x-ms-correlation-request-id": [ "2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015318Z:2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "Strict-Transport-Security": [ "max-age=31536000; 
includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1164" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "162" ], + "x-ms-client-request-id": [ "d982dd2f-d791-462c-adb1-8d0efc44d1c0" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11996" ], + "x-ms-request-id": [ "7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "x-ms-correlation-request-id": [ "7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015318Z:7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1164" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 new file mode 100644 index 000000000000..3831550ce167 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAlertRule' {
+ It 'List' {
+ $alertRules = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $alertRules.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleId
+ $alertRule.Name | Should -Be $env.GetAlertRuleId
+ }
+
+ It 'GetViaIdentity' {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleId
+ $alertRuleViaId = Get-AzSentinelAlertRule -InputObject $alertRule
+ $alertRuleViaId.Name | Should -Be $env.GetAlertRuleId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..92fe31f567cf
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json
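Review bot: The `while(-not $mockingPath)` loop that locates HttpPipelineMocking.ps1 has no explicit stop condition: once `Split-Path -Parent` reaches the filesystem root `$currentPath` appears to become an empty string, so a missing mocking script surfaces as a parameter-binding error on `Get-ChildItem` rather than a clear failure, and the loop dot-sources whichever matching file the recursive search returns first. Adding a guard at the top of the loop body, `if ([string]::IsNullOrEmpty($currentPath)) { throw 'HttpPipelineMocking.ps1 not found above the test directory' }`, makes the failure mode explicit; this block looks like the shared Az test scaffold, so if it is generated the guard belongs in the template rather than in this file. On style, `Should -BeGreaterorEqual` in the 'List' test is accepted because Pester matches parameter names case-insensitively, but `Should -BeGreaterOrEqual` is the documented casing and reads consistently with `-Be` elsewhere in the file.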
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "163" ], + "x-ms-client-request-id": [ "f916e3cf-4111-4055-a8e2-bdad5cc49a84" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11995" ], + "x-ms-request-id": [ "95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "x-ms-correlation-request-id": [ "95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015339Z:95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "727" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_453b8e9c-424a-4b50-8c6d-58de856d5abf_1ce91c05-b6a4-4476-9e83-4df36d224e97/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "164" ], + "x-ms-client-request-id": [ "8e4fe198-4eff-4579-af07-a882932d6da7" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ 
"[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11994" ], + "x-ms-request-id": [ "a9da4e26-15f4-4849-ad47-901cc441d680" ], + "x-ms-correlation-request-id": [ "a9da4e26-15f4-4849-ad47-901cc441d680" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015339Z:a9da4e26-15f4-4849-ad47-901cc441d680" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "165" ], + "x-ms-client-request-id": [ "601a3c6b-e4b8-4b3b-861d-46725b40243f" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11993" ], + "x-ms-request-id": [ "3cef07d3-4665-4f94-82aa-102d543b3681" ], + "x-ms-correlation-request-id": [ "3cef07d3-4665-4f94-82aa-102d543b3681" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015340Z:3cef07d3-4665-4f94-82aa-102d543b3681" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:40 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "166" ], + "x-ms-client-request-id": [ "781a0ed8-5f29-4a45-a193-08596b71230a" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + 
"Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11992" ], + "x-ms-request-id": [ "b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "x-ms-correlation-request-id": [ "b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015340Z:b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:40 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..b10d5ae00306 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAlertRuleAction' {
+ It 'List' {
+ $alertRuleActions = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleActionRuleId
+ $alertRuleActions.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleActionRuleId -Id $env.GetAlertRuleActionId
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
+ }
+
+ It 'GetViaIdentity' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleActionRuleId -Id $env.GetAlertRuleActionId
+ $alertRuleActionviaId = Get-AzSentinelAlertRuleAction -InputObject $alertRuleAction
+ $alertRuleActionviaId.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json
new file mode 100644
index 000000000000..104f76ac1356
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json
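Review bot: The 'Get' and 'GetViaIdentity' cases assert only `LogicAppResourceId`, which identifies the playbook rather than the action, so they would still pass if `-Id $env.GetAlertRuleActionId` resolved to a different action bound to the same playbook. The recorded response in the accompanying Recording.json carries the action id in `name`, so the discriminating check is presumably `$alertRuleAction.Name | Should -Be $env.GetAlertRuleActionId`, with the same assertion on `$alertRuleActionviaId` in the identity case. Keeping the `LogicAppResourceId` assertion alongside it is fine; the point is that the identity being requested is currently never verified.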
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "167" ], + "x-ms-client-request-id": [ "57316fa6-441c-4908-9e85-2ec6a3a32d84" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11991" ], + "x-ms-request-id": [ "f493e6a5-6947-4531-9414-66f7ea1c7408" ], + "x-ms-correlation-request-id": [ "f493e6a5-6947-4531-9414-66f7ea1c7408" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015403Z:f493e6a5-6947-4531-9414-66f7ea1c7408" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1139662" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = 
FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, 
SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 
50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = 
actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures 
released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced 
Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "168" ], + "x-ms-client-request-id": [ "24437480-02f4-48bb-8768-777fee15218a" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11990" ], + "x-ms-request-id": [ "29320738-9dd0-4d68-9991-91f8e8512634" ], + "x-ms-correlation-request-id": [ "29320738-9dd0-4d68-9991-91f8e8512634" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015408Z:29320738-9dd0-4d68-9991-91f8e8512634" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:07 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1139662" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = 
FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, 
SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 
50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = 
actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures 
released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced 
Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + 
"RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "169" ], + "x-ms-client-request-id": [ "3915ef58-6993-40fa-8056-4fe7e285a636" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11989" ], + "x-ms-request-id": [ "5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "x-ms-correlation-request-id": [ "5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015413Z:5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1139662" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = 
FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, 
SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 
50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = 
actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures 
released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced 
Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { + 
"Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "170" ], + "x-ms-client-request-id": [ "b8c53d8e-cc22-4686-86be-c4722bd12ca0" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11988" ], + "x-ms-request-id": [ "a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "x-ms-correlation-request-id": [ "a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015418Z:a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2430" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 new file mode 100644 index 000000000000..d32bae512cd4 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAlertRuleTemplate'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAlertRuleTemplate.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAlertRuleTemplate' {
+ It 'List' {
+ $alertRuleTemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $alertRuleTemplates.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $alertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where {$_.Kind -eq "Fusion"}
+ $alertRuleTemplate.Kind | Should -Be "Fusion"
+ }
+
+ It 'GetViaIdentity' {
+ $alertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | where {$_.Kind -eq "Fusion"}
+ $alertRuleTemplateViaIdentity = Get-AzSentinelAlertRuleTemplate -InputObject $alertRuleTemplate
+ $alertRuleTemplateViaIdentity.Kind | Should -Be "Fusion"
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..30cbc5d44324
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json
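Review bot: The 'Get' test in this hunk does not exercise a single-resource GET — it calls the List path and filters client-side with `Where {$_.Kind -eq "Fusion"}`, then asserts the same property it filtered on, so `$alertRuleTemplate.Kind | Should -Be "Fusion"` can only fail when no Fusion template is returned at all. The sibling Get-AzSentinelAutomationRule test fetches one resource by `-Id $env.GetAutomationRuleId`; if this cmdlet exposes an equivalent identifier parameter, fetch the listed template by its `Name` and assert on `Name`, so the Get parameter set is covered rather than duplicating 'List'. The same client-side filter feeds `-InputObject` in 'GetViaIdentity', which presumably breaks if more than one Fusion template is ever returned; `Select-Object -First 1` after the filter would make that test deterministic. Minor style: `Where` and `where` are used for the same alias two tests apart, and `-BeGreaterorEqual` is conventionally written `-BeGreaterOrEqual`.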
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "171" ], + "x-ms-client-request-id": [ "89eee22f-9145-4286-b477-5e07ac0c3d51" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "x-ms-correlation-request-id": [ "d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015439Z:d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "6768" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102\",\"name\":\"a3adc54b-e32d-4c80-8af2-988f5d59f102\",\"etag\":\"\\\"79001a91-0000-0100-0000-61b5512a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRule0cjsva\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:26Z\",\"createdTimeUtc\":\"2021-12-12T01:32:26Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"name\":\"37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"etag\":\"\\\"79000c93-0000-0100-0000-61b5514a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule1whyd4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:58Z\",\"createdTimeUtc\":\"2021-12-12T01:32:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"79008294-0000-0100-0000-61b551690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:33:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/61701d90-8353-4d61-b435-f9905a31142d\",\"name\":\"61701d90-8353-4d61-b435-f9905a31142d\",\"etag\":\"\\\"79002696-0000-0100-0000-61b551880000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRulezi05h4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:34:00Z\",\"createdTimeUtc\":\"2021-12-12T01:34:00Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "172" ], + "x-ms-client-request-id": [ "0e920e48-4286-4f8b-8c5b-6fce44d2b068" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "x-ms-correlation-request-id": [ "e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "173" ], + "x-ms-client-request-id": [ "2ffef0f0-16f6-4651-b9fb-dab342d27d78" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "x-ms-correlation-request-id": [ "afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "174" ], + "x-ms-client-request-id": [ "83ac92cd-0958-49e1-8e9f-389a5e155aab" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "x-ms-correlation-request-id": [ "4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..f196a48520c3 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 
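Review bot: The recorded responses in this hunk carry identity data unredacted while `Authorization` is `[Filtered]`: every `lastModifiedBy`/`createdBy` object includes `objectId`, `email`, `name` and `userPrincipalName` of the user who ran the recording, and each `actionConfiguration` carries the playbook's `tenantId`. Judging by the entry keys (command, method, URI), replay does not depend on these values, so they should be scrubbed or replaced with placeholders (e.g. a constructed `user@example.com`-style UPN) before the fixture is committed. The Get-AzSentinelBookmark recording that begins below has the same `createdBy`/`updatedBy` fields in its first entry; a scrub step applied to all Recording.json files in this change would be preferable to hand-editing each one.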
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAutomationRule' {
+ It 'List' {
+ $automationRules = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $automationRules.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $automationRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetAutomationRuleId
+ $automationRule.Name | Should -Be $env.GetAutomationRuleId
+ }
+
+ It 'GetViaIdentity' {
+ $automationRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetAutomationRuleId
+ $automationRuleViaIdentity = Get-AzSentinelAutomationRule -InputObject $automationRule
+ $automationRuleViaIdentity.Name | Should -Be $env.GetAutomationRuleId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..f7ed885ded11
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "175" ], + "x-ms-client-request-id": [ "913eb8f4-b416-43b1-b3fc-75e5faabe775" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11987" ], + "x-ms-request-id": [ "435df7cf-2c49-4ca6-826f-3431e381252f" ], + "x-ms-correlation-request-id": [ "435df7cf-2c49-4ca6-826f-3431e381252f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:435df7cf-2c49-4ca6-826f-3431e381252f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "44318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/9ff7b322-3212-4574-bfad-4408206875f8\",\"name\":\"9ff7b322-3212-4574-bfad-4408206875f8\",\"etag\":\"\\\"6b02bf99-0000-0100-0000-61b551c50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmarkorux9k\",\"created\":\"2021-12-12T01:35:01.4256876+00:00\",\"updated\":\"2021-12-12T01:35:01.4256876+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/4327ac2f-6115-4602-9616-83cf991298a5\",\"name\":\"4327ac2f-6115-4602-9616-83cf991298a5\",\"etag\":\"\\\"6b02319c-0000-0100-0000-61b551e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark061i4x\",\"created\":\"2021-12-12T01:35:34.2696125+00:00\",\"updated\":\"2021-12-12T01:35:34.2696125+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b02ce9f-0000-0100-0000-61b552060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarktfriza\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T01:36:06.6776344+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e19c0b42-e8cf-4fae-8690-7d632b11beaf\",\"name\":\"e19c0b42-e8cf-4fae-8690-7d632b11beaf\",\"etag\":\"\\\"6b02e6a2-0000-0100-0000-61b552250000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmark63g7uz\",\"created\":\"2021-12-12T01:36:37.0345164+00:00\",\"updated\":\"2021-12-12T01:36:37.0345164+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/b35d430d-02ac-4025-a10e-32cd2ffbe46b\",\"name\":\"b35d430d-02ac-4025-a10e-32cd2ffbe46b\",\"etag\":\"\\\"6b02e1a5-0000-0100-0000-61b552440000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarkq42uhy\",\"created\":\"2021-12-12T01:37:08.7269486+00:00\",\"updated\":\"2021-12-12T01:37:08.7269486+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b\",\"name\":\"5df694bf-7774-49cf-a84b-282fd43a926b\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNamezks1qr\",\"created\":\"2021-12-12T01:37:40.5117261+00:00\",\"updated\":\"2021-12-12T01:37:40.5117261+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"relationName\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888\",\"name\":\"20d8a730-18a5-4a76-9420-a32e46ce5888\",\"etag\":\"\\\"6b020aad-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamepvhuk4\",\"created\":\"2021-12-12T01:38:11.2924904+00:00\",\"updated\":\"2021-12-12T01:38:11.2924904+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"relationName\":\"adad6e56-9f94-4fba-ba3b-96f4616cdf68\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4\",\"name\":\"675541b3-2ae4-4199-b3b3-59f4b6c1f5b4\",\"etag\":\"\\\"6b0254b0-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNamexlrb8u\",\"created\":\"2021-12-12T01:38:41.8962323+00:00\",\"updated\":\"2021-12-12T01:38:41.8962323+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"relationName\":\"e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27\",\"name\":\"6548e330-d18d-4690-b6fa-b5ba7f5eac27\",\"etag\":\"\\\"6b0226b3-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNamecawzes\",\"created\":\"2021-12-12T01:39:13.5533963+00:00\",\"updated\":\"2021-12-12T01:39:13.5533963+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"relationName\":\"3106728c-12de-4dad-b0c6-603a9285765e\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf\",\"name\":\"463b2e8b-17c1-48d6-94a3-7443b0ba2cbf\",\"etag\":\"\\\"6b026ab6-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkName5modef\",\"created\":\"2021-12-12T01:39:43.9875375+00:00\",\"updated\":\"2021-12-12T01:39:43.9875375+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"relationName\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"name\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"etag\":\"\\\"6b0223c7-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameib8ohc\",\"created\":\"2021-12-12T01:48:35.4604989+00:00\",\"updated\":\"2021-12-12T01:48:35.4604989+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"title\":\"GetincidentRelationIncidentNamerea364\",\"relationName\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/ee0bcd82-8a83-41c3-8f97-9502c91951ec\",\"name\":\"ee0bcd82-8a83-41c3-8f97-9502c91951ec\",\"etag\":\"\\\"6b02abc7-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkName72z1my\",\"created\":\"2021-12-12T01:49:07.7080162+00:00\",\"updated\":\"2021-12-12T01:49:07.7080162+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"relationName\":\"969e8896-2438-40e6-9455-f5fd9b30d396\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"name\":\"3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"etag\":\"\\\"6b025fc8-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkNamebtlx8k\",\"created\":\"2021-12-12T01:49:38.6183798+00:00\",\"updated\":\"2021-12-12T01:49:38.6183798+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"relationName\":\"827874ba-8b75-40d5-ad61-57fbb9594309\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/201247f4-bb20-4a3b-8e89-3609968c888f\",\"name\":\"201247f4-bb20-4a3b-8e89-3609968c888f\",\"etag\":\"\\\"6b02fac8-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkNamewqmnkf\",\"created\":\"2021-12-12T01:50:09.9581751+00:00\",\"updated\":\"2021-12-12T01:50:09.9581751+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"relationName\":\"defc1116-f142-4647-a377-6869110f6e77\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"name\":\"f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"etag\":\"\\\"6b028ec9-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkNamehd50fa\",\"created\":\"2021-12-12T01:50:40.6751074+00:00\",\"updated\":\"2021-12-12T01:50:40.6751074+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"relationName\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"severity\":\"Informational\"}}}]}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "176" ], + "x-ms-client-request-id": [ "1573c77a-d964-4b7c-87fb-64bbad1506b7" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11986" ], + "x-ms-request-id": [ "a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "x-ms-correlation-request-id": [ "a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "177" ], + "x-ms-client-request-id": [ "47087007-a3e4-469e-bb34-f20498017770" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ 
"AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11985" ], + "x-ms-request-id": [ "2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "x-ms-correlation-request-id": [ "2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "178" ], + "x-ms-client-request-id": [ "f3557608-69db-46dc-8c5b-6943a35806c3" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + 
"User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11984" ], + "x-ms-request-id": [ "6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "x-ms-correlation-request-id": [ "6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 new file mode 100644 index 000000000000..9868eddb659f --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelBookmark' {
+ It 'List' {
+ $bookmarks = Get-AzSentinelbookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $bookmarks.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $bookmark = Get-AzSentinelbookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetbookmarkId
+ $bookmark.Name | Should -Be $env.GetbookmarkId
+ }
+
+ It 'GetViaIdentity' {
+ $bookmark = Get-AzSentinelbookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetbookmarkId
+ $bookmarkViaIdentity = Get-AzSentinelbookmark -InputObject $bookmark
+ $bookmarkViaIdentity.Name | Should -Be $env.GetbookmarkId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..a12690eee6e3
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json
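Review bot: The fixture this file wires in at `$TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelBookmark.Recording.json'` filters the `Authorization` header but not the response body: the recorded bookmark's `queryResult` is a complete SigninLogs row carrying a user principal name, display name, client IP address and tenant ids, and `createdBy`/`updatedBy` name a real account. Playback only needs the `name` field these assertions compare, so the bookmark used when recording should be created with a placeholder `queryResult`, or the recording scrubbed of those fields before it is committed. Separately, `while(-not $mockingPath) {` has no stop condition once `Split-Path` reaches the drive root, so a missing `HttpPipelineMocking.ps1` loops forever instead of failing; `while ((-not $mockingPath) -and $currentPath) {` followed by `if (-not $mockingPath) { throw "HttpPipelineMocking.ps1 not found above $PSScriptRoot" }` after the loop would fail fast. The same loop appears in Get-AzSentinelBookmarkRelation.Tests.ps1 below and presumably in the other generated test files in this commit.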
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "179" ], + "x-ms-client-request-id": [ "ec3b8cab-30fa-4cc8-ab80-a8e87156cf78" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11983" ], + "x-ms-request-id": [ "94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "x-ms-correlation-request-id": [ "94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "840" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "180" ], + "x-ms-client-request-id": [ "797ffe9f-42a7-4f8e-85b6-b6139680dbc7" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + 
"ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11982" ], + "x-ms-request-id": [ "1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "x-ms-correlation-request-id": [ "1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "181" ], + "x-ms-client-request-id": [ "44689ac9-3345-4e7e-afda-2ffe63d7fb90" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11981" ], + "x-ms-request-id": [ "bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "x-ms-correlation-request-id": [ "bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] 
+ }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "182" ], + "x-ms-client-request-id": [ "578d2294-6c45-4278-b066-4cc314dc7c98" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ 
"Get-AzSentinelBookmarkRelation_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11980" ], + "x-ms-request-id": [ "557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "x-ms-correlation-request-id": [ "557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1
new file mode 100644
index 000000000000..617296650474
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelBookmarkRelation' {
+ It 'List' {
+ $bookmarkRelations = Get-AzSentinelbookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.GetbookmarkRelationBookmarkId
+ $bookmarkRelations.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $bookmarkRelation = Get-AzSentinelbookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.GetbookmarkRelationBookmarkId -RelationName $env.GetbookmarkRelationId
+ $bookmarkRelation.Name | Should -Be $env.GetbookmarkRelationId
+ }
+
+ It 'GetViaIdentity' {
+ $bookmarkRelation = Get-AzSentinelbookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.GetbookmarkRelationBookmarkId -RelationName $env.GetbookmarkRelationId
+ $bookmarkRelationViaIdentity = Get-AzSentinelbookmarkRelation -InputObject $bookmarkRelation
+ $bookmarkRelationViaIdentity.Name | Should -Be $env.GetbookmarkRelationId
+ }
+}
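Review bot: The three `It` blocks invoke the cmdlet as `Get-AzSentinelbookmarkRelation` while the module exports `Get-AzSentinelBookmarkRelation`; PowerShell resolves it case-insensitively, but the misspelling is captured verbatim into the fixture (the recording's `CommandName` header reads `Get-AzSentinelbookmarkRelation`), so every regenerated recording inherits it and greps for the exported name miss these tests. Use the exported casing, `Get-AzSentinelBookmarkRelation`, in all three tests and re-record. The `Get` and `GetViaIdentity` cases also assert only `.Name`; since the recorded response carries `relatedResourceId`/`relatedResourceType`, asserting at least one of them would catch a mapping regression that a name-only check cannot.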
diff --git a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..595c82678ef5
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "183" ], + "x-ms-client-request-id": [ "9ca37a10-31ec-41f6-adf8-4f12db2f49a6" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11979" ], + "x-ms-request-id": [ "a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "x-ms-correlation-request-id": [ "a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015546Z:a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1122" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"b233bb7e-98ea-415f-895d-e389655250ac\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + 
"Headers": { + "x-ms-unique-id": [ "184" ], + "x-ms-client-request-id": [ "3f28bef1-d283-4989-83dc-560e93ad206f" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11978" ], + "x-ms-request-id": [ "45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "x-ms-correlation-request-id": [ "45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015546Z:45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "530" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "185" ], + "x-ms-client-request-id": [ "f0b9c309-c273-44b3-81df-88c1e8add32c" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11977" ], + "x-ms-request-id": [ "d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "x-ms-correlation-request-id": [ "d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015547Z:d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "530" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "186" ], + "x-ms-client-request-id": [ "9cf28c4c-0667-4cd3-92b8-1a38a856b836" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11976" ], + 
"x-ms-request-id": [ "22ba730e-db64-430e-bf46-e675d9070622" ], + "x-ms-correlation-request-id": [ "22ba730e-db64-430e-bf46-e675d9070622" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015547Z:22ba730e-db64-430e-bf46-e675d9070622" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "530" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..5d623a9bf492 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelDataConnector' {
+ It 'List' {
+ $dataConnectors = Get-AzSentineldataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $dataConnectors.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $dataConnector = Get-AzSentineldataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.dataConnectorId
+ $dataConnector.Name | Should -Be $env.dataConnectorId
+ }
+
+ It 'GetViaIdentity' {
+ $dataConnector = Get-AzSentineldataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.dataConnectorId
+ $dataConnectorViaIdentity = Get-AzSentineldataConnector -InputObject $dataConnector
+ $dataConnectorViaIdentity.Name | Should -Be $env.dataConnectorId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json
new file mode 100644
index 000000000000..d8b483fa1586
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json
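Review bot: Both 'Get' and 'GetViaIdentity' assert only that `.Name` echoes back `$env.dataConnectorId`, which can only fail if the call itself errors; the recorded List response on this page carries two connectors of different kinds, so pinning the kind as well, e.g. `$dataConnector.Kind | Should -Be 'AzureSecurityCenter'` (assuming the output object surfaces the recorded `kind` field under that property name — confirm against the cmdlet's output type), would let the Get cases catch a wrong-resource regression. `$env.dataConnectorId` is populated by loadEnv.ps1 outside this hunk.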
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "187" ], + "x-ms-client-request-id": [ "12efe3e7-d714-40b6-84d0-5750915d645f" ], + "CommandName": [ "Get-AzSentinelEnrichment" ], + "FullCommandName": [ "Get-AzSentinelEnrichment_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11975" ], + "x-ms-request-id": [ "4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "x-ms-correlation-request-id": [ "4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015608Z:4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "375" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"asn\":\"15169\",\"carrier\":\"google llc\",\"city\":\"mountain view\",\"cityCf\":80,\"continent\":\"north america\",\"country\":\"united 
states\",\"countryCf\":99,\"ipAddr\":\"8.8.8.8\",\"ipRoutingType\":\"fixed\",\"latitude\":\"37.38802\",\"longitude\":\"-122.07431\",\"organization\":\"google\",\"organizationType\":\"Internet Service Provider\",\"region\":\"southwest\",\"state\":\"california\",\"stateCf\":95,\"stateCode\":\"ca\"}", + "isContentBase64": false + } + }, + "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "188" ], + "x-ms-client-request-id": [ "faec6059-9760-4bf5-b8f8-830c947b9b44" ], + "CommandName": [ "Get-AzSentinelEnrichment" ], + "FullCommandName": [ "Get-AzSentinelEnrichment_Get1" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11974" ], + "x-ms-request-id": [ "8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "x-ms-correlation-request-id": [ "8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015609Z:8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:08 GMT" ] + }, + "ContentHeaders": { + 
"Content-Length": [ "1408" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00\",\"updated\":\"2019-09-09T00:00:00\",\"expires\":\"2028-09-14T00:00:00\",\"parsed_whois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuse_contact_phone\":\"12083895770\",\"abuse_contact_email\":\"abusecomplaints@markmonitor.com\",\"iana_id\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whois_server\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"name_servers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1
new file mode 100644
index 000000000000..5b6cd8654e23
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEnrichment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEnrichment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEnrichment' {
+ It 'Get_IP' {
+ $IPEnrichment = Get-AzSentinelEnrichment -ResourceGroupName $env.resourceGroupName -IPAddress 8.8.8.8
+ $IPEnrichment.ipAddr | Should -Be '8.8.8.8'
+ }
+
+ It 'Get_Domain' {
+ $DomainEnrichment = Get-AzSentinelEnrichment -ResourceGroupName $env.resourceGroupName -Domain "google.com"
+ $DomainEnrichment.domain | Should -Be 'google.com'
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json
new file mode 100644
index 000000000000..2617a84eb81d
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json
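Review bot: The two assertions only echo the input back (`ipAddr` equals the address passed in, `domain` equals the domain passed in), so a response carrying no enrichment data at all would still pass; add one check on a field the service actually computes, e.g. `$IPEnrichment.asn | Should -Not -BeNullOrEmpty` and `$DomainEnrichment.server | Should -Not -BeNullOrEmpty` (both fields are present in the recording on this page). Separately, `-IPAddress 8.8.8.8` is an unquoted bare word while `-Domain "google.com"` is quoted; `8.8.8.8` is not a valid numeric literal so PowerShell passes it as a string, but `-IPAddress '8.8.8.8'` makes the intent explicit and consistent. The `$IPEnrichment`/`$DomainEnrichment` locals are PascalCase whereas the sibling test files use camelCase locals.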
@@ -0,0 +1,248 @@ +{ + "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "189" ], + "x-ms-client-request-id": [ "af05e47d-2a7c-454b-b7c7-bf35c1b686c5" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11973" ], + "x-ms-request-id": [ "b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "x-ms-correlation-request-id": [ "b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015630Z:b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "190" ], + "x-ms-client-request-id": [ "40fc19d6-790d-4129-b422-33cbfb745571" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11972" ], + "x-ms-request-id": [ "2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "x-ms-correlation-request-id": [ "2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T015631Z:2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "191" ], + "x-ms-client-request-id": [ "d2959a56-b498-437a-b324-ad0289b52252" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ 
"[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11971" ], + "x-ms-request-id": [ "cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "x-ms-correlation-request-id": [ "cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015631Z:cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "413" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ 
"192" ], + "x-ms-client-request-id": [ "fb1bb058-e36c-4d32-9db8-ff5f656d1037" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11970" ], + "x-ms-request-id": [ "67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "x-ms-correlation-request-id": [ "67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015632Z:67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "193" ], + "x-ms-client-request-id": [ "6e1955bd-faad-4f20-a643-5956f9ac47ff" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11969" ], + "x-ms-request-id": [ "687044df-ca03-4391-879a-195164267c13" ], + "x-ms-correlation-request-id": [ "687044df-ca03-4391-879a-195164267c13" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015632Z:687044df-ca03-4391-879a-195164267c13" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:32 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "413" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "194" ], + "x-ms-client-request-id": [ "4df17961-e010-4663-a97c-305403a5b564" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11968" ], + "x-ms-request-id": [ "0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "x-ms-correlation-request-id": [ "0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T015633Z:0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:32 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "413" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 new file mode 100644 index 000000000000..803dc2377f30 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 
@@ -0,0 +1,35 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntity'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntity.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntity' {
+ It 'List' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entities.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entity = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entities[0].Name
+ $entity.Name | Should -Be $entities[0].Name
+ }
+
+ It 'GetViaIdentity' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entity = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entities[0].Name
+ $entityViaId = Get-AzSentinelentity -InputObject $entity
+ $entityViaId.Name | Should -Be $entities[0].Name
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json
new file mode 100644
index 000000000000..1dd40543e6d3
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json
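Review bot: The 'Get' and 'GetViaIdentity' cases index `$entities[0].Name` without first checking that the list call returned anything, so an empty workspace fails these tests with an indexing/null error instead of a clear assertion; add `$entities | Should -Not -BeNullOrEmpty` before the `-Id $entities[0].Name` call (the same pattern applies to the 'Queries' case in the Get-AzSentinelEntityActivity.Tests.ps1 hunk). The identical list call is repeated in all three `It` blocks and could move into a `BeforeAll` so the fixture is fetched once. As a point of style, the cmdlet is invoked as `Get-AzSentinelentity` while the module exports it as `Get-AzSentinelEntity`; PowerShell resolves it case-insensitively, but matching the exported casing keeps the recording keys and test readable. The `while(-not $mockingPath)` search loop appears to have no exit once `Split-Path -Parent` reaches the drive root, though this looks like shared generated scaffolding rather than something introduced here.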
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "195" ], + "x-ms-client-request-id": [ "3a8d1b1a-15d4-4a1d-9bc7-cbae66fc4666" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11967" ], + "x-ms-request-id": [ "519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "x-ms-correlation-request-id": [ "519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015654Z:519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:54 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "196" ], + "x-ms-client-request-id": [ "9ace68b3-6c28-4e38-8315-983d38166b5d" ], + "CommandName": [ "Get-AzSentinelEntityActivity" ], + "FullCommandName": [ "Get-AzSentinelEntityActivity_Queries" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ], + "x-ms-request-id": [ 
"81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "x-ms-correlation-request-id": [ "81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015658Z:81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "20801" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. 
Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime 
= min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = 
strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project 
Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, 
strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP 
address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP 
!= DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, 
RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where 
isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"display
Name\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional 
Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 new file mode 100644 index 000000000000..aad19cfd008a --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityActivity'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityActivity.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityActivity' {
+ It 'Queries' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $queries = Get-AzSentinelEntityActivity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -EntityId $entities[0].Name
+ $queries.Count | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
new file mode 100644
index 000000000000..1b91850f78ac
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
@@ -0,0 +1,79 @@ +{ + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "197" ], + "x-ms-client-request-id": [ "c99f59a5-31cc-4138-b561-8fe621ad89c5" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ], + "x-ms-request-id": [ "4af5eb56-43e2-4815-86bb-80a1da31432f" ], + "x-ms-correlation-request-id": [ "4af5eb56-43e2-4815-86bb-80a1da31432f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015719Z:4af5eb56-43e2-4815-86bb-80a1da31432f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:19 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2021-12-11T01:00:00.0000000+00:00\",\n \"endTime\": \"2021-12-12T01:00:00.0000000+00:00\"\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "104" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ], + "x-ms-request-id": [ "0f5df074-c8e7-464b-8a83-3d63d3cdce91" ], + "x-ms-correlation-request-id": [ "0f5df074-c8e7-464b-8a83-3d63d3cdce91" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015723Z:0f5df074-c8e7-464b-8a83-3d63d3cdce91" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1719" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional 
Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 new file mode 100644 index 000000000000..02698a98536d --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityInsight'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityInsight.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityInsight' {
+ It 'GetExpanded' {
+ $startTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityInsight = Get-AzSentinelEntityInsight -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -EntityId $entities[0].Name -StartTime $startTime -EndTime $endTime
+ $entityInsight.MetaDataTotalCount | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..9e86177cadfe
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json
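Review bot: The format string `"yyyy-MM-ddThh:00:00.000Z"` on the `$startTime` and `$endTime` lines uses `hh`, the 12-hour clock, so after `ToUniversalTime()` any run in the afternoon produces an hour in 01–12 stamped with a literal `Z`, and the window sent to the service is twelve hours off from the one intended. Use the 24-hour specifier on both lines: `-Format "yyyy-MM-ddTHH:00:00.000Z"`. The recorded request was made at 01:57 UTC, where the two specifiers coincide, so the recording would not have exposed this; a playback that matched on request content would, since the body carries these timestamps.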
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelEntityQuery+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "199" ], + "x-ms-client-request-id": [ "f9562eb3-7e8c-4c59-9683-f8d910ad9bb0" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], + "x-ms-request-id": [ "76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "x-ms-correlation-request-id": [ "76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015745Z:76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:44 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "163861" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"name\":\"98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){\\n SecurityAlert\\n | where SystemAlertId == v_SecurityAlert_SystemAlertId\\n | project entities = todynamic(Entities)\\n | mv-expand entities\\n | project-rename entity=entities};\\n GetAlertRelatedEntities(\u0027\u003csystemAlertId\u003e\u0027)\",\"inputFields\":[\"systemAlertId\"],\"outputEntityTypes\":[],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityAlert\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/27f76e63-c41b-480f-bb18-12ad2e011d49\",\"name\":\"27f76e63-c41b-480f-bb18-12ad2e011d49\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"\",\"inputFields\":[],\"outputEntityTypes\":[],\"dataSources\":[],\"inputEntityType\":\"HuntingBookmark\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/055a5692-555f-42bd-ac17-923a5a9994ed\",\"name\":\"055a5692-555f-42bd-ac17-923a5a9994ed\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetHostRelatedAlerts = (v_Host_HostName:string){\\n SecurityAlert\\n | 
summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027host\u0027 and entity[\u0027HostName\u0027] =~ v_Host_HostName\\n | project-away entity};\\n GetHostRelatedAlerts(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"name\":\"e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"name\":\"a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAccountRelatedAlerts = (v_Account_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027account\u0027 and entity[\u0027Name\u0027] =~ v_Account_Name\\n | project-away entity};\\n 
GetAccountRelatedAlerts(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/504ea455-3bf7-47ef-8555-dc747b465f99\",\"name\":\"504ea455-3bf7-47ef-8555-dc747b465f99\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"name\":\"4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAzureResourceRelatedAlerts = (v_AzureResource_ResourceId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027azure-resource\u0027 and entity[\u0027ResourceId\u0027] =~ v_AzureResource_ResourceId\\n | project-away entity};\\n 
GetAzureResourceRelatedAlerts(\u0027\u003cresourceId\u003e\u0027)\",\"inputFields\":[\"resourceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"AzureResource\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f74ad13a-ae93-47b9-8782-b1142b95d046\",\"name\":\"f74ad13a-ae93-47b9-8782-b1142b95d046\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetCloudApplicationRelatedAlerts = (v_CloudApplication_AppId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027cloud-application\u0027 and entity[\u0027AppId\u0027] =~ v_CloudApplication_AppId\\n | project-away entity};\\n GetCloudApplicationRelatedAlerts(\u0027\u003cappId\u003e\u0027)\",\"inputFields\":[\"appId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"CloudApplication\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/80218599-45b4-4402-95cc-86f9929dd43d\",\"name\":\"80218599-45b4-4402-95cc-86f9929dd43d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetDNSRelatedAlerts = (v_DNS_DomainName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where 
entity[\u0027Type\u0027] == \u0027dns\u0027 and entity[\u0027DomainName\u0027] =~ v_DNS_DomainName\\n | project-away entity};\\n GetDNSRelatedAlerts(\u0027\u003cdomainName\u003e\u0027)\",\"inputFields\":[\"domainName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"DNS\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0f0bccef-4512-4530-a866-27056a39dcd6\",\"name\":\"0f0bccef-4512-4530-a866-27056a39dcd6\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileRelatedAlerts = (v_File_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027file\u0027 and entity[\u0027Name\u0027] =~ v_File_Name\\n | project-away entity};\\n GetFileRelatedAlerts(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"name\":\"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileHashRelatedAlerts = (v_FileHash_Value:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename 
entity=entities\\n | where entity[\u0027Type\u0027] == \u0027filehash\u0027 and entity[\u0027Value\u0027] =~ v_FileHash_Value\\n | project-away entity};\\n GetFileHashRelatedAlerts(\u0027\u003chashValue\u003e\u0027)\",\"inputFields\":[\"hashValue\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"FileHash\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/58c1516f-b78a-4d78-9e71-77c40849c27b\",\"name\":\"58c1516f-b78a-4d78-9e71-77c40849c27b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIPRelatedAlerts = (v_IP_Address:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027ip\u0027 and entity[\u0027Address\u0027] =~ v_IP_Address\\n | project-away entity};\\n GetIPRelatedAlerts(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"name\":\"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related 
bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"name\":\"b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMalwareRelatedAlerts = (v_Malware_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027malware\u0027 and entity[\u0027Name\u0027] =~ v_Malware_Name\\n | project-away entity};\\n GetMalwareRelatedAlerts(\u0027\u003cmalwareName\u003e\u0027)\",\"inputFields\":[\"malwareName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Malware\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"name\":\"63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetProcessRelatedAlerts = (v_Process_ProcessId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027process\u0027 and entity[\u0027ProcessId\u0027] =~ v_Process_ProcessId\\n | project-away 
entity};\\n GetProcessRelatedAlerts(\u0027\u003cprocessId\u003e\u0027)\",\"inputFields\":[\"processId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d788cd65-a7ef-448e-aa34-81185ac0e611\",\"name\":\"d788cd65-a7ef-448e-aa34-81185ac0e611\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryKeyRelatedAlerts = (v_RegistryKey_Key:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027registry-key\u0027 and entity[\u0027Key\u0027] =~ v_RegistryKey_Key\\n | project-away entity};\\n GetRegistryKeyRelatedAlerts(\u0027\u003ckey\u003e\u0027)\",\"inputFields\":[\"key\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryKey\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"name\":\"3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryValueRelatedAlerts = (v_RegistryValue_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == 
\u0027registry-value\u0027 and entity[\u0027Name\u0027] =~ v_RegistryValue_Name\\n | project-away entity};\\n GetRegistryValueRelatedAlerts(\u0027\u003cvalueName\u003e\u0027)\",\"inputFields\":[\"valueName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryValue\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/43c07636-6be0-4c62-8c62-9a6040a98821\",\"name\":\"43c07636-6be0-4c62-8c62-9a6040a98821\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSecurityGroupRelatedAlerts = (v_SecurityGroup_DistinguishedName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027security-group\u0027 and entity[\u0027DistinguishedName\u0027] =~ v_SecurityGroup_DistinguishedName\\n | project-away entity};\\n GetSecurityGroupRelatedAlerts(\u0027\u003cdistinguishedName\u003e\u0027)\",\"inputFields\":[\"distinguishedName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityGroup\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"name\":\"7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetURLRelatedAlerts = (v_URL_Url:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by 
SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027url\u0027 and entity[\u0027Url\u0027] =~ v_URL_Url\\n | project-away entity};\\n GetURLRelatedAlerts(\u0027\u003curl\u003e\u0027)\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"name\":\"855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"name\":\"4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIoTDeviceRelatedAlerts = (v_IoTDevice_DeviceId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027 and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\n | project-away entity};\\n 
GetIoTDeviceRelatedAlerts(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb123681-fb7e-4684-86fd-3866df84ac2f\",\"name\":\"fb123681-fb7e-4684-86fd-3866df84ac2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Assigned IPs\",\"queryTemplate\":\"let GetIPsForHost = (v_Host_HostName:string){\\n Heartbeat\\r\\n | where Computer =~ v_Host_HostName\\r\\n | summarize arg_max(TimeGenerated, *) by ComputerIP\\r\\n };\\n GetIPsForHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"name\":\"fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Host assigned with IP\",\"queryTemplate\":\"let GetHostsForIp = (v_IP_Address:string){\\r\\n Heartbeat\\r\\n | where ComputerIP =~ v_IP_Address\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n };\\n 
GetHostsForIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"name\":\"0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailboxRelatedAlerts = (v_Mailbox_MailboxPrimaryAddress:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027mailbox\u0027 and entity[\u0027MailboxPrimaryAddress\u0027] =~ v_Mailbox_MailboxPrimaryAddress\\n | project-away entity};\\n GetMailboxRelatedAlerts(\u0027\u003cmailboxPrimaryAddress\u003e\u0027)\",\"inputFields\":[\"mailboxPrimaryAddress\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Mailbox\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"name\":\"cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailClusterRelatedAlerts = (v_MailCluster_Query:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == 
\u0027mailCluster\u0027 and entity[\u0027Query\u0027] =~ v_MailCluster_Query\\n | project-away entity};\\n GetMailClusterRelatedAlerts(\u0027\u003cquery\u003e\u0027)\",\"inputFields\":[\"query\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailCluster\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"name\":\"33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailMessageRelatedAlerts = (v_MailMessage_NetworkMessageId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027mailMessage\u0027 and entity[\u0027NetworkMessageId\u0027] =~ v_MailMessage_NetworkMessageId\\n | project-away entity};\\n GetMailMessageRelatedAlerts(\u0027\u003cnetworkMessageId\u003e\u0027)\",\"inputFields\":[\"networkMessageId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailMessage\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d215b047-259d-40b4-843c-4d509b013525\",\"name\":\"d215b047-259d-40b4-843c-4d509b013525\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSubmissionMailRelatedAlerts = (v_SubmissionMail_SubmissionId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by 
SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027SubmissionMail\u0027 and entity[\u0027SubmissionId\u0027] =~ v_SubmissionMail_SubmissionId\\n | project-away entity};\\n GetSubmissionMailRelatedAlerts(\u0027\u003csubmissionId\u003e\u0027)\",\"inputFields\":[\"submissionId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SubmissionMail\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4c541df8-a680-4da5-96c9-74456927213f\",\"name\":\"4c541df8-a680-4da5-96c9-74456927213f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts the account failed to log in to the most\",\"queryTemplate\":\"let SuccessfulLoginEventId = 4624;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet MostFailedLogins = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, 
\u0027@\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_UPNSuffix = iff(Account has \u0027@\u0027, tostring(split(Account,\u0027@\u0027)[1]),\u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_NTDomain = iff(Account has \u0027\\\\\\\\\u0027, tostring(split(Account,\u0027\\\\\\\\\u0027)[0]),\u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)@?\u0027,2,Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t and\\r\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )\\r\\n\\t\\t\\t\\t\\t\\t\\t and\\r\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId), Host_Aux_FailedLoginsCount\\t= countif(EventID==FailedLoginEventId), Host_Aux_LogonTypes=make_set(LogonType)\\r\\n\\t\\t\\t\\t\\t\\t\\t by Computer, Account, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_FailedLoginsCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with Host_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer,\u0027.\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_DnsDomain = 
strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away Computer, Account, _ResourceId, SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostFailedLogins(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"ntDomain\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"name\":\"2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IPs from rare locations used by account\",\"queryTemplate\":\"let IPsFromRareLocations = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet LocationPrevalence =\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, 
\u0027@\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_AadUserId = toguid(UserId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)\\r\\n\\t\\t\\t\\t\\t\\t\\tor (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend FullLocation = strcat(Location,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize ConnectionCount = count() by FullLocation, UserPrincipalName, IPAddress, Account_Name, Account_UPNSuffix, Account_AadUserId;\\r\\n\\t\\t\\t\\t\\t\\t\\tLocationPrevalence\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize make_list(IPAddress), make_list(FullLocation), make_list(ConnectionCount), dcount(FullLocation), totalActivity = sum(ConnectionCount) by UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| mvexpand Location = list_FullLocation, ConnectionCount = list_ConnectionCount, IPAddress = list_IPAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Location = tostring(Location), ConnectionCount = toint(ConnectionCount), IPAddress = tostring(IPAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend percentOfActivity = 100*round(todouble(ConnectionCount)/totalActivity,4)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where percentOfActivity \u003c 10\\r\\n\\t\\t\\t\\t\\t\\t\\t| project UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId, IPAddress, Location, ConnectionCount, percentOfActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by percentOfActivity asc, ConnectionCount desc\\r\\n\\t\\t\\t\\t\\t\\t\\t| 
top 10 by percentOfActivity asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Location_Country = tostring(split(Location,\u0027|\u0027)[0]), IP_Location_Region = tostring(split(Location,\u0027|\u0027)[1]), IP_Location_City = tostring(split(Location,\u0027|\u0027)[2])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Aux_info = pack(\u0027PercentOfActivity\u0027, percentOfActivity, \u0027ConnectionCount\u0027, ConnectionCount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_UnstructuredName = UserPrincipalName, Account_Name, Account_NTDomain, Account_UPNSuffix, Account_AadUserId, IP_Address = IPAddress, IP_Location_Country, IP_Location_Region, IP_Location_City, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tIPsFromRareLocations(\u0027\u003caccountName\u003e\u0027, \u0027\u003cupnSuffix\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"aadUserId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/160c7513-f704-46b7-adf9-d9c4176a44a3\",\"name\":\"160c7513-f704-46b7-adf9-d9c4176a44a3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,\u0027@\u0027,v_Account_UPNSuffix), \\\"\\\");\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, 
FriendlyActivityName:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn\\r\\n\\t\\t\\t\\t\\t\\t\\t or\\r\\n\\t\\t\\t\\t\\t\\t\\t isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_UnstructuredName = DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_AppConCount=count() by 
Host_UnstructuredName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_AppConCount desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003caccountName\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027,\u0027\u003csid\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"sid\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f89061dd-e6d6-4553-9c88-301a7360fc14\",\"name\":\"f89061dd-e6d6-4553-9c88-301a7360fc14\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this account\",\"queryTemplate\":\"let GetSysLogEventsByAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SyslogMessage has v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=tostring(ProcessID), 
Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsByAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"name\":\"dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created by account\",\"queryTemplate\":\"let GetServiceCreationsByAccount = (v_Account_Name:string, v_Account_NTDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Account_Name = tostring(split(UserName, \u0027\\\\\\\\\u0027)[1]), 
Process_Account_NTDomain = tostring(split(UserName, \u0027\\\\\\\\\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Process_Account_Name =~ p_Account_Name and Process_Account_NTDomain =~ p_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Account_info = pack(\u0027ServiceName\u0027, ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Host_Aux_StartTimeUtc = min(TimeGenerated), Process_Host_Aux_EndTimeUtc = max(TimeGenerated) by Process_Host_UnstructuredName = Computer, Process_Account_Name,\\r\\n\\t\\t\\t\\t\\t\\t\\tProcess_Account_NTDomain, Process_Account_UnstructuredName = UserName, Process_ImageFile_FullPath = ImagePath, tostring(Process_Aux_Account_info)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Host_Aux_StartTimeUtc desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsByAccount(\u0027\u003caccountName\u003e\u0027, 
\u0027\u003cntDomain\u003e\u0027)\",\"inputFields\":[\"accountName\",\"ntDomain\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/84375346-c3f0-4926-ae48-a156010c67e3\",\"name\":\"84375346-c3f0-4926-ae48-a156010c67e3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account failed logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4625\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"name\":\"7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity IPs for this account\",\"queryTemplate\":\"let GetAllIPbyAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t| where UserId contains v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPbyAccount 
(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"name\":\"6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account interactive logon to new devices\",\"queryTemplate\":\"let GetNewInteractiveLogonsForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"InteractiveLogon\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetNewInteractiveLogonsForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"name\":\"b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account remote interactive logon to new devices\",\"queryTemplate\":\"let GetAllNewRemoteInteractiveLogonForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, 
tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"RemoteInteractiveLogon\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewRemoteInteractiveLogonForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, 
\u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"name\":\"82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account access to new resources\",\"queryTemplate\":\"let GetAllNewResourceAccessForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"ResourceAccess\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = UsersInsights.AccountObjectID,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewResourceAccessForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"name\":\"18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Peers with a recent alert\",\"queryTemplate\":\"let GetUserPeersWithAlerts = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\t let Account_UPN = strcat(v_Account_Name, \u0027@\u0027,v_Account_UPNSuffix);\\r\\n\\t\\t\\t\\t\\t\\t\\t let Peers= UserPeerAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | where UserPrincipalName =~ Account_UPN or UserId =~ v_Account_AadUserId\\r\\n\\t\\t\\t\\t\\t\\t\\t | where TimeGenerated == toscalar (UserPeerAnalytics | summarize max(TimeGenerated))\\r\\n\\t\\t\\t\\t\\t\\t\\t | project PeerUserPrincipalName, PeerUserId, 
Rank\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend PeerUserPrincipalName=tolower(PeerUserPrincipalName)\\r\\n\\t\\t\\t\\t\\t\\t\\t | parse PeerUserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix;\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeerNames= Peers | summarize make_set_if(Account_Name, isnotempty(Account_Name));\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeerIds = Peers | summarize make_set_if(PeerUserId , isnotempty(PeerUserId));\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeersWithSecAlert=SecurityAlert\\r\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has \\\"account\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has_any (PeerNames) or Entities has_any (PeerIds)\\r\\n\\t\\t\\t\\t\\t\\t\\t | mvexpand todynamic(Entities)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parsejson(Entities).Type) ==\\\"account\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parsejson(Entities).Name) has_any (PeerNames) or tostring(parsejson(Entities).AadUserId) has_any (PeerIds)\\r\\n\\t\\t\\t\\t\\t\\t\\t | summarize Account_Aux_AlertCount = count()\\r\\n\\t\\t\\t\\t\\t\\t\\t by Account_Name=tolower(tostring(parsejson(Entities).Name))\\r\\n\\t\\t\\t\\t\\t\\t\\t , Account_UPNSuffix=tolower(tostring(parsejson(Entities).UPNSuffix));\\r\\n\\t\\t\\t\\t\\t\\t\\t PeersWithSecAlert\\r\\n\\t\\t\\t\\t\\t\\t\\t | join kind=innerunique\\r\\n\\t\\t\\t\\t\\t\\t\\t Peers\\r\\n\\t\\t\\t\\t\\t\\t\\t on Account_Name, Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Account_Name, Account_UPNSuffix, Account_Aux_AlertCount\\r\\n\\t\\t\\t\\t\\t\\t\\t };\\r\\n\\t\\t\\t\\t\\t\\t\\t GetUserPeersWithAlerts(\\\"{{Account_Name}}\\\",\\\"{{Account_UPNSuffix}}\\\", \\\"{{Account_AadUserId}}\\\")\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"UserPeerAnalytics 
SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"name\":\"c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts which the account logged on to\",\"queryTemplate\":\"let GetAllHostsbyAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where UserPrincipalName contains v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserDisplayName\u0027, UserDisplayName, \u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, 
StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by RemoteHost , tostring(OS)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, RemoteHost, OS, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=RemoteHost, Host_OSVersion=OS, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllHostsbyAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"name\":\"81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Screenshots taken\",\"queryTemplate\":\"let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){\\r\\n\\t\\t\\t\\t\\t\\t\\t let p_Account_UPN = strcat(Account_Name,\u0027@\u0027,Account_UPNSuffix);\\r\\n\\t\\t\\t\\t\\t\\t\\t DeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType ==\u0027ScreenshotTaken\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t | where InitiatingProcessAccountUpn =~ p_Account_UPN\\r\\n\\t\\t\\t\\t\\t\\t\\t | summarize Count=count() by DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_UnstructuredName=DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostScreenshot(\u0027\u003cAccount_Name\u003e\u0027, 
\u0027\u003cAccount_UPNSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"name\":\"8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account successful logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4624\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, 
Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"name\":\"62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts where this file was mentioned\",\"queryTemplate\":\"let GetFilesHost = (v_File_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_min_TimeGenerated desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetFilesHost(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"name\":\"4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), 
ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2Host(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ec41f36e-3fbe-44e3-a09e-adf99bc87dcb\",\"name\":\"ec41f36e-3fbe-44e3-a09e-adf99bc87dcb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IoTDevice = (v_Host_HostName:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == 
\\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IoTDevice(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"name\":\"cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating 
the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", 
EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = 
floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IP(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"name\":\"98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts with several failed logins immediately followed by a successful login\",\"queryTemplate\":\"let BRUTEFORCE_THRESHOLD = 10;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet SuccessfulLoginEventId = 4624;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AccountsPossibleSuccessfulBruteForce = (v_Host_HostName:string, v_Host_DnsDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_HostName=tostring(split(v_Host_HostName,\u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_DnsDomain=case (isnotempty(v_Host_DnsDomain),v_Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t ,v_Host_HostName has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,v_Host_HostName)\\r\\n\\t\\t\\t\\t\\t\\t\\t , \u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName=tostring(split(Computer,\u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_DnsDomain=iff(Computer has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,Computer) ,\\\"\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| where p_Host_HostName=~Host_HostName and (isempty(p_Host_DnsDomain) or isempty(Host_DnsDomain) or 
p_Host_DnsDomain=~Host_DnsDomain)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Fails = (EventID == FailedLoginEventId), Success = (EventID == SuccessfulLoginEventId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account = tolower(Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_SuccessPerMin = countif(Success), Account_Aux_FailPerMin = countif(Fails) by Account, bin(TimeGenerated, 1m)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Account_Aux_FailPerMin\\t\u003e BRUTEFORCE_THRESHOLD and Account_Aux_SuccessPerMin \u003e 0\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventData = pack(\u0027FailPerMin\u0027,Account_Aux_FailPerMin, \u0027SuccessPerMin\u0027, Account_Aux_SuccessPerMin, \u0027Time\u0027, TimeGenerated )\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Max = max(Account_Aux_FailPerMin), Account_Aux_EventsData=makeset(EventData) by Account\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Max\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Account with Account_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@.*)?$\u0027,2,Account),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_UPNSuffix = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@(.*))?$\u0027,4,Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_NTDomain, Account_UPNSuffix, Account_Aux_EventsData\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountsPossibleSuccessfulBruteForce(\u0027\u003chostName\u003e\u0027, 
\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"name\":\"bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, 
Process_ImageFile_FullPath=ProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"name\":\"8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, 
Process_ImageFile_FullPath=ProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ea747f91-23f9-425a-baa8-628f30193888\",\"name\":\"ea747f91-23f9-425a-baa8-628f30193888\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this host\",\"queryTemplate\":\"let GetSysLogEventsOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, 
Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"name\":\"07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Parent processes running on host\",\"queryTemplate\":\"let GetParentProcessesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ParentProcessName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027TargetAccount\u0027, TargetAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Process_Aux_info = makeset(info) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId, Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName, Process_Aux_StartTime = min_TimeGenerated, Process_Aux_EndTime= max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime 
asc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetParentProcessesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9d7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9d7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes on Host blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsigned = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where v_Host_HostName =~ tostring(split(DeviceName, \u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsigned(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d3393571-0533-4127-bfe1-6b1de4ab126e\",\"name\":\"d3393571-0533-4127-bfe1-6b1de4ab126e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes 
running on Host\",\"queryTemplate\":\"let GetActiveProcessesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains 
\u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(TimeGenerated), Process_Aux_EndTime=max(TimeGenerated) by Computer, Account, NewProcessName, CommandLine, ProcessId, ParentProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Computer, Account, NewProcessName, CommandLine, ProcessId, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime desc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetActiveProcessesOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"name\":\"6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created on host\",\"queryTemplate\":\"let GetServiceCreationsOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer =~ v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_ServiceName = 
tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\tand ImagePath !has \u0027\\\\\\\\Packages\\\\\\\\Plugins\\\\\\\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\Telemetry\\\\\\\\WindowsAzureTelemetryService.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\GuestAgent\\\\\\\\WindowsAzureGuestAgent.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Service_info = pack(\u0027ServiceName\u0027, Process_Aux_ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_CreationTimeUtc desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Event\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3aed43db-e358-4952-a5cd-a10f00d90af4\",\"name\":\"3aed43db-e358-4952-a5cd-a10f00d90af4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User accounts created or deleted on host\",\"queryTemplate\":\"let GetAccountChangesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4720 or EventID == 4726\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer contains v_Host_HostName or WorkstationName contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027TargetAccount\u0027, TargetAccount, \u0027SubjectAccount\u0027, SubjectAccount, \u0027Activity\u0027, Activity)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_info = makeset(info) by Computer, TargetAccount\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime=min_TimeGenerated, Account_Aux_EndTime=max_TimeGenerated, Account_Host_UnstructuredName=Computer, Account_UnstructuredName=TargetAccount, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTime asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAccountChangesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"name\":\"37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts which logged onto this host and their IPs\",\"queryTemplate\":\"let GetAccountsFromHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(DeviceDetail.displayName))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteHost == tolower(v_Host_HostName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser), TrustType = tostring(DeviceDetail.trustType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, 
StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_info = Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTimeUtc desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAccountsFromHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\",\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"name\":\"b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, 
Description:string, FriendlyActivityName:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where DeviceName ==p_FullDeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse InitiatingProcessAccountUpn with Account_Name \u0027@\u0027 Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, 
Account_Sid\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_AppConCount desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003chostName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\",\"ntDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"name\":\"b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = 
todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), 
Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2Host(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3d110544-328c-4c02-ad49-eabc2b69f26d\",\"name\":\"3d110544-328c-4c02-ad49-eabc2b69f26d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IoTDevice = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress 
== v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by 
IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IoTDevice(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"name\":\"b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = 
todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = 
tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"name\":\"37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The least active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Count = count() by\\r\\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, 
Caller,\u0027\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91\",\"name\":\"97a1d515-abf2-4231-9a35-985f9de0bb91\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The most active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Count = count() by\\r\\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , 
Account_Aux_EndTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/aa497951-c779-4ea2-be2a-127ea66c5fba\",\"name\":\"aa497951-c779-4ea2-be2a-127ea66c5fba\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the least amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"name\":\"73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the most amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ab597a67-352e-4914-b2e6-d64919a910a8\",\"name\":\"ab597a67-352e-4914-b2e6-d64919a910a8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the least amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t };\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"name\":\"5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the most amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = 
(v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/980762f8-014e-4439-8840-5f0a90285dce\",\"name\":\"980762f8-014e-4439-8840-5f0a90285dce\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Destination IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedDestIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\r\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and SourceIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by array_length(Ports), DropCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address = DestinationIP, IP_Aux_DropCount = DropCount, IP_Aux_DroppedSessionPorts = Ports\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away 
rn\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedDestIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/935ab312-cb52-42a5-b296-548f21786102\",\"name\":\"935ab312-cb52-42a5-b296-548f21786102\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Source IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedSourceIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\r\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and DestinationIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by IP_Aux_DropCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedSourceIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/588f5d9f-3380-4eff-9983-e61d62fdd172\",\"name\":\"588f5d9f-3380-4eff-9983-e61d62fdd172\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity accounts 
with this IP\",\"queryTemplate\":\"let GetAllAccountByIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_Count desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllAccountByIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/801bacb0-612a-4195-a84f-7939cca63b92\",\"name\":\"801bacb0-612a-4195-a84f-7939cca63b92\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDnsEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SubType == \u0027LookupQuery\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddresses has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_IPAddresses = split(IPAddresses,\u0027,\u0027), IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize 
IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_Count asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/188ff904-e3c3-4253-9326-e0190b4b7a01\",\"name\":\"188ff904-e3c3-4253-9326-e0190b4b7a01\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithIp = (v_IPAddress:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP has v_IPAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, 
Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/897267e4-68e1-4827-b318-7fb055b52fc0\",\"name\":\"897267e4-68e1-4827-b318-7fb055b52fc0\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithIp = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where LocalIP has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, 
Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"name\":\"fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetLeastPrevUsersbyIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), 
UserPrincipalName, AADTenantId, UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };\\r\\n\\t\\t\\t\\t\\t\\t\\tGetLeastPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"name\":\"0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDnsEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SubType == \u0027LookupQuery\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddresses has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_IPAddresses = split(IPAddresses,\u0027,\u0027), IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_Count desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/41146c58-ffc6-47ff-975e-f85013629dfd\",\"name\":\"41146c58-ffc6-47ff-975e-f85013629dfd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent Linux hosts with this IP\",\"queryTemplate\":\"let GetSysLogEventsWithIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where HostIP has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SeverityLevel\u0027, SeverityLevel)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename 
Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"name\":\"bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetMostPrevUsersbyIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, 
AADTenantId, UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetMostPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9c7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9c7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsignedFile = (v_Process_ProcessId:int, v_Process_ImageFile:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where InitiatingProcessId == v_Process_ProcessId and InitiatingProcessFileName =~ p_Process_ImageFile_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Count=count() by FileName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 15 by Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project 
File_Name=FileName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsignedFile(\u0027\u003cv_Process_ProcessId\u003e\u0027,\u0027\u003cv_Process_ImageFile\u003e\u0027)\",\"inputFields\":[\"processId\",\"ImageFile\"],\"outputEntityTypes\":[\"File\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/77f9839a-1c03-49e2-803e-72b97042fc05\",\"name\":\"77f9839a-1c03-49e2-803e-72b97042fc05\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ 
asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/def383f2-dff3-4f5b-9416-aca8dca39812\",\"name\":\"def383f2-dff3-4f5b-9416-aca8dca39812\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent Linux hosts with this process\",\"queryTemplate\":\"let GetSysLogEventsWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SyslogMessage\u0027, SyslogMessage)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_EventTime, Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/39df618a-684d-402d-b096-6f505a8e741e\",\"name\":\"39df618a-684d-402d-b096-6f505a8e741e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, 
RemoteIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, RemoteIP, IP_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"name\":\"e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"10 most recent VM configuration changes based on process\",\"queryTemplate\":\"let exclude = dynamic([\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wuauclt.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\WindowsAzureNetAgent_\u0027,\\r\\n\\t\\t\\t\\t\\t\\t\\t\u0027:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\u0027, \u0027\\\\\\\\MpSigStub.exe\u0027,\u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\trustedinstaller.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\\\\"]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet ConfigChange = (v_Process_ImageFile:string )\\r\\n\\t\\t\\t\\t\\t\\t\\t{let Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigurationChange\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ConfigChangeType != \\\"Software\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ValueData) or isnotempty(SvcPath) or isnotempty(FileSystemPath)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and (ValueData has \\\".exe\\\" or ValueData has \\\".bat\\\" or ValueData has \\\".cmd\\\"), ValueData,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"WindowsServices\\\", SvcPath,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ((FileSystemPath has \\\".exe\\\" or FileSystemPath has \\\".bat\\\" or FileSystemPath has \\\".cmd\\\") or FileSystemPath has \u0027/\u0027), FileSystemPath,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Daemons\\\", SvcPath,\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"ProcessNotAvailable\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where not(Process has_any (exclude)) and (Process !has \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\u0027 and not(Process has_any (\u0027\\\\\\\\ngentask.exe\u0027, \u0027\\\\\\\\ngen.exe\u0027)))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where iff(Process_ImageFile_Name == \\\"\\\", false, Process has Process_ImageFile_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse FileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse 
PreviousFileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Changes = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Modified\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData, \\\"PreviousValueData\\\", PreviousValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"PreviousValueData\\\", PreviousValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Path\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcPreviousPath\\\", SvcPreviousPath),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Runlevels\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcRunlevels\\\", SvcRunlevels,\\\"SvcPreviousRunlevels\\\", 
SvcPreviousRunlevels),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"StartupType\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State StartupType\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcStartupType\\\", SvcStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == 
\\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPreviousPath\\\", SvcPreviousPath, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", DateCreated, \\\"DateModified\\\", DateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Modified\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"FieldsChanged\\\", FieldsChanged, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer, \\\".\\\")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTimeUtc 
desc};\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChange(\u0027\u003cImageFile\u003e\u0027)\",\"inputFields\":[\"ImageFile\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"ConfigurationChange\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0880a6d7-d914-40f6-91bc-150de4810e4e\",\"name\":\"0880a6d7-d914-40f6-91bc-150de4810e4e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Windows hosts with this process\",\"queryTemplate\":\"let GetHostsWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Account\u0027, Account, \u0027NewProcessName\u0027, NewProcessName, \u0027CommandLine\u0027, CommandLine)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, 
Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetHostsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"name\":\"c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = 
tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), 
LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2Host(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/233eaf89-cbb0-461a-bc45-e0f873ad6b15\",\"name\":\"233eaf89-cbb0-461a-bc45-e0f873ad6b15\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = 
todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by 
IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"name\":\"f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", 
EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = 
tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IP(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"name\":\"1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most frequent command executions on the device\",\"queryTemplate\":\"let Process_byIoTDevice = (v_IotDevice_DeviceId:string, v_IoTDevice_IoTHub:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RawEventName =~ \u0027ProcessCreate\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AssociatedResourceId =~ parse_json(v_IoTDevice_IoTHub)[\u0027ResourceId\u0027] and DeviceId =~ v_IotDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CommandLine = tostring(parse_json(EventDetails)[\u0027CommandLine\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ProcessId = tostring(parse_json(EventDetails)[\u0027ProcessId\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Process_ParentProcess_ProcessId = tostring(parse_json(EventDetails)[\u0027ParentProcessId\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CreationTimeUtc = TimeStamp\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize procCount = count() by Process_CommandLine, Process_ProcessId, Process_ParentProcess_ProcessId, Process_CreationTimeUtc\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Count = procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tProcess_byIoTDevice(\u0027\u003cdeviceId\u003e\u0027, \u0027\u003cIoTHub\u003e\u0027)\",\"inputFields\":[\"deviceId\",\"IoTHub\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQuery+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "200" ], + "x-ms-client-request-id": [ "02e528c7-7971-4a86-9a7f-03105bcc360f" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + 
"StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], + "x-ms-request-id": [ "6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "x-ms-correlation-request-id": [ "6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:45 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, 
\u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "201" ], + "x-ms-client-request-id": [ "ea04149a-ed83-4baf-acf8-736472c4560b" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], + "x-ms-request-id": [ "a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "x-ms-correlation-request-id": [ "a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:45 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this 
host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 
\"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "202" ], + "x-ms-client-request-id": [ "b6d33220-31bf-433b-a328-453bf3ad00ee" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], + "x-ms-request-id": [ "0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "x-ms-correlation-request-id": [ "0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T015746Z:0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..06c4f58f24fa --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityQuery' {
+ It 'List' {
+ $entityQueryies = Get-AzSentinelentityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryies.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $entityQuery = Get-AzSentinelentityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetentityQueryActivityId
+ $entityQuery.Name | Should -Be $env.GetentityQueryActivityId
+ }
+
+ It 'GetViaIdentity' {
+ $entityQuery = Get-AzSentinelentityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetentityQueryActivityId
+ $entityQueryViaId = Get-AzSentinelentityQuery -InputObject $entityQuery
+ $entityQueryViaId.Name | Should -Be $env.GetentityQueryActivityId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
new file mode 100644
index 000000000000..81d8de3dcd35
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
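Review bot: The `List` case misspells its local as `$entityQueryies`, and all three `It` blocks invoke the cmdlet as `Get-AzSentinelentityQuery` while the module manifest exports it as `Get-AzSentinelEntityQuery` (the name the `Describe` block also uses); PowerShell resolves both, but the mixed casing makes the tests harder to grep and the recording's `CommandName` header inherits the odd spelling. Suggest `$entityQueries = Get-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName` and `$entityQueries.Count | Should -BeGreaterOrEqual 1`, with the same casing fix in the `Get` and `GetViaIdentity` cases. The `Get` assertion compares `Name` against `$env.GetentityQueryActivityId`, so that env key must keep the exact spelling used in the environment file this test loads, which is outside this hunk. The hunk is the whole new file, so no enclosing block continues beyond it.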
@@ -0,0 +1,125 @@ +{ + "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "203" ], + "x-ms-client-request-id": [ "e0396517-e4b0-43b4-acfc-bd6083c1ae8f" ], + "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], + "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ], + "x-ms-request-id": [ "a6207471-5adf-4afe-991e-fbad1946447e" ], + "x-ms-correlation-request-id": [ "a6207471-5adf-4afe-991e-fbad1946447e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015809Z:a6207471-5adf-4afe-991e-fbad1946447e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "187304" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 
TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationName}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity \\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationName contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationName == \\\"List Storage Account Keys\\\" and ActivityStatus == \\\"Succeeded\\\")\\n or OperationName == \\\"Create or Update Virtual Machine\\\" \\n or OperationName == \\\"Create Deployment\\\"\\n or OperationName == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, 
Source_IP_Address, shortResourceId, OperationName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain 
= case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, 
tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, 
WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in 
(4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| 
project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run 
Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ 
v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| 
extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, 
event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * \u0027The\u0027 
LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = 
(tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * 
\u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has 
\u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "204" ], + "x-ms-client-request-id": [ "c806251a-84a5-4cda-96a3-9481c0232d15" ], + "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], + "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ], + "x-ms-request-id": [ "1a72f600-be84-4ce9-a11e-eca776b3444e" ], + "x-ms-correlation-request-id": [ "1a72f600-be84-4ce9-a11e-eca776b3444e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015812Z:1a72f600-be84-4ce9-a11e-eca776b3444e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + 
"Date": [ "Sun, 12 Dec 2021 01:58:11 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "187304" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationName}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity \\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationName contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationName == \\\"List Storage Account Keys\\\" and ActivityStatus == \\\"Succeeded\\\")\\n or OperationName == \\\"Create or Update Virtual Machine\\\" \\n or OperationName == \\\"Create Deployment\\\"\\n or OperationName == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, 
Source_IP_Address, shortResourceId, OperationName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain 
= case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, 
tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, 
WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in 
(4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| 
project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run 
Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ 
v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| 
extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, 
event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * \u0027The\u0027 
LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = 
(tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * 
\u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has 
\u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "205" ], + "x-ms-client-request-id": [ "383f2cec-54da-4e58-9428-626dea7ce23d" ], + "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], + "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], + "x-ms-request-id": [ "6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "x-ms-correlation-request-id": [ "6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015815Z:6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "Strict-Transport-Security": [ "max-age=31536000; 
includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "3224" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | 
extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1
new file mode 100644
index 000000000000..3b69ea166719
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1
@@ -0,0 +1,35 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityQueryTemplate'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityQueryTemplate.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityQueryTemplate' {
+ It 'List' {
+ $entityQueryTemplates = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryTemplates.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $entityQueryTemplates = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryTemplate = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entityQueryTemplates[0].Name
+ $entityQueryTemplate.Name | Should -Be $entityQueryTemplates[0].Name
+ }
+
+ It 'GetViaIdentity' -skip {
+ $entityQueryTemplates = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryTemplate = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entityQueryTemplates[0].Name
+ $entityQueryTemplateViaId = Get-AzSentinelentityQuery -InputObject $entityQueryTemplate
+ $entityQueryTemplateViaId.Name | Should -Be $entityQueryTemplates[0].Name
+ }
+}
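Review bot: The skipped 'GetViaIdentity' case calls `Get-AzSentinelentityQuery -InputObject $entityQueryTemplate`, which is the entity-query cmdlet rather than the template cmdlet under test, so if the skip is ever lifted the identity path of Get-AzSentinelEntityQueryTemplate still goes unverified; the line should read `$entityQueryTemplateViaId = Get-AzSentinelEntityQueryTemplate -InputObject $entityQueryTemplate`. The `while(-not $mockingPath)` search in the preamble has no stop condition once `Split-Path -Parent` reaches the filesystem root, so a checkout missing HttpPipelineMocking.ps1 appears to loop rather than fail with a clear message; this looks like generator boilerplate shared by the EntityRelation and EntityTimeline test files in this commit as well, so a single fix in the generator template would cover all three. A guard such as `if (-not $currentPath) { throw 'HttpPipelineMocking.ps1 not found' }` inside the loop would make the failure explicit.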
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1
new file mode 100644
index 000000000000..174637af2859
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityRelation' {
+ It 'List' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Get' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'GetViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json
new file mode 100644
index 000000000000..4aa4103e97ae
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json
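Review bot: All three cases for Get-AzSentinelEntityRelation are `-skip` placeholders that throw NotImplementedException, so this cmdlet is exported with no executed coverage while the Describe block reports green in CI. The sibling test files in this commit show the pattern to follow (a recording-backed 'List' and 'Get' against `$env.resourceGroupName` / `$env.workspaceName`); if a recording cannot be produced yet, a comment above the Describe such as `# TODO: no recording yet; relation listing requires a seeded entity` would at least tell the next maintainer why the cases are skipped.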
@@ -0,0 +1,79 @@ +{ + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "206" ], + "x-ms-client-request-id": [ "81504883-85f8-4e9f-a467-387ece9a56a4" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ], + "x-ms-request-id": [ "c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "x-ms-correlation-request-id": [ "c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015857Z:c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2021-12-11T01:00:00.0000000+00:00\",\n \"endTime\": \"2021-12-12T01:00:00.0000000+00:00\"\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "104" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ], + "x-ms-request-id": [ "c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + "x-ms-correlation-request-id": [ "c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015900Z:c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:59 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "152" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[],\"metaData\":{\"aggregations\":[{\"kind\":\"Activity\",\"count\":0},{\"kind\":\"Bookmark\",\"count\":0},{\"kind\":\"SecurityAlert\",\"count\":0}],\"totalCount\":0}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 new file mode 100644 index 000000000000..485cf7c87485 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityTimeline'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityTimeline.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityTimeline' {
+ It 'ListExpanded' {
+ $startTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityTimeline = Get-AzSentinelEntityTimeline -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -EntityId $entities[0].Name -startTime $startTime -EndTime $endTime
+ $entityTimeline | Should -Not -Be $null
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..71b9ebd0487e
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json
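Review bot: Both time literals in 'ListExpanded' use `hh` (12-hour clock) while appending a literal `Z`, so any run after 12:00 UTC sends a window twelve hours earlier than intended and a 13:00–01:00 start/end pair can even invert; the recording happens to have been captured at 01:xx UTC, which is why it matched. Use the 24-hour specifier on both lines: `Get-Date -Format "yyyy-MM-ddTHH:00:00.000Z"`. The assertion `$entityTimeline | Should -Not -Be $null` is also weak for a response whose recorded body is `"value":[]` with `totalCount 0`; asserting on a property of the returned object (for example the aggregation metadata) would catch a deserialization regression that a non-null check does not. Minor: `-startTime` should be cased `-StartTime` to match `-EndTime`.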
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "208" ], + "x-ms-client-request-id": [ "1618b3e6-b413-4db4-917b-bff18620916a" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ], + "x-ms-request-id": [ "c541cfb6-9955-445d-adf0-05353e2da147" ], + "x-ms-correlation-request-id": [ "c541cfb6-9955-445d-adf0-05353e2da147" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:c541cfb6-9955-445d-adf0-05353e2da147" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "26515" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "209" ], + "x-ms-client-request-id": [ "09469cc9-e322-451c-bbc4-7fbc230b7978" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ], + "x-ms-request-id": [ "f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "x-ms-correlation-request-id": [ "f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "210" ], + "x-ms-client-request-id": [ "ef690bf8-1fe4-4e13-8a0d-d3020df2bab3" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ], + "x-ms-request-id": [ "f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "x-ms-correlation-request-id": [ "f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:21 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "211" ], + "x-ms-client-request-id": [ "cf47aa68-5549-4bbb-bed9-a700a6887532" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], + "x-ms-request-id": [ "48feafa1-bdb4-4686-897f-b966354d8091" ], + "x-ms-correlation-request-id": [ "48feafa1-bdb4-4686-897f-b966354d8091" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:48feafa1-bdb4-4686-897f-b966354d8091" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:21 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..424dd5256310 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncident' {
+ It 'List' {
+ $incidents = Get-AzSentinelincident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $incidents.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $incident = Get-AzSentinelincident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetincidentId
+ $incident.Name | Should -Be $env.GetincidentId
+ }
+
+ It 'GetViaIdentity' {
+ $incident = Get-AzSentinelincident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetincidentId
+ $incidentviaId = Get-AzSentinelincident -InputObject $incident
+ $incidentviaId.Name | Should -Be $env.GetincidentId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json
new file mode 100644
index 000000000000..d6ebd51b53ba
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json
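Review bot: The `while(-not $mockingPath)` loop in the setup block has no termination guard: if `HttpPipelineMocking.ps1` is not found under any ancestor, `Split-Path -Parent` eventually yields an empty path and the next `Get-ChildItem` call presumably fails with a parameter error that says nothing about the missing mocking script. A one-line guard inside the loop makes the failure explicit, e.g. `if ([string]::IsNullOrEmpty($currentPath)) { throw 'HttpPipelineMocking.ps1 not found above $PSScriptRoot' }` placed before the `Split-Path` line. As a point of style, the three `It` blocks call the cmdlet as `Get-AzSentinelincident` while the `Describe` name, the recording keys and the exported function use `Get-AzSentinelIncident`; PowerShell resolves it either way, but matching the exported name (`Get-AzSentinelIncident`) keeps the test greppable against the manifest and the recording file.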
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "212" ], + "x-ms-client-request-id": [ "d30beebf-7b72-4cd3-abad-11f13e973a35" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], + "x-ms-request-id": [ "ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "x-ms-correlation-request-id": [ "ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015941Z:ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "26515" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/alerts?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/alerts?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "213" ], + "x-ms-client-request-id": [ "6e6c449f-5e47-4b23-90c3-ee86ae7891a3" ], + "CommandName": [ "Get-AzSentinelIncidentAlert" ], + "FullCommandName": [ "Get-AzSentinelIncidentAlert_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "x-ms-correlation-request-id": [ "c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015941Z:c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "10322" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"name\":\"58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:23:43.455803Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:18:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:23:43.4558068Z\",\"providerAlertId\":\"62114603-97d6-4e81-aa88-9c046bdb6ffb\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:23:43.597Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"name\":\"65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:28:40.8799388Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:23:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:53:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:28:40.8799421Z\",\"providerAlertId\":\"8abf1a2b-486b-441e-9358-50d973e0e3c2\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:28:41.081Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/936b5422-dc31-6382-a81f-1daebd2c950d\",\"name\":\"936b5422-dc31-6382-a81f-1daebd2c950d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"936b5422-dc31-6382-a81f-1daebd2c950d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:33:40.9195282Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:28:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:58:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:33:40.9195312Z\",\"providerAlertId\":\"3979b3b4-491f-4d88-bf9e-9d4c87d19ed3\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:33:41.089Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/89785dc9-8d86-e3b6-5467-cebafeab044d\",\"name\":\"89785dc9-8d86-e3b6-5467-cebafeab044d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"89785dc9-8d86-e3b6-5467-cebafeab044d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:38:41.118344Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:33:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:03:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:38:41.1183474Z\",\"providerAlertId\":\"201f798f-b46b-4c26-9c21-e24082f5cf85\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:38:41.28Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/637c5319-a9f1-b241-662f-f9b19323150a\",\"name\":\"637c5319-a9f1-b241-662f-f9b19323150a\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"637c5319-a9f1-b241-662f-f9b19323150a\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:43:46.6351857Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:38:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:08:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:43:46.6351897Z\",\"providerAlertId\":\"c8375355-483a-4815-b9ad-ef06115266f0\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:43:46.778Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"name\":\"0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:48:43.7008681Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:13:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:48:43.7008712Z\",\"providerAlertId\":\"1af2d93d-fdc2-4c5b-9232-d5f601f6ac2a\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:48:43.904Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1
new file mode 100644
index 000000000000..597f3df05ae4
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentAlert'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentAlert.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentAlert' {
+ It 'List' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where {$_.Title -eq "Sign-ins from IPs that attempt sign-ins to disabled accounts"}
+ $incidentAlerts = Get-AzSentinelIncidentAlert -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $incident[0].Name
+ $incidentAlerts.Count | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json
new file mode 100644
index 000000000000..c98f9b7315c2
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json
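Review bot: `$incident[0].Name` in the 'List' test has no guard for the `Where` filter returning nothing, so when the titled incident is absent the test fails with a parameter-binding error on `-IncidentId` instead of a readable assertion; add `$incident | Should -Not -BeNullOrEmpty` before the `Get-AzSentinelIncidentAlert` call. The filter also uses the `Where` alias and the `-BeGreaterorEqual` spelling; `Where-Object` and `-BeGreaterOrEqual` match the script-analyzer and Pester conventions used for committed test scripts. `$TestRecordingFile` is assigned in the setup block but not read here; presumably `HttpPipelineMocking.ps1`, which is outside this hunk, consumes it, so a one-line comment such as `# consumed by HttpPipelineMocking.ps1 to replay the recorded HTTP session` would make the dependency visible.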
@@ -0,0 +1,43 @@
+{
+ "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/bookmarks?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "POST",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/bookmarks?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "214" ],
+ "x-ms-client-request-id": [ "49eeb730-e1fd-4563-865c-2e2e149f81ca" ],
+ "CommandName": [ "Get-AzSentinelIncidentBookmark" ],
+ "FullCommandName": [ "Get-AzSentinelIncidentBookmark_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-request-id": [ "20823661-e1ef-489f-86f5-d4a18d3fc683" ],
+ "x-ms-correlation-request-id": [ "20823661-e1ef-489f-86f5-d4a18d3fc683" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020003Z:20823661-e1ef-489f-86f5-d4a18d3fc683" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:02 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "1148" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"name\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameib8ohc\",\"created\":\"2021-12-12T01:48:35.4604989+00:00\",\"updated\":\"2021-12-12T01:48:35.4604989+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"6b0223c7-0000-0100-0000-61b554f40000\\\"\",\"EntityId\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\"},\"friendlyName\":\"GetincidentRelationBookmarkNameib8ohc\"}}]}",
+ "isContentBase64": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1
new file mode 100644
index 000000000000..ec7805e91098
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1
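Review bot: The `createdBy`/`updatedBy` objects in the recorded response body carry the recording user's e-mail, display name and AAD object id, while the request-side `Authorization` header has already been replaced by `[Filtered]`; the sanitizer that strips the token should redact these identity fields the same way before the recording is committed, since mock playback presumably does not depend on their real values. The same `objectId`/`email`/`userPrincipalName` triple appears in the `author` object of both responses in Get-AzSentinelIncidentComment.Recording.json in this diff. The subscription id and resource-group/workspace names in the request URIs are a lesser concern but could be mapped to placeholders by the same pass.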
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentBookmark' {
+ It 'List' {
+ $incidentBookmarks = Get-AzSentinelIncidentBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId
+ $incidentBookmarks.Count | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..7e19c23f469b
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json
@@ -0,0 +1,84 @@
+{
+ "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "215" ],
+ "x-ms-client-request-id": [ "e78c0393-ce99-4aa0-853a-84fe18c3b571" ],
+ "CommandName": [ "Get-AzSentinelincidentComment" ],
+ "FullCommandName": [ "Get-AzSentinelIncidentComment_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ],
+ "x-ms-request-id": [ "4f874d63-7966-47c9-bdd2-bafaa659e669" ],
+ "x-ms-correlation-request-id": [ "4f874d63-7966-47c9-bdd2-bafaa659e669" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020024Z:4f874d63-7966-47c9-bdd2-bafaa659e669" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:23 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "801" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/Comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"name\":\"1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"etag\":\"\\\"3c00dd5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment48q5k9\",\"createdTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}]}",
+ "isContentBase64": false
+ }
+ },
+ "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "216" ],
+ "x-ms-client-request-id": [ "6302306a-1456-4455-8ef3-3fc6284ddd0c" ],
+ "CommandName": [ "Get-AzSentinelincidentComment" ],
+ "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ],
+ "ParameterSetName": [ 
"__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ],
+ "x-ms-request-id": [ "634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ],
+ "x-ms-correlation-request-id": [ "634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020024Z:634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:23 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "789" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/Comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"name\":\"1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"etag\":\"\\\"3c00dd5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment48q5k9\",\"createdTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}",
+ "isContentBase64": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1
new file mode 100644
index 000000000000..df8b2644ab85
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentComment' {
+ It 'List' {
+ $incidentComments = Get-AzSentinelincidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentCommentIncidentId
+ $incidentComments.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $incidentComment = Get-AzSentinelincidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentCommentIncidentId -Id $env.GetincidentCommentId
+ $incidentComment.Name | Should -Be $env.GetincidentCommentId
+ }
+
+ It 'GetViaIdentity' -skip {
+ $incidentComment = Get-AzSentinelincidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentCommentIncidentId -Id $env.GetincidentCommentId
+ $incidentCommentViaId = Get-AzSentinelincident -InputObject $incidentComment
+ $incidentCommentViaId.Name | Should -Be $env.GetincidentCommentId
+ }
+}
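Review bot: The skipped 'GetViaIdentity' test feeds the comment object to `Get-AzSentinelincident -InputObject $incidentComment`, i.e. the incident cmdlet instead of the comment cmdlet, so the test would fail for the wrong reason as soon as `-skip` is removed; the line should read `$incidentCommentViaId = Get-AzSentinelIncidentComment -InputObject $incidentComment`. If the skip is deliberate because identity input is not yet supported for comments, a one-line comment on the `It` saying so would save the next reader the investigation. Separately, all three tests invoke `Get-AzSentinelincidentComment` with a lower-case `incident` while the `Describe` block names `Get-AzSentinelIncidentComment`; PowerShell resolves the name case-insensitively, but the spelling also ends up in the recorded `CommandName` header and makes the tests harder to grep, so it is worth normalising.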
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
new file mode 100644
index 000000000000..caabcbc362a4
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
@@ -0,0 +1,84 @@
+{
+ "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "217" ],
+ "x-ms-client-request-id": [ "b70ee8b3-92d6-4fca-a293-3eafc9df299b" ],
+ "CommandName": [ "Get-AzSentinelIncident" ],
+ "FullCommandName": [ "Get-AzSentinelIncident_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ],
+ "x-ms-request-id": [ "e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ],
+ "x-ms-correlation-request-id": [ "e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020046Z:e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:45 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "26515" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/entities?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "218" ], + "x-ms-client-request-id": [ "ba327d30-bb62-4d6d-8a53-18c62d38ac74" ], + "CommandName": [ "Get-AzSentinelIncidentEntity" ], + "FullCommandName": [ "Get-AzSentinelIncidentEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "x-ms-correlation-request-id": [ "6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020047Z:6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:00:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "471" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"entities\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}",
+ "isContentBase64": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1
new file mode 100644
index 000000000000..a33c83a57d01
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentEntity'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentEntity.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentEntity' {
+ It 'List' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where {$_.Title -eq "Sign-ins from IPs that attempt sign-ins to disabled accounts"}
+ $incidentEntity = Get-AzSentinelIncidentEntity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $incident.Name
+ $incidentEntity | Should -Not -Be $null
+ }
+}
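Review bot: The `It 'List'` block locates its incident by filtering `Get-AzSentinelIncident` on the literal title "Sign-ins from IPs that attempt sign-ins to disabled accounts", so the test silently depends on that analytic rule having fired in the workspace; when nothing matches, `$incident.Name` is `$null` and `-IncidentId` fails on parameter binding instead of reporting what is missing. The sibling Get-AzSentinelIncidentRelation test takes its incident id from `$env` (`$env.GetincidentRelationIncidentId`); this test could do the same, or at least assert `$incident | Should -Not -BeNullOrEmpty` before calling Get-AzSentinelIncidentEntity. The final check would also be stronger as `$incidentEntity | Should -Not -BeNullOrEmpty`, which additionally fails on an empty result, and `Where-Object` is preferable to the `Where` alias in committed scripts.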
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..4427cd11cf34
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "219" ], + "x-ms-client-request-id": [ "543939f3-469d-45b7-94e2-442b3b121f93" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "x-ms-correlation-request-id": [ "220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020108Z:220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "840" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "220" ], + "x-ms-client-request-id": [ "d1b7e789-6b33-473d-865e-c57bbba761b7" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + 
"ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "x-ms-correlation-request-id": [ "6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020108Z:6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "221" ], + "x-ms-client-request-id": [ "2dc9a5c1-f9ed-4c1d-9f26-d97477d427e7" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "x-ms-correlation-request-id": [ "dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020109Z:dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": 
[ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "222" ], + "x-ms-client-request-id": [ "5130bf8f-1387-4aa0-9792-07f416857f49" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ 
"Get-AzSentinelIncidentRelation_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "x-ms-correlation-request-id": [ "ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020109Z:ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1
new file mode 100644
index 000000000000..e24c90c95f9c
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentRelation' {
+ It 'List' {
+ $incidentRelations = Get-AzSentinelincidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId
+ $incidentRelations.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $incidentRelation = Get-AzSentinelincidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId -RelationName $env.GetincidentRelationId
+ $incidentRelation.Name | Should -Be $env.GetincidentRelationId
+ }
+
+ It 'GetViaIdentity' {
+ $incidentRelation = Get-AzSentinelincidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId -RelationName $env.GetincidentRelationId
+ $incidentRelationViaIdentity = Get-AzSentinelincidentRelation -InputObject $incidentRelation
+ $incidentRelationViaIdentity.Name | Should -Be $env.GetincidentRelationId
+ }
+}
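Review bot: All four cmdlet invocations in the `It` blocks spell the command `Get-AzSentinelincidentRelation` (lowercase `incident`), which does not match the `Describe` name or the `Get-AzSentinelIncidentRelation_List` FullCommandName the recording captures; PowerShell resolves it case-insensitively, but the misspelling is persisted verbatim as `CommandName` in the recording and makes a search for the cmdlet miss these tests. Use the canonical name, e.g. `$incidentRelations = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId`. The `List` assertion `$incidentRelations.Count | Should -BeGreaterorEqual 1` could be written as `$incidentRelations | Should -Not -BeNullOrEmpty`, which reads more directly and avoids the non-standard casing of `-BeGreaterOrEqual`.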
diff --git a/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json
new file mode 100644
index 000000000000..29cf397dd2d9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "223" ], + "x-ms-client-request-id": [ "7dd14f19-3c79-40e6-a9e1-2efdc697dc80" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ], + "x-ms-request-id": [ "f6e0872f-3306-4826-a2e1-384ec749455e" ], + "x-ms-correlation-request-id": [ "f6e0872f-3306-4826-a2e1-384ec749455e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:f6e0872f-3306-4826-a2e1-384ec749455e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2675" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "224" ], + "x-ms-client-request-id": [ "12cf9fc0-accc-40b9-917d-fc64e2a26fe8" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ], + "x-ms-request-id": [ "a8a30997-baec-41f5-bd47-d2b2535f0e21" ], + "x-ms-correlation-request-id": [ "a8a30997-baec-41f5-bd47-d2b2535f0e21" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:a8a30997-baec-41f5-bd47-d2b2535f0e21" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2663" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "225" ], + "x-ms-client-request-id": [ "36630d0d-af71-425a-8b20-fa0e83c2c13d" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ], + "x-ms-request-id": [ "24ade85f-3414-43e9-8634-292b32ca4f5d" ], + "x-ms-correlation-request-id": [ "24ade85f-3414-43e9-8634-292b32ca4f5d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:24ade85f-3414-43e9-8634-292b32ca4f5d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2663" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "226" ], + "x-ms-client-request-id": [ "498626d9-5833-4d56-8ac9-8d31747f7b08" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ], + "x-ms-request-id": [ "48113ccf-2d4e-4d65-8083-daa784e033b2" ], + "x-ms-correlation-request-id": [ "48113ccf-2d4e-4d65-8083-daa784e033b2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:48113ccf-2d4e-4d65-8083-daa784e033b2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2663" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1
new file mode 100644
index 000000000000..b167c4c20ad9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelMetadata'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelMetadata.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelMetadata' {
+ It 'List' {
+ $metadatas = Get-AzSentinelMetadata -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $metadatas.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $metadata = Get-AzSentinelMetadata -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name $env.metadataName
+ $metadata.Name | Should -Be $env.metadataName
+ }
+
+ It 'GetViaIdentity' {
+ $metadata = Get-AzSentinelMetadata -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -name $env.metadataName
+ $metadataViaIdentity = Get-AzSentinelMetadata -InputObject $metadata
+ $metadataViaIdentity.Name | Should -Be $env.metadataName
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1
new file mode 100644
index 000000000000..ddac0d153d4a
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1
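Review bot: The recording this test replays (Get-AzSentinelMetadata.Recording.json, the previous hunk) keeps the recording user's UPN in the `createdBy`/`lastModifiedBy` fields of every response body, while only the `Authorization` header was sanitised to `[Filtered]`. The playback key visible in that file appears to be built from command, test name, method, URL and a counter rather than from the body, so those identity values are not needed for the mock to match and can be scrubbed to a placeholder (e.g. `user@example.com`) before the fixture is committed to a public repository. Separately, the GetViaIdentity case passes `-name $env.metadataName` where the Get case uses `-Name`; same parameter, keep one spelling.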
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelOfficeConsent'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelOfficeConsent.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelOfficeConsent' {
+ It 'List' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Get' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'GetViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
new file mode 100644
index 000000000000..ba421bec4e80
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
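Review bot: All three cases are `-skip` placeholders carrying the scaffold body `{ throw [System.NotImplementedException] } | Should -Not -Throw`, so the file adds no executed coverage for Get-AzSentinelOfficeConsent, and the preamble still points `$TestRecordingFile` at a Get-AzSentinelOfficeConsent.Recording.json that this chunk does not show being added. Nothing in the file says why the cmdlet is not exercised; a comment above the Describe such as `# Cases skipped: no recording for Get-AzSentinelOfficeConsent yet; replace the placeholder bodies once one is available` keeps the skips from reading as an oversight in the next review.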
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "227" ], + "x-ms-client-request-id": [ "f8b5c201-6908-4a89-9cdb-38b731b3ed50" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "11" ], + "x-ms-request-id": [ "21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "x-ms-correlation-request-id": [ "21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020214Z:21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "331" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "228" ], + "x-ms-client-request-id": [ "c3004244-1407-42db-99d3-d644bf0b6cbd" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "10" ], + "x-ms-request-id": [ "c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "x-ms-correlation-request-id": [ "c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "Strict-Transport-Security": [ "max-age=31536000; 
includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "319" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "isContentBase64": false + } + }, + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "229" ], + "x-ms-client-request-id": [ "b3c157ba-e1de-428d-b56a-fa42997984bf" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "9" ], + "x-ms-request-id": [ 
"8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "x-ms-correlation-request-id": [ "8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "319" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "isContentBase64": false + } + }, + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "230" ], + "x-ms-client-request-id": [ "8cb0dc3e-413d-45fc-9e44-61e1c76c245a" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" 
] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "8" ], + "x-ms-request-id": [ "81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "x-ms-correlation-request-id": [ "81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:15 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "319" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 new file mode 100644 index 000000000000..2eafee9039ce --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelOnboardingState'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelOnboardingState.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelOnboardingState' {
+ It 'List' {
+ $onboardingStates = Get-AzSentinelonboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $onboardingStates.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $onboardingState = Get-AzSentinelonboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name "default"
+ $onboardingState.Name | Should -Be "default"
+ }
+
+ It 'GetViaIdentity' {
+ $onboardingState = Get-AzSentinelonboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name "default"
+ $onboardingStateViaId = Get-AzSentinelonboardingState -InputObject $onboardingState
+ $onboardingStateViaId.Name | Should -Be "default"
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json
new file mode 100644
index 000000000000..6e0f0902468e
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json
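Review bot: The `while(-not $mockingPath)` loop has no exit when `HttpPipelineMocking.ps1` is never found — once `Split-Path` reaches the root it appears to return an empty path, `Get-ChildItem` then fails on every iteration without ever setting `$mockingPath`, and the test file hangs instead of failing. The search also recurses into every ancestor directory and dot-sources the first file of that name found anywhere above the test folder, which is not necessarily this repository's copy; failing fast bounds both problems, e.g. `if (-not $currentPath) { throw 'HttpPipelineMocking.ps1 not found above $PSScriptRoot' }` as the first statement of the loop body. The same scaffolding is repeated in Get-AzSentinelSetting.Tests.ps1, Get-AzSentinelSourceControl.Tests.ps1, Get-AzSentinelSourceControlRepository.Tests.ps1, Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1, Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1 and Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1 in this commit. As a style point, `Get-AzSentinelonboardingState` resolves only because cmdlet lookup is case-insensitive; it should be spelled `Get-AzSentinelOnboardingState` to match the Describe block and the exported name.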
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "231" ], + "x-ms-client-request-id": [ "19eb3922-a3ee-46a7-8ef5-4ece366d0ea2" ], + "CommandName": [ "Get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], + "x-ms-request-id": [ "79611318-1db6-4131-869d-d09447af501c" ], + "x-ms-correlation-request-id": [ "79611318-1db6-4131-869d-d09447af501c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020236Z:79611318-1db6-4131-869d-d09447af501c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:36 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1178" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"8501b258-0000-0300-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": 
{ + "x-ms-unique-id": [ "232" ], + "x-ms-client-request-id": [ "9691a5fd-cc67-4d7e-b1f7-caaeeae13eb0" ], + "CommandName": [ "Get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], + "x-ms-request-id": [ "55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "x-ms-correlation-request-id": [ "55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020236Z:55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:36 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "392" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"8501b258-0000-0300-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 new file mode 100644 index 000000000000..82088d92754a --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelSetting'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelSetting.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelSetting' {
+ It 'List' {
+ $settings = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $settings.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName "Anomalies"
+ $setting.Name | Should -Be "Anomalies"
+ }
+
+ It 'GetViaIdentity' -skip {
+ $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName "Anomalies"
+ $settingViaId = Get-AzSentinelonboardingState -InputObject $setting
+ $settingViaId.Name | Should -Be "Anomalies"
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1
new file mode 100644
index 000000000000..6acde93eee67
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1
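Review bot: The skipped `GetViaIdentity` case calls the wrong cmdlet — `$settingViaId = Get-AzSentinelonboardingState -InputObject $setting` hands a settings object to the onboarding-state cmdlet, so removing the `-skip` would fail (or query the wrong resource) rather than exercise the identity parameter set of `Get-AzSentinelSetting`. It should read `$settingViaId = Get-AzSentinelSetting -InputObject $setting`. The recording added for this file holds only the List and Get calls, so un-skipping also requires a re-record. The same copy-paste is in the `GetViaIdentity` case of Get-AzSentinelSourceControl.Tests.ps1.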
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelSourceControl'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelSourceControl.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelSourceControl' {
+ It 'List' -skip {
+ $sourceControls = Get-AzSentinelsourceControl -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $sourceControls.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' -skip {
+ $sourceControl = Get-AzSentinelsourceControl -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetsourceControlId
+ $sourceControl.Name | Should -Be $env.GetsourceControlId
+ }
+
+ It 'GetViaIdentity' -skip {
+ $sourceControl = Get-AzSentinelsourceControl -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetsourceControlId
+ $sourceControlViaId = $sourceControl | Get-AzSentinelonboardingState
+ $sourceControlViaId.Name | Should -Be $env.GetsourceControlId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1
new file mode 100644
index 000000000000..855ce433ef3a
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1
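Review bot: All three cases in this file are `-skip`ped and no `Get-AzSentinelSourceControl.Recording.json` accompanies them in this commit, so the file adds no coverage and nothing says why. Two latent defects are hidden by the skips: `GetViaIdentity` pipes the object into `Get-AzSentinelonboardingState` instead of the cmdlet under test, and `Get` asserts `$sourceControl.Name | Should -Be $env.GetsourceControlId`, which only holds if the resource name is the id. Either record the calls or put the reason on the Describe block, e.g. `# Skipped: no recording yet — <reason / tracking item>`, so the next reader does not take this for a passing suite.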
@@ -0,0 +1,21 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelSourceControlRepository'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelSourceControlRepository.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelSourceControlRepository' {
+ It 'List' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json
new file mode 100644
index 000000000000..264f33201f42
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json
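Review bot: The only case for `Get-AzSentinelSourceControlRepository` is a skipped placeholder, `{ throw [System.NotImplementedException] } | Should -Not -Throw`, which is written to fail the moment the `-skip` is dropped, and no recording for it is part of this commit. The same placeholder pattern is used for both cases in Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1. A one-line comment above the `It`, e.g. `# TODO(<owner>): record a real List call; skipped because <reason>`, would make the gap deliberate rather than something that looks forgotten.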
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "233" ], + "x-ms-client-request-id": [ "b28d579b-2e72-4762-ac11-e87bf2eef599" ], + "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], + "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], + "x-ms-request-id": [ "570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "x-ms-correlation-request-id": [ "570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020340Z:570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:03:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "4753" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/e43bf713-da7f-8329-80bb-e1556c70abdd\",\"name\":\"e43bf713-da7f-8329-80bb-e1556c70abdd\",\"etag\":\"\\\"00004c9d-0000-0200-0000-61b555c10000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:49.8349782Z\",\"externalId\":\"indicator--1a8e6023-38be-4bf1-92a9-d0f8bff496f3\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:49.8423586Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorol6dht\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"name\":\"857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"etag\":\"\\\"00004a9d-0000-0200-0000-61b555b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.9401782Z\",\"externalId\":\"indicator--2310bb8d-83b8-4d07-b46a-082da3184294\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.9404217Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator9tg8p7\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value 
= \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"name\":\"b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"etag\":\"\\\"0000459d-0000-0200-0000-61b555b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.0131394Z\",\"externalId\":\"indicator--01627cbb-77f2-4832-9dbe-9c3cf232ddef\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.0976111Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatornqcsd9\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"name\":\"ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"etag\":\"\\\"0000429d-0000-0200-0000-61b555b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:46.6007607Z\",\"externalId\":\"indicator--f7049b64-f651-4bd5-8324-3d13dc40ebc7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:46.8679787Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorows6tu\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/711bdb9e-2ecc-abba-d962-171ce4710199?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/711bdb9e-2ecc-abba-d962-171ce4710199?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "234" ], + "x-ms-client-request-id": [ "1ac48501-1464-4138-ab5f-1d5687f396d5" ], + "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], + "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], + "x-ms-request-id": [ "694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "x-ms-correlation-request-id": [ "694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020340Z:694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:03:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "943" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 new file mode 100644 index 000000000000..386a11e058d1 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelThreatIntelligenceIndicator'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelThreatIntelligenceIndicator.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelThreatIntelligenceIndicator' {
+ It 'List' {
+ $threatIntelligenceIndicators = Get-AzSentinelthreatIntelligenceIndicator -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $threatIntelligenceIndicators.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $threatIntelligenceIndicator = Get-AzSentinelthreatIntelligenceIndicator -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name $env.GetthreatIntelligenceIndicatorId
+ $threatIntelligenceIndicator.Name | Should -Be $env.GetthreatIntelligenceIndicatorId
+ }
+
+ It 'GetViaIdentity' -skip {
+ $threatIntelligenceIndicator = Get-AzSentinelthreatIntelligenceIndicator -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name $env.GetthreatIntelligenceIndicatorId
+ $threatIntelligenceIndicatorViaId = Get-AzSentinelthreatIntelligenceIndicator -InputObject $threatIntelligenceIndicator
+ $threatIntelligenceIndicatorViaId.Name | Should -Be $env.GetthreatIntelligenceIndicatorId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json
new file mode 100644
index 000000000000..36cdc113d0c9
--- /dev/null
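Review bot: `GetViaIdentity` is marked `-skip` with no stated reason even though, unlike the Setting and SourceControl files, it calls the correct cmdlet and builds its input from the same `Get` call that runs and is recorded; the `-InputObject` parameter set of `Get-AzSentinelThreatIntelligenceIndicator` is therefore the one path this file leaves untested. If the skip exists because the recording captures only the List and Get calls, say so on the `It` line, e.g. `# skipped: GetViaIdentity not yet in Get-AzSentinelThreatIntelligenceIndicator.Recording.json`, or re-record with the case enabled.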
+++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json 
@@ -0,0 +1,43 @@ +{ + "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "235" ], + "x-ms-client-request-id": [ "13903039-a3c7-45c0-87bf-f121e21932a0" ], + "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicatorMetric" ], + "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicatorMetric_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], + "x-ms-request-id": [ "ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "x-ms-correlation-request-id": [ "ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020401Z:ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:01 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "275" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2021-12-12T02:04:01.6827262Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Azure Sentinel\",\"metricValue\":5}]}}]}",
+ "isContentBase64": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1
new file mode 100644
index 000000000000..b325b344ee1e
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelThreatIntelligenceIndicatorMetric'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelThreatIntelligenceIndicatorMetric' {
+ It 'List' {
+ $threatIntelligenceIndicatorMetrics = Get-AzSentinelthreatIntelligenceIndicatorMetric -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $threatIntelligenceIndicatorMetrics | Should -Not -BeNullOrEmpty
+ }
+}
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1
new file mode 100644
index 000000000000..33cc9de276a4
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelDataConnectorCheckRequirement'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorCheckRequirement.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Invoke-AzSentinelDataConnectorCheckRequirement' {
+ It 'AADTenant' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'AzureSecurityCenter' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json
new file mode 100644
index 000000000000..ac4d88f5b1c8
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json
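Review bot: The recording path set here, `Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorCheckRequirement.Recording.json'`, does not match the recording file this commit adds immediately after it, `Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json` (extra `s`), whose entry keys are likewise prefixed `Invoke-AzSentinelDataConnectorsCheckRequirement+…`, so in playback mode this file would never find its recorded responses. The mismatch is invisible today only because both cases are `-skip`ped placeholders. Pick one name and use it for the test file, `$TestRecordingFile` and the recording keys, so that whichever cmdlet the recorded `Custom_AzureSecurityCenter` and `Custom_AzureActiveDirectory` POSTs belong to actually has a test that replays them.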
@@ -0,0 +1,434 @@ +{ + "Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureSecurityCenter+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"AzureSecurityCenter\",\n \"properties\": {\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], + "x-ms-request-id": [ "067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], + "x-ms-correlation-request-id": [ "067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020424Z:067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureActiveDirectory+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"AzureActiveDirectory\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "114" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], + "x-ms-request-id": [ "31d44d8e-f917-453c-94f7-8084bf96b0b9" ], + "x-ms-correlation-request-id": [ "31d44d8e-f917-453c-94f7-8084bf96b0b9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020424Z:31d44d8e-f917-453c-94f7-8084bf96b0b9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureAdvancedThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"AzureAdvancedThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "123" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], + "x-ms-request-id": [ "a0ffb256-0622-4b9d-851d-104c022195d7" ], + "x-ms-correlation-request-id": [ "a0ffb256-0622-4b9d-851d-104c022195d7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020425Z:a0ffb256-0622-4b9d-851d-104c022195d7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_Dynamics365+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Dynamics365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "105" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], + "x-ms-request-id": [ "00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], + "x-ms-correlation-request-id": [ "00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020425Z:00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftCloudAppSecurity+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], + "x-ms-request-id": [ "d259aace-10bd-4183-a041-cce090f09496" ], + "x-ms-correlation-request-id": [ "d259aace-10bd-4183-a041-cce090f09496" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:d259aace-10bd-4183-a041-cce090f09496" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftDefenderAdvancedThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftDefenderAdvancedThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "135" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], + "x-ms-request-id": [ "d0278114-9296-43b6-a2bc-8342394a3f83" ], + "x-ms-correlation-request-id": [ "d0278114-9296-43b6-a2bc-8342394a3f83" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:d0278114-9296-43b6-a2bc-8342394a3f83" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftThreatIntelligence+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "121" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], + "x-ms-request-id": [ "635f1a34-5786-42ff-81a9-678b7a1637d0" ], + "x-ms-correlation-request-id": [ "635f1a34-5786-42ff-81a9-678b7a1637d0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:635f1a34-5786-42ff-81a9-678b7a1637d0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], + "x-ms-request-id": [ "29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], + "x-ms-correlation-request-id": [ "29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020427Z:29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_OfficeATP+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"OfficeATP\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "103" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1191" ], + "x-ms-request-id": [ "46f168bf-2db7-4ec3-b817-7e6ff0011250" ], + "x-ms-correlation-request-id": [ "46f168bf-2db7-4ec3-b817-7e6ff0011250" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:46f168bf-2db7-4ec3-b817-7e6ff0011250" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_OfficeIRM+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"OfficeIRM\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "103" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], + "x-ms-request-id": [ "f98dc21c-eb87-4827-834b-ec49e690671b" ], + "x-ms-correlation-request-id": [ "f98dc21c-eb87-4827-834b-ec49e690671b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:f98dc21c-eb87-4827-834b-ec49e690671b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_ThreatIntelligence+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"ThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "112" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], + "x-ms-request-id": [ "dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], + "x-ms-correlation-request-id": [ "dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_ThreatIntelligenceTaxii+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"ThreatIntelligenceTaxii\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "117" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1188" ], + "x-ms-request-id": [ "1f027955-e01b-400d-8018-f815fc1e5710" ], + "x-ms-correlation-request-id": [ "1f027955-e01b-400d-8018-f815fc1e5710" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020429Z:1f027955-e01b-400d-8018-f815fc1e5710" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1
new file mode 100644
index 000000000000..b44ad970e8b9
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1
@@ -0,0 +1,77 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelDataConnectorsCheckRequirement'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Invoke-AzSentinelDataConnectorsCheckRequirement' {
+ It 'Custom_AzureSecurityCenter' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureSecurityCenter -ASCSubscriptionId $env.SubscriptionId
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_AzureActiveDirectory' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureActiveDirectory -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_AzureAdvancedThreatProtection' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureAdvancedThreatProtection -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_Dynamics365' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind Dynamics365 -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftCloudAppSecurity' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName 
-Kind MicrosoftCloudAppSecurity -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftDefenderAdvancedThreatProtection' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftDefenderAdvancedThreatProtection -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftThreatIntelligence' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftThreatIntelligence -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftThreatProtection' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftThreatProtection -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_OfficeATP' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind OfficeATP -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_OfficeIRM' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind OfficeIRM -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_ThreatIntelligence' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind ThreatIntelligence -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_ThreatIntelligenceTaxii' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind ThreatIntelligenceTaxii -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+}
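Review bot: Every case in this Describe block ends with `$result | Should -Not -Be $null`, which passes for any non-null output and never checks what the requirement check actually reported; the recorded responses for all twelve kinds carry `authorizationState` and `licenseState`, so each case should pin those, e.g. `$result.AuthorizationState | Should -Be 'Valid'` and `$result.LicenseState | Should -Be 'Valid'` (property names assumed from the generated output model — confirm against the cmdlet's output type). `-Not -Be $null` is also not the Pester idiom; `Should -Not -BeNullOrEmpty`, which Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1 in this same commit already uses, reads better and also rejects an empty result stream, and the same `-Not -Be $null` pattern appears in Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1. Minor: `$env.workspaceName` is lowercase while `$env.ResourceGroupName` and `$env.SubscriptionId` on the same line are PascalCase; PowerShell resolves the property either way, but the mixed casing reads as a typo and should match the loadEnv definition.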
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json
new file mode 100644
index 000000000000..bc429ea06f43
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json
@@ -0,0 +1,38 @@ +{ + "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", + "Content": "{\n \"pageSize\": 10,\n \"includeDisabled\": true\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "47" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11939" ], + "x-ms-request-id": [ "6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "x-ms-correlation-request-id": [ "6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020450Z:6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:50 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "4753" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/e43bf713-da7f-8329-80bb-e1556c70abdd\",\"name\":\"e43bf713-da7f-8329-80bb-e1556c70abdd\",\"etag\":\"\\\"00004c9d-0000-0200-0000-61b555c10000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:49.8349782Z\",\"externalId\":\"indicator--1a8e6023-38be-4bf1-92a9-d0f8bff496f3\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:49.8423586Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorol6dht\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"name\":\"857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"etag\":\"\\\"00004a9d-0000-0200-0000-61b555b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.9401782Z\",\"externalId\":\"indicator--2310bb8d-83b8-4d07-b46a-082da3184294\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.9404217Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator9tg8p7\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value 
= \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"name\":\"b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"etag\":\"\\\"0000459d-0000-0200-0000-61b555b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.0131394Z\",\"externalId\":\"indicator--01627cbb-77f2-4832-9dbe-9c3cf232ddef\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.0976111Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatornqcsd9\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"name\":\"ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"etag\":\"\\\"0000429d-0000-0200-0000-61b555b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:46.6007607Z\",\"externalId\":\"indicator--f7049b64-f651-4bd5-8324-3d13dc40ebc7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:46.8679787Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorows6tu\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 new file mode 100644 index 000000000000..40de278493a0 --- /dev/null +++ b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery' {
+ It 'QueryExpanded' {
+ $threatIntelligenceIndicators = Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.WorkspaceName -IncludeDisabled -PageSize 10
+ $threatIntelligenceIndicators | Should -Not -Be $null
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..721e709eb8ad
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json
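Review bot: The only assertion, `$threatIntelligenceIndicators | Should -Not -Be $null`, does not check that `-PageSize 10` or `-IncludeDisabled` had any effect, so a regression that ignored either switch would still pass. The recorded response for this query returns indicator resources with `"kind":"indicator"`, so the test can pin something concrete: `$threatIntelligenceIndicators.Count | Should -BeLessOrEqual 10` and `$threatIntelligenceIndicators[0].Kind | Should -Be 'indicator'`. The `Kind` property name is inferred from the response body and should be confirmed against the cmdlet's output model. Minor: this file spells `$env.ResourceGroupName`/`$env.WorkspaceName` while the sibling tests use the lower-camel form; PowerShell does not care, but one spelling is easier to grep.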
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "621" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], + "x-ms-request-id": [ "83a95078-452b-4182-bc87-232dfeea8d3f" ], + "x-ms-correlation-request-id": [ "83a95078-452b-4182-bc87-232dfeea8d3f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020513Z:83a95078-452b-4182-bc87-232dfeea8d3f" ], + "Strict-Transport-Security": [ 
"max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1047" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633\",\"name\":\"5147f709-f401-4e34-865c-e348fcfdf633\",\"etag\":\"\\\"930033c9-0000-0100-0000-61b558d80000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":true,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:05:12.5081355Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 new file mode 100644 index 000000000000..e2ad07c21c56 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 
@@ -0,0 +1,24 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelAlertRule' {
+ It 'CreateExpanded' {
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Kind Scheduled -Disabled -Query 'SecurityEvent | take 1' -DisplayName "NewAlertRulePSTest" -Severity Informational `
+ -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1
+ $alertRule.DisplayName | Should -Be "NewAlertRulePSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..63d58aca0652
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
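Review bot: The test passes `-Disabled`, yet the request body captured in the accompanying New-AzSentinelAlertRule.Recording.json contains `"enabled": true`, so either the switch is not propagated into the PUT payload or the recording was taken with a different invocation; asserting only on `DisplayName` cannot tell the two apart. Add `$alertRule.Enabled | Should -Be $false` (assuming the output model surfaces the `enabled` property as `Enabled`) so the test fails when a rule requested as disabled is created live — an analytic rule silently going active is exactly the regression this test should catch. The same `-Disabled` call with an `"enabled": true` recording appears in the New-AzSentinelAlertRuleAction test further down.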
@@ -0,0 +1,74 @@ +{ + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "621" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], + "x-ms-request-id": [ "d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "x-ms-correlation-request-id": [ "d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020534Z:d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "Strict-Transport-Security": [ 
"max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1047" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69\",\"name\":\"973adaf2-4d97-4f62-af62-b19edbf22e69\",\"etag\":\"\\\"9300f3cc-0000-0100-0000-61b558ee0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":true,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:05:33.9989938Z\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": \"https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "551" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "x-ms-correlation-request-id": [ "8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020535Z:8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:34 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "610" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038\",\"name\":\"e9a08151-4f8b-43ae-9199-2c0df1ce9038\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..d44be2f4904b --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelAlertRuleAction' {
+ It 'CreateExpanded' {
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Kind Scheduled -Disabled -Query "SecurityEvent | take 1" -DisplayName "NewAlertRulePSTest" -Severity Informational `
+ -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1
+ $alertRuleAction = New-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) -ResourceGroupName $env.ResourceGroupName `
+ -RuleId ($alertRule.Name) -WorkspaceName $env.workspaceName -LogicAppResourceId $env.Playbook1LogicAppResourceId `
+ -TriggerUri $env.Playbook1TriggerUrl
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..b52dd85f383d
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
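Review bot: `-TriggerUri $env.Playbook1TriggerUrl` is sent verbatim, and the accompanying New-AzSentinelAlertRuleAction.Recording.json stores the full Logic App callback URL including its `sig=` SAS query parameter; that signature is what authorises invoking the workflow, so committing the recording publishes a working trigger secret. The recording should be sanitised before it lands (replace the `sig` value with a placeholder such as `sig=REDACTED`) and, because it is already in the commit, the affected workflow's access key should be regenerated on the service side. If the recording harness offers a response/request sanitiser hook, register the `sig` parameter there so every future re-record is clean rather than relying on manual edits.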
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRulePSTest\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "585" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "x-ms-correlation-request-id": [ "b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020558Z:b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + 
"X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800\",\"name\":\"9612d8a8-8eef-4188-b4d3-11b66bfc0800\",\"etag\":\"\\\"79004be5-0000-0100-0000-61b559060000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRulePSTest\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:05:58Z\",\"createdTimeUtc\":\"2021-12-12T02:05:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..b5be0e04d2a6 --- /dev/null 
+++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelAutomationRule' {
+ It 'CreateExpanded' {
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook2LogicAppResourceId
+ $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
+ $automationRule = New-AzSentinelAutomationRule -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -Action $automationRuleAction -DisplayName "NewAutomationRulePSTest" -Order 2 `
+ -TriggeringLogicIsEnabled
+ $automationRule.DisplayName | Should -Be "NewAutomationRulePSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..3e6bf985d937
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
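Review bot: The test builds a `RunPlaybook` action with a logic app and tenant id but then asserts only on `DisplayName`, so a regression that dropped or mangled the `-Action` payload would pass; the recorded response does echo the action back with its `logicAppResourceId`, so it can be pinned, e.g. `$automationRule.Action.Count | Should -Be 1` and `$automationRule.Action[0].ActionConfigurationLogicAppResourceId | Should -Be $env.Playbook2LogicAppResourceId` (property names inferred from the parameter and model naming; confirm against the output type). The response captured in New-AzSentinelAutomationRule.Recording.json also carries the recording user's e-mail and UPN in `createdBy`/`lastModifiedBy`; if the harness supports it, those fields are worth scrubbing before commit.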
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkPSTest\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2021-12-12T02:06:29.0674151Z\",\n \"queryStartTime\": \"2021-12-11T02:06:29.0660871Z\",\n \"queryEndTime\": \"2021-12-12T02:06:29.0666390Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "258" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], + "x-ms-request-id": [ "607f3836-8646-408b-aa27-0348a676b88e" ], + "x-ms-correlation-request-id": [ "607f3836-8646-408b-aa27-0348a676b88e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020620Z:607f3836-8646-408b-aa27-0348a676b88e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1074" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d\",\"name\":\"aa863e57-e1ec-45cf-a4d9-1db1a64a354d\",\"etag\":\"\\\"6b02b4e0-0000-0100-0000-61b5591c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkPSTest\",\"created\":\"2021-12-12T02:06:20.7338899+00:00\",\"updated\":\"2021-12-12T02:06:20+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:06:29.0674151+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 1\",\"queryStartTime\":\"2021-12-11T02:06:29.0660871+00:00\",\"queryEndTime\":\"2021-12-12T02:06:29.066639+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 new file mode 100644 index 000000000000..0f6230c9300e --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 
@@ -0,0 +1,24 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelBookmark' {
+ It 'CreateExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkPSTest" -Query "SecurityEvent | take 1" `
+ -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $bookmark.DisplayName | Should -Be "NewBookmarkPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..c193128326b0
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json
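Review bot: `(get-date)` is evaluated three times on the `-QueryStartTime`/`-QueryEndTime`/`-EventTime` line, so the bookmark's event time and query window end differ by a few hundred microseconds (the recording shows `eventTime` and `queryEndTime` as distinct timestamps) and the window start is not exactly one day before the end. Capture the instant once and derive the others from it: `$now = (Get-Date).ToUniversalTime()` then `-QueryStartTime $now.AddDays(-1) -QueryEndTime $now -EventTime $now`. The same pattern is repeated in the New-AzSentinelBookmarkRelation test; while touching it, use the conventional `Get-Date` casing the rest of the file uses for cmdlets.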
@@ -0,0 +1,110 @@ +{ + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:06:50.3515249Z\",\n \"queryStartTime\": \"2021-12-11T02:06:50.3509781Z\",\n \"queryEndTime\": \"2021-12-12T02:06:50.3513391Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "268" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], + "x-ms-request-id": [ "54f92a27-3ce0-451c-a6a7-57c490614229" ], + "x-ms-correlation-request-id": [ "54f92a27-3ce0-451c-a6a7-57c490614229" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020641Z:54f92a27-3ce0-451c-a6a7-57c490614229" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1085" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39\",\"name\":\"c14cba0a-4aa1-4d5f-9080-c510f9057e39\",\"etag\":\"\\\"6b0269e1-0000-0100-0000-61b559310000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkRelationPSTest\",\"created\":\"2021-12-12T02:06:41.8714854+00:00\",\"updated\":\"2021-12-12T02:06:41+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:06:50.3515249+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-11T02:06:50.3509781+00:00\",\"queryEndTime\":\"2021-12-12T02:06:50.3513391+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n 
\"status\": \"New\",\n \"title\": \"NewBookmarkRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "120" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "4f33c507-2951-4059-a27f-37ed38709947" ], + "x-ms-correlation-request-id": [ "4f33c507-2951-4059-a27f-37ed38709947" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020642Z:4f33c507-2951-4059-a27f-37ed38709947" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1219" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"name\":\"878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"etag\":\"\\\"3c009578-0000-0100-0000-61b559320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:06:42.155687Z\",\"createdTimeUtc\":\"2021-12-12T02:06:42.155687Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Inciden
t/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], + "x-ms-request-id": [ "e4184674-c345-4f93-a706-44473e0ef70e" ], + "x-ms-correlation-request-id": [ "e4184674-c345-4f93-a706-44473e0ef70e" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T020642Z:e4184674-c345-4f93-a706-44473e0ef70e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7\",\"name\":\"c68fd237-f983-4d0a-8c76-6933a86e15d7\",\"etag\":\"\\\"6b0273e1-0000-0100-0000-61b559320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"relatedResourceName\":\"878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 new file mode 100644 index 000000000000..a25434a3f3c8 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 
@@ -0,0 +1,28 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelBookmarkRelation' {
+ It 'CreateExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewBookmarkRelationPSTest"
+ $bookmarkRelation = New-AzSentinelBookmarkRelation -BookmarkId $bookmark.Name -RelationName ((New-Guid).Guid) `
+ -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RelatedResourceId $incident.Id
+ $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..26e0adb53f53
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
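Review bot: `-Query "SecurityEvent\n| take 1"` does not contain a line break: PowerShell double-quoted strings do not interpret `\n`, so the bookmark is stored with a literal backslash followed by `n` (the New-AzSentinelIncidentRelation recording added in this commit shows the request body carrying exactly those two characters), which is not a valid KQL query when the bookmark is later run. Use the PowerShell escape, `` -Query "SecurityEvent`n| take 1" ``, or a here-string; the same literal appears to be used by the New-AzSentinelIncidentRelation test, whose hunk starts outside this chunk. Separately, none of the five test files in this chunk (BookmarkRelation, DataConnector, EntityQuery, Incident, IncidentComment) remove the bookmarks, incidents, connectors and entity queries they create, so a live (non-playback) run leaves them behind in the shared workspace; an `AfterAll` that calls the matching Remove-AzSentinel* cmdlets (for example `Remove-AzSentinelIncident` and `Remove-AzSentinelBookmark` here) would keep the workspace clean.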
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"bingSafetyPhishingURL\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n },\n \"microsoftEmergingThreatFeed\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "398" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], + "x-ms-request-id": [ "64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "x-ms-correlation-request-id": [ "64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020704Z:64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:07:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "675" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d\",\"name\":\"a9a5afd4-43fd-4973-9a02-c30a6b06c40d\",\"etag\":\"340c63e1-c0f5-4771-89ed-8d5652f9c15d\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..f9c0e921740a --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,24 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelDataConnector' {
+ It 'CreateExpanded' {
+ $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All `
+ -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
+ $dataConnector | Should -Not -Be $null
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..7a2b32327b20
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json
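Review bot: The only assertion, `$dataConnector | Should -Not -Be $null`, passes for any non-null return value and does not check that the connector came back with the requested kind or data-type states, so a serialization regression in the `-Kind`/`-BingSafetyPhishingURL`/`-MicrosoftEmergingThreatFeed` parameters would not fail the test. Assert on a property the service echoes from the request body instead, e.g. `$dataConnector.Kind | Should -Be 'MicrosoftThreatIntelligence'` (assuming the output object surfaces the kind under that name; confirm against the output type), and optionally on the two data-type states, which the recording returns as `enabled`. Note also that this test turns on a Microsoft Threat Intelligence ingestion connector in the shared test workspace, which is a persistent configuration change in a live run rather than a throwaway resource.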
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\\u0027{{Account_Name}}\\u0027, \\u0027{{Account_UPNSuffix}}\\u0027, \\u0027{{Account_AadUserId}}\\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"\n },\n \"title\": 
\"The user consented to OAuth application\",\n \"content\": \"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\n \"description\": \"This activity lists user\\u0027s consents to an OAuth applications.\",\n \"inputEntityType\": \"Account\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "1571" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], + "x-ms-request-id": [ "8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "x-ms-correlation-request-id": [ "8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020726Z:8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:07:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2034" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e\",\"name\":\"56959909-d6b6-4cf1-95b3-6c86f0a7dc5e\",\"etag\":\"\\\"5101f127-0000-0100-0000-61b5595e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = 
(Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T02:07:26.3377287Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:07:26.3377287Z\",\"inputEntityType\":\"Account\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..563857267e84 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,37 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelEntityQuery' {
+ It 'CreateExpanded' {
+ $query = 'let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){
+ let account_upn = iff(Account_Name != "" and Account_UPNSuffix != "", strcat(Account_Name,"@",Account_UPNSuffix),"" );
+ AuditLogs
+ | where OperationName == "Consent to application"
+ | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) ["user"]["userPrincipalName"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) ["user"]["id"])
+ | where (account_upn != "" and account_upn =~ Source_Account_UPNSuffix)
+ or (Account_AadUserId != "" and Account_AadUserId =~ Source_Account_AadUserId)
+ | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0]["displayName"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0]["id"])
+ };
+ UserConsentToApplication(''{{Account_Name}}'', ''{{Account_UPNSuffix}}'', ''{{Account_AadUserId}}'')
+ | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated'
+ $entityQuery = New-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title "The user consented to OAuth application" `
+ -InputEntityType "Account" -Content "The user consented 
to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)" `
+ -Description "This activity lists user's consents to an OAuth applications." `
+ -QueryDefinitionQuery $query
+ $entityQuery.InputEntityType | Should -Be "Account"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..75dc6cbdf0e4
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
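Review bot: `$entityQuery.InputEntityType | Should -Be "Account"` only checks that a value the test itself passed in was echoed back, so a regression in how the large `-QueryDefinitionQuery` text, `-Title` or `-Content` is serialized would go unnoticed even though the query body is the part of this cmdlet most likely to break. Add an assertion on another field the service returns from the body, e.g. `$entityQuery.Title | Should -Be "The user consented to OAuth application"` (property name to be confirmed against the output type), and consider checking that the stored query round-trips, since the recording shows the service returning it verbatim. The created query is returned as `enabled`, so in a live run it becomes an active entity-activity query in the shared workspace as soon as the test passes.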
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "112" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "x-ms-correlation-request-id": [ "2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020747Z:2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:07:47 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1213" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"name\":\"0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"etag\":\"\\\"3c006b7a-0000-0100-0000-61b559730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:07:47.5655543Z\",\"createdTimeUtc\":\"2021-12-12T02:07:47.5655543Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..5599eb9c01ae --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncident' {
+ It 'CreateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentPSTest"
+ $incident.Title | Should -Be "NewIncidentPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..65af3b90c983
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
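Review bot: The incident id is generated inline with `-Id ((New-Guid).Guid)` and never compared, so the test cannot tell whether the incident was created under the requested id; `$incident.Title | Should -Be "NewIncidentPSTest"` only confirms the title the test supplied came back. Capture the id once, `$id = (New-Guid).Guid`, pass `-Id $id`, and add `$incident.Name | Should -Be $id`, which the recording supports (the response `name` equals the id segment of the request URI). The same inline-Guid pattern is used in the BookmarkRelation, DataConnector, EntityQuery and IncidentComment tests in this chunk.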
@@ -0,0 +1,74 @@ +{ + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "x-ms-correlation-request-id": [ "b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020809Z:b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1220" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"name\":\"ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"etag\":\"\\\"3c00ec7a-0000-0100-0000-61b559890000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentCommentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:09.5235385Z\",\"createdTimeUtc\":\"2021-12-12T02:08:09.5235385Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/comments/af24ae68-4352-4fb3-837b-8bce51dae455?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/comments/af24ae68-4352-4fb3-837b-8bce51dae455?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"NewIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "67" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "x-ms-correlation-request-id": [ "2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020810Z:2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "789" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/Comments/af24ae68-4352-4fb3-837b-8bce51dae455\",\"name\":\"af24ae68-4352-4fb3-837b-8bce51dae455\",\"etag\":\"\\\"3c00f17a-0000-0100-0000-61b559890000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T02:08:09.9001761Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:08:09.9001761Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 new file mode 100644 index 000000000000..4e940249a4c1 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncidentComment' {
+ It 'CreateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentCommentPSTest"
+ $incidentComment = New-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -IncidentId $incident.Name -Message "NewIncidentCommentPSTest"
+ $incidentComment.Message | Should -Be "NewIncidentCommentPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..9c7cd908c266
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
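Review bot: The recording this test replays (New-AzSentinelIncidentComment.Recording.json, added in the same commit) stores the recording user's UPN, display name and AAD object id in the comment's `author` block, and the New-AzSentinelIncidentRelation recording does the same in the bookmark's `createdBy`/`updatedBy`; since the test only asserts on `$incidentComment.Message`, those identity fields can be replaced with placeholder values before the recordings are committed. Consider a scrub step for identity fields in the recording pipeline so test fixtures do not carry real account identities into the public repository. The comment is created with `-Id ((New-Guid).Guid)` that is never compared against the returned `Name`, so the test also cannot tell whether the comment landed under the requested id.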
@@ -0,0 +1,110 @@ +{ + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:08:40.3864588Z\",\n \"queryStartTime\": \"2021-12-11T02:08:40.3860073Z\",\n \"queryEndTime\": \"2021-12-12T02:08:40.3862850Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "268" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], + "x-ms-request-id": [ "bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "x-ms-correlation-request-id": [ "bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020831Z:bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1084" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"name\":\"a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"etag\":\"\\\"6b02fee4-0000-0100-0000-61b5599f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewIncidentRelationPSTest\",\"created\":\"2021-12-12T02:08:31.8504366+00:00\",\"updated\":\"2021-12-12T02:08:31+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:08:40.3864588+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-11T02:08:40.3860073+00:00\",\"queryEndTime\":\"2021-12-12T02:08:40.386285+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n 
\"status\": \"New\",\n \"title\": \"NewIncidentRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "120" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "x-ms-correlation-request-id": [ "8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020832Z:8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1221" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"name\":\"d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"etag\":\"\\\"3c00807b-0000-0100-0000-61b559a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:32.0999195Z\",\"createdTimeUtc\":\"2021-12-12T02:08:32.0999195Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incid
ent/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "x-ms-correlation-request-id": [ "1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T020832Z:1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3\",\"name\":\"b7b6b9c0-028a-46c8-968c-802c214340b3\",\"etag\":\"\\\"3c00847b-0000-0100-0000-61b559a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"relatedResourceName\":\"a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 new file mode 100644 index 000000000000..54d60f23df2d --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 
@@ -0,0 +1,28 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncidentRelation' {
+ It 'CreateExpanded' {
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -DisplayName "NewIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentRelationPSTest"
+ $incidentRelation = New-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $incident.Name -RelationName ((New-Guid).Guid) -RelatedResourceId $bookmark.Id
+ $incidentRelation.RelatedResourceId | Should -Be $bookmark.Id
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
new file mode 100644
index 000000000000..9f260a1d3ef8
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
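Review bot: The `CreateExpanded` test generates fresh `(New-Guid).Guid` ids for the bookmark, incident and relation on every run, while the recording keys each request on a URL that embeds the specific GUIDs captured at record time; unless `HttpPipelineMocking.ps1` (outside this hunk) substitutes `New-Guid` during playback, the replay cannot match and the test is live-only, which deserves a comment such as `# ids are deterministic in playback: New-Guid is mocked by HttpPipelineMocking.ps1`. Nothing removes the incident and bookmark afterwards, so each live run leaves two resources in the workspace; an `AfterAll` cleanup would keep the test workspace bounded. The `while(-not $mockingPath)` walk-up, repeated in every `.Tests.ps1` of this change, has no stop condition, so when the mocking script is absent `Split-Path` eventually yields an empty path and `Get-ChildItem` fails with a parameter-binding error rather than a clear message.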
@@ -0,0 +1,74 @@ +{ + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NITPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "104" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], + "x-ms-request-id": [ "b747fabb-3578-4c20-879e-e8f9d3967805" ], + "x-ms-correlation-request-id": [ "b747fabb-3578-4c20-879e-e8f9d3967805" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020854Z:b747fabb-3578-4c20-879e-e8f9d3967805" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:53 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1205" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/8be31373-5184-4105-a012-dd4a94188a6e\",\"name\":\"8be31373-5184-4105-a012-dd4a94188a6e\",\"etag\":\"\\\"3c00e17b-0000-0100-0000-61b559b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NITPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:54.1822429Z\",\"createdTimeUtc\":\"2021-12-12T02:08:54.1822429Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/8be31373-5184-4105-a012-dd4a94188a6e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e/createTeam?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e/createTeam?api-version=2021-09-01-preview", + "Content": "{\n \"teamName\": \"NITPSTest\"\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "29" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1187" ], + "x-ms-request-id": [ "9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "x-ms-correlation-request-id": [ "9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020857Z:9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "351" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"teamId\":\"f35942d5-9ccd-4683-b9f3-9e606644bdef\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19:Rd-gdsF3H1aQfej8OHndmWn6d1YcVARleCI3HazjTdI1%40thread.tacv2/conversations?groupId=f35942d5-9ccd-4683-b9f3-9e606644bdef\u0026tenantId=5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\"teamCreationTimeUtc\":\"2021-12-12T02:08:57.4447948+00:00\",\"name\":\"NITPSTest\"}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 new file mode 100644 index 000000000000..f080e9ad5564 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentTeam'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncidentTeam.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncidentTeam' {
+ It 'CreateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NITPSTest"
+ $team = New-AzSentinelIncidentTeam -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -TeamName "NITPSTest" -IncidentId $incident.Name
+ $team.Name | Should -Be "NITPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1
new file mode 100644
index 000000000000..6052dce6e666
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1
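Review bot: `$team.Name | Should -Be "NITPSTest"` only checks that the service echoed back the requested name; the recorded `createTeam` response also carries `teamId` and `primaryChannelUrl`, which are what prove a team was actually created, so assert on one of those too, e.g. `$team.TeamId | Should -Not -BeNullOrEmpty` (assuming the generated model surfaces `teamId` as `TeamId`). A live run of this test creates a real Microsoft Teams team, and the recording persists the resulting tenant id and channel deep link, so whoever re-records should confirm those identifiers are acceptable to commit. As in New-AzSentinelIncidentRelation.Tests.ps1, the incident created for the test is never cleaned up.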
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelOnboardingState'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelOnboardingState.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelOnboardingState' {
+ It 'CreateExpanded' -skip {
+ { New-AzSentinelOnboardingState -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.newOnboardingStateWS -Name "default" } | Should -Not -Throw
+ }
+}
+ 
\ No newline at end of file
diff --git a/src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1
new file mode 100644
index 000000000000..c40db87cc9c3
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1
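Review bot: The only test here is marked `-skip` with no explanation, and no `New-AzSentinelOnboardingState.Recording.json` accompanies it in this change, so the cmdlet has no coverage in any mode and nothing records why; a comment on the `It` line such as `# Skipped: <reason onboarding cannot run against the shared workspace>` would stop the skip from silently outliving its reason. The `$env.ResourceGroupName` spelling also differs from the `$env.resourceGroupName` used by the sibling tests; PowerShell property lookup is case-insensitive so it works, but one spelling is easier to grep. The file also ends in a whitespace-only line without a trailing newline.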
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelThreatIntelligenceIndicator'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelThreatIntelligenceIndicator.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelThreatIntelligenceIndicator' {
+ It 'CreateExpanded' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Create1' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Create' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/README.md b/src/SecurityInsights/test/README.md
new file mode 100644
index 000000000000..1969200c6a09
--- /dev/null
+++ b/src/SecurityInsights/test/README.md
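Review bot: All three `It` blocks are generator stubs whose body is `{ throw [System.NotImplementedException] } | Should -Not -Throw`, and each is marked `-skip`, so the cmdlet ships with no test in any mode while the skipped results never surface as failures. Either implement them or replace the placeholder bodies with a single `# TODO: write CreateExpanded, Create and Create1 tests for New-AzSentinelThreatIntelligenceIndicator` comment so the gap is visible in the file rather than hidden behind a passing skip count. No matching `.Recording.json` is present in this change, which is consistent with the tests never having run.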
@@ -0,0 +1,17 @@
+# Test
+This directory contains the [Pester](https://www.powershellgallery.com/packages/Pester) tests to run for the module. We use Pester as it is the unofficial standard for PowerShell unit testing. Test stubs for custom cmdlets (created in `../custom`) will be generated into this folder when `build-module.ps1` is ran. These test stubs will fail automatically, to indicate that tests should be written for custom cmdlets.
+
+## Info
+- Modifiable: yes
+- Generated: partial
+- Committed: yes
+- Packaged: no
+
+## Details
+We allow three testing modes: *live*, *record*, and *playback*. These can be selected using the `-Live`, `-Record`, and `-Playback` switches respectively on the `test-module.ps1` script. This script will run through any `.Tests.ps1` scripts in the `test` folder. If you choose the *record* mode, it will create a `.Recording.json` file of the REST calls between the client and server. Then, when you choose *playback* mode, it will use the `.Recording.json` file to mock the communication between server and client. The *live* mode runs the same as the *record* mode; however, it doesn't create the `.Recording.json` file.
+
+## Purpose
+Custom cmdlets generally encompass additional functionality not described in the REST specification, or combines functionality generated from the REST spec. To validate this functionality continues to operate as intended, creating tests that can be ran and re-ran against custom cmdlets is part of the framework.
+
+## Usage
+To execute tests, run the `test-module.ps1`. To write tests, [this example](https://github.com/pester/Pester/blob/8b9cf4248315e44f1ac6673be149f7e0d7f10466/Examples/Planets/Get-Planet.Tests.ps1#L1) from the Pester repository is very useful for getting started.
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..6acf6c6fd5fe
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "269" ], + "x-ms-client-request-id": [ "f9d2be0b-03a7-4e01-a67d-5f2d62438d10" ], + "CommandName": [ "Remove-AzSentinelAlertRule" ], + "FullCommandName": [ "Remove-AzSentinelAlertRule_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], + "x-ms-request-id": [ "8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "x-ms-correlation-request-id": [ "8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "270" ], + "x-ms-client-request-id": [ "5c460652-1a17-4fc5-bb9e-0ea05c7214ef" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], + "x-ms-request-id": [ "54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "x-ms-correlation-request-id": [ "54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1180" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"name\":\"952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"etag\":\"\\\"9200b415-0000-0100-0000-61b54f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule62imtb\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule62imtb 952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:42.5246541Z\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "271" ], + "x-ms-client-request-id": [ "09bfc100-0d59-4301-827a-446ddfe1d034" ], + "CommandName": [ "Remove-AzSentinelAlertRule" ], + "FullCommandName": [ "Remove-AzSentinelAlertRule_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14998" ], + "x-ms-request-id": [ "544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "x-ms-correlation-request-id": [ "544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 new file mode 100644 index 000000000000..e9b1d8a2f619 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelAlertRule' {
+ It 'Delete' {
+ { Remove-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveViaIdAlertRuleId
+ { Remove-AzSentinelAlertRule -InputObject $alertRule } | Should -Not -Throw
+ }
+}
+ 
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..d12cf459335c
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json
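Review bot: `Should -Not -Throw` around a DELETE only proves the call returned; the recording shows the service answering `200` with `{}`, and ARM deletes of an id that no longer exists commonly succeed as well, so both `It` blocks would pass even if `$env.RemoveAlertRuleId` or `$env.RemoveViaIdAlertRuleId` pointed at nothing. Following each removal with a lookup that is expected to fail, e.g. `{ Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleId } | Should -Throw`, would pin the actual effect, at the cost of regenerating the recording. The same weak assertion is used in Remove-AzSentinelAlertRuleAction.Tests.ps1 in this change. The file also ends in a whitespace-only line without a trailing newline.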
@@ -0,0 +1,123 @@ +{ + "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6/actions/d359018e-774c-4345-aad4-eaf449a72b0c?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6/actions/d359018e-774c-4345-aad4-eaf449a72b0c?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "272" ], + "x-ms-client-request-id": [ "dbc99097-45e4-4ce8-ad2c-ab0995cfdbaa" ], + "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14997" ], + "x-ms-request-id": [ "acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "x-ms-correlation-request-id": [ "acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021046Z:acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:45 GMT" ] + }, + "ContentHeaders": { + "Expires": [ "-1" ], + "Content-Length": [ "0" ] + }, + "Content": null, + 
"isContentBase64": false + } + }, + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "273" ], + "x-ms-client-request-id": [ "a1ffcfe9-2e9f-4977-a742-bd67e6bfae66" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], + "x-ms-request-id": [ "f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "x-ms-correlation-request-id": [ "f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021047Z:f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80\",\"name\":\"49c62647-0f89-442a-8fc1-76a2159daa80\",\"etag\":\"\\\"2600e554-0000-0300-0000-61b550330000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "274" ], + "x-ms-client-request-id": [ "75cd3713-b8a9-4013-b834-41d7af4399db" ], + "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], 
+ "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14996" ], + "x-ms-request-id": [ "3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "x-ms-correlation-request-id": [ "3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021048Z:3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:47 GMT" ] + }, + "ContentHeaders": { + "Expires": [ "-1" ], + "Content-Length": [ "0" ] + }, + "Content": null, + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..04de4070aade --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelAlertRuleAction' {
+ It 'Delete' {
+ { Remove-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleActionRuleId -Id $env.RemoveAlertRuleActionId} | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName `
+ -RuleId $env.RemoveViaIdAlertRuleActionRuleId -Id $env.RemoveViaIdAlertRuleActionId
+ { Remove-AzSentinelAlertRuleAction -InputObject $alertRuleAction } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..9890b36e8728
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json
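Review bot: Both `It` blocks only assert `Should -Not -Throw`, so a Remove cmdlet that returns cleanly while leaving the action in place would still pass; the recorded DELETE at the end of the previous file answers 200 with an empty body, and nothing here cross-checks that the resource is actually gone. A post-condition read after each removal would pin the behaviour, e.g. `{ Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleActionRuleId -Id $env.RemoveAlertRuleActionId } | Should -Throw`, assuming the generated Get cmdlet surfaces a 404 as an error (not visible here) and accepting that the recording would need to be refreshed to include the extra GET. The same pattern applies to the Remove-AzSentinelAutomationRule, Remove-AzSentinelBookmark and Remove-AzSentinelBookmarkRelation test files further down. As a minor style point, `$env.ResourceGroupName` in the second test differs in casing from `$env.resourceGroupName` in the first; member access is case-insensitive, but one spelling keeps the env keys greppable.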
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "275" ], + "x-ms-client-request-id": [ "c4479378-6f8f-4564-9baa-c7941f8b8853" ], + "CommandName": [ "Remove-AzSentinelAutomationRule" ], + "FullCommandName": [ "Remove-AzSentinelAutomationRule_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14995" ], + "x-ms-request-id": [ "cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "x-ms-correlation-request-id": [ "cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } 
+ }, + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "276" ], + "x-ms-client-request-id": [ "941690b1-0c9a-4f3f-8270-3b496e8efb48" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "4fa25446-f052-49cf-995a-ebd22dbac529" ], + "x-ms-correlation-request-id": [ "4fa25446-f052-49cf-995a-ebd22dbac529" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:4fa25446-f052-49cf-995a-ebd22dbac529" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1354" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"name\":\"37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"etag\":\"\\\"79000c93-0000-0100-0000-61b5514a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule1whyd4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:58Z\",\"createdTimeUtc\":\"2021-12-12T01:32:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "277" ], + "x-ms-client-request-id": [ "8e085c3b-bebc-448b-a8e7-d262c731b62f" ], + "CommandName": [ "Remove-AzSentinelAutomationRule" ], + "FullCommandName": [ "Remove-AzSentinelAutomationRule_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14994" ], + "x-ms-request-id": [ "73787d6a-a355-42e0-9e1e-09b17db17146" ], + "x-ms-correlation-request-id": [ "73787d6a-a355-42e0-9e1e-09b17db17146" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:73787d6a-a355-42e0-9e1e-09b17db17146" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..c3572a6064da --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 
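Review bot: The only value the recorder redacts is the `Authorization` header (`[Filtered]`); the GET response body in this hunk carries the recording operator's identity in `lastModifiedBy` and `createdBy` (`email`, `userPrincipalName`, `name`, `objectId`) together with the subscription and tenant ids, all committed verbatim. The Remove-AzSentinelBookmark recording further down has the same `createdBy`/`updatedBy` fields and additionally embeds a `queryResult` sign-in record with `UserPrincipalName_s`, `IPAddress` and tenant ids. Whether these belong to a disposable test tenant is not visible from the diff; if they do not, the fixtures should be recorded under a dedicated test identity or the identity fields scrubbed before commit, ideally as a recorder replacement rule so every future recording gets the same treatment.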
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelAutomationRule' {
+ It 'Delete' {
+ { Remove-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveAutomationRuleId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $automationRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdAutomationRuleId
+ { Remove-AzSentinelAutomationRule -InputObject $automationRule} | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..a1f3b9763cdb
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json
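Review bot: The `while(-not $mockingPath)` search in the bootstrap block has no stop condition other than finding `HttpPipelineMocking.ps1`; once `Split-Path -Parent` reaches the filesystem root it appears to return an empty string, after which `Get-ChildItem -Path $currentPath` fails on every iteration and the loop never exits, so a checkout that lacks the mocking script hangs the test run instead of failing it. Guarding on the path as well, `while(-not $mockingPath -and $currentPath) {`, followed by an explicit `throw` when `$mockingPath` is still empty, turns that into a clear failure. The same scaffold appears in the Remove-AzSentinelAlertRuleAction, Remove-AzSentinelBookmark and Remove-AzSentinelBookmarkRelation test files in this commit; since it looks generated, the fix belongs in the template rather than in each copy.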
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/9ff7b322-3212-4574-bfad-4408206875f8?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/9ff7b322-3212-4574-bfad-4408206875f8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "278" ], + "x-ms-client-request-id": [ "e8476f9a-f07a-4121-98ae-0005160b8a62" ], + "CommandName": [ "Remove-AzSentinelBookmark" ], + "FullCommandName": [ "Remove-AzSentinelBookmark_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14993" ], + "x-ms-request-id": [ "35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "x-ms-correlation-request-id": [ "35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021133Z:35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "279" ], + "x-ms-client-request-id": [ "6acd6fc2-853e-4f07-a2a8-a9f2ea22fc11" ], + "CommandName": [ "Get-AzSentinelBookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11936" ], + "x-ms-request-id": [ "cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "x-ms-correlation-request-id": [ "cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021133Z:cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/4327ac2f-6115-4602-9616-83cf991298a5\",\"name\":\"4327ac2f-6115-4602-9616-83cf991298a5\",\"etag\":\"\\\"6b02319c-0000-0100-0000-61b551e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark061i4x\",\"created\":\"2021-12-12T01:35:34.2696125+00:00\",\"updated\":\"2021-12-12T01:35:34.2696125+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "280" ], + "x-ms-client-request-id": [ "3cf9b7de-7557-4b52-a511-75d856d1962a" ], + "CommandName": [ "Remove-AzSentinelBookmark" ], + "FullCommandName": [ "Remove-AzSentinelBookmark_DeleteViaIdentity" ], + "ParameterSetName": [ 
"__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14992" ], + "x-ms-request-id": [ "e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "x-ms-correlation-request-id": [ "e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021134Z:e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:34 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 new file mode 100644 index 000000000000..e864505fc0f8 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelBookmark' {
+ It 'Delete' {
+ { Remove-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveBookmarkId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdBookmarkId
+ { Remove-AzSentinelBookmark -InputObject $bookmark } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..d9c26fe06ae8
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888/relations/adad6e56-9f94-4fba-ba3b-96f4616cdf68?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888/relations/adad6e56-9f94-4fba-ba3b-96f4616cdf68?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "281" ], + "x-ms-client-request-id": [ "a8e52b88-2b95-4183-bda7-9b192bbe6eea" ], + "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14991" ], + "x-ms-request-id": [ "e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "x-ms-correlation-request-id": [ "e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021156Z:e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "282" ], + "x-ms-client-request-id": [ "0e9b0a62-8442-402b-8a94-7512c9c6a6c8" ], + "CommandName": [ "Get-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], + "x-ms-request-id": [ "cc098520-2b65-4165-9046-f57ce899c1ca" ], + "x-ms-correlation-request-id": [ "cc098520-2b65-4165-9046-f57ce899c1ca" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021156Z:cc098520-2b65-4165-9046-f57ce899c1ca" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + }, + "ContentHeaders": { + 
"Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"name\":\"e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"etag\":\"\\\"6b0254b0-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"relatedResourceName\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "283" ], + "x-ms-client-request-id": [ 
"75dedba1-e385-4668-82f4-9d6186ef3845" ], + "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14990" ], + "x-ms-request-id": [ "a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "x-ms-correlation-request-id": [ "a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021157Z:a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 new file mode 100644 index 000000000000..61d3036008c2 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelBookmarkRelation' {
+ It 'Delete' {
+ { Remove-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.RemovebookmarkRelationBookmarkId -RelationName $env.RemoveBookmarkRelationId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $bookmarkRelation = Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -BookmarkId $env.RemoveViaIdbookmarkRelationBookmarkId -RelationName $env.RemoveViaIdBookmarkRelationId
+ { Remove-AzSentinelBookmarkRelation -InputObject $bookmarkRelation } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..77b652862e92
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json
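Review bot: Both `It` blocks assert only `Should -Not -Throw`, which passes as long as the cmdlet returns without error and never checks that the relation is actually gone. After each removal, read the resource back and assert on the result — for instance `Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.RemovebookmarkRelationBookmarkId -RelationName $env.RemoveBookmarkRelationId -ErrorAction SilentlyContinue | Should -BeNullOrEmpty` (adjusted to however the Get cmdlet reports a missing resource), then re-record. The same no-throw-only pattern is in the Delete/DeleteViaIdentity tests of Remove-AzSentinelDataConnector.Tests.ps1, Remove-AzSentinelEntityQuery.Tests.ps1 and Remove-AzSentinelIncident.Tests.ps1 in this change. Separately, the `while(-not $mockingPath)` search in the preamble has no exit when HttpPipelineMocking.ps1 is never found: once `$currentPath` reaches the drive root, `Split-Path -Parent` presumably yields an empty string and the loop keeps retrying instead of failing, so a guard such as `if (-not $currentPath) { throw 'HttpPipelineMocking.ps1 not found' }` inside the loop would surface that clearly.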
@@ -0,0 +1,156 @@ +{ + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "198" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], + "x-ms-request-id": [ "d764a3df-4f12-4563-903f-3d84addd6046" ], + "x-ms-correlation-request-id": [ "d764a3df-4f12-4563-903f-3d84addd6046" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021219Z:d764a3df-4f12-4563-903f-3d84addd6046" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:18 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "567" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea\",\"name\":\"6ba8eed7-c5fb-4756-8441-1a211e0a6eea\",\"etag\":\"8777901f-f253-4327-98a9-2841f902da12\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"},\"discoveryLogs\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "285" ], + "x-ms-client-request-id": [ "49737722-1805-4d80-9e73-2bd45b6058b1" ], + "CommandName": [ "Remove-AzSentinelDataConnector" ], + "FullCommandName": [ "Remove-AzSentinelDataConnector_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + 
"x-ms-ratelimit-remaining-subscription-deletes": [ "14989" ], + "x-ms-request-id": [ "9475ca24-66a5-4018-91c1-912457c89898" ], + "x-ms-correlation-request-id": [ "9475ca24-66a5-4018-91c1-912457c89898" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021219Z:9475ca24-66a5-4018-91c1-912457c89898" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:19 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "198" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], + "x-ms-request-id": [ 
"dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "x-ms-correlation-request-id": [ "dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021220Z:dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "567" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd\",\"name\":\"d932006a-f4c7-43ed-8c91-2fe5485678fd\",\"etag\":\"73cea443-5e30-47db-b856-8635bd63e9f2\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"},\"discoveryLogs\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "287" ], 
+ "x-ms-client-request-id": [ "3a2801d9-0d21-403e-985b-6c0f17a9ad13" ], + "CommandName": [ "Remove-AzSentinelDataConnector" ], + "FullCommandName": [ "Remove-AzSentinelDataConnector_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14988" ], + "x-ms-request-id": [ "e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "x-ms-correlation-request-id": [ "e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021221Z:e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..89201404f566 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelDataConnector' {
+ It 'Delete' {
+ $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled"
+ { Remove-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $dataConnector.Name } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled"
+ { Remove-AzSentinelDataConnector -InputObject $dataConnector } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..c830d07b7fb5
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json
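Review bot: Both tests pick the connector id with `(New-Guid).Guid` at run time, so the PUT and DELETE request URIs change on every execution while the recording is keyed on fixed ids (`.../dataConnectors/6ba8eed7-…` and `.../d932006a-…`); unless HttpPipelineMocking normalises GUIDs in the URI, playback will not find those entries. The sibling Remove tests in this change take their ids from `$env` (e.g. `$env.RemoveincidentId`), which the environment loaded by loadEnv.ps1 presumably keeps stable between record and playback. Do the same here: create the two ids once in the environment setup and reference them as, for example, `-DataConnectorId $env.RemoveDataConnectorId` and `-DataConnectorId $env.RemoveViaIdDataConnectorId` (names constructed to match the existing `Remove…Id` / `RemoveViaId…Id` convention).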
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "288" ], + "x-ms-client-request-id": [ "f3353721-6954-4ce5-97d0-b78e750f1313" ], + "CommandName": [ "Remove-AzSentinelEntityQuery" ], + "FullCommandName": [ "Remove-AzSentinelEntityQuery_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14987" ], + "x-ms-request-id": [ "3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "x-ms-correlation-request-id": [ "3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "289" ], + "x-ms-client-request-id": [ "2160734d-69fa-4379-a011-4f58077788cc" ], + "CommandName": [ "Get-AzSentinelEntityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11934" ], + "x-ms-request-id": [ "8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "x-ms-correlation-request-id": [ "8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e\",\"name\":\"f75cff94-cd35-4d3e-a20b-4c4eee51dd8e\",\"etag\":\"\\\"50013ae2-0000-0100-0000-61b5535d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:41:49.6134342Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:41:49.6134342Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "290" ], + "x-ms-client-request-id": [ "af1f747e-7f78-4d0e-993d-c8530a04e4e3" ], + "CommandName": [ "Remove-AzSentinelEntityQuery" ], + "FullCommandName": [ "Remove-AzSentinelEntityQuery_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + 
"Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14986" ], + "x-ms-request-id": [ "367c75ba-89ae-481a-b829-5f173538b0b5" ], + "x-ms-correlation-request-id": [ "367c75ba-89ae-481a-b829-5f173538b0b5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:367c75ba-89ae-481a-b829-5f173538b0b5" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..057f867b6510 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelEntityQuery' {
+ It 'Delete' {
+ { Remove-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveentityQueryActivityId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $entityQuery = Get-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdentityQueryActivityId
+ { Remove-AzSentinelEntityQuery -InputObject $entityQuery } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..dd0e17816391
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "291" ], + "x-ms-client-request-id": [ "574a9df9-4e96-4bf7-b983-de396ac7a8f7" ], + "CommandName": [ "Remove-AzSentinelIncident" ], + "FullCommandName": [ "Remove-AzSentinelIncident_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14985" ], + "x-ms-request-id": [ "ba411cec-55f6-4380-8706-301eac432d72" ], + "x-ms-correlation-request-id": [ "ba411cec-55f6-4380-8706-301eac432d72" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:ba411cec-55f6-4380-8706-301eac432d72" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "292" ], + "x-ms-client-request-id": [ "572569e4-b995-4a3c-9303-6c9c128da808" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], + "x-ms-request-id": [ "7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "x-ms-correlation-request-id": [ "7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "293" ], + "x-ms-client-request-id": [ "09e42b86-ecb3-4fcb-8027-9fa8147f1be2" ], + "CommandName": [ "Remove-AzSentinelIncident" ], + "FullCommandName": [ "Remove-AzSentinelIncident_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14984" ], + "x-ms-request-id": [ "6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "x-ms-correlation-request-id": [ "6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..b8c4dda87a22 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelIncident' {
+ It 'Delete' {
+ { Remove-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveincidentId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdincidentId
+ { Remove-AzSentinelIncident -InputObject $incident } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..009621cf4459
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/comments/2305a5f7-84eb-482c-bc88-33d76495c69c?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/comments/2305a5f7-84eb-482c-bc88-33d76495c69c?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "294" ], + "x-ms-client-request-id": [ "15babaea-3ef5-46e9-a706-02b3d6c966c2" ], + "CommandName": [ "Remove-AzSentinelIncidentComment" ], + "FullCommandName": [ "Remove-AzSentinelIncidentComment_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "x-ms-correlation-request-id": [ "06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021324Z:06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "295" ], + "x-ms-client-request-id": [ "f3278cb2-da91-40b4-ac8e-5fa8cfa66a23" ], + "CommandName": [ "Get-AzSentinelIncidentComment" ], + "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "4a175543-f6e7-4898-ac14-aed7e9905217" ], + "x-ms-correlation-request-id": [ "4a175543-f6e7-4898-ac14-aed7e9905217" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021324Z:4a175543-f6e7-4898-ac14-aed7e9905217" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + }, + "ContentHeaders": 
{ + "Content-Length": [ "797" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/Comments/97010b56-8d45-49b6-9f11-02d55ed685b8\",\"name\":\"97010b56-8d45-49b6-9f11-02d55ed685b8\",\"etag\":\"\\\"3c00ac5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentComment8ftdy3\",\"createdTimeUtc\":\"2021-12-12T01:47:02.1178777Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.1178777Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "296" ], + "x-ms-client-request-id": [ "60ee7844-7239-4bbc-bf2a-cc4ec66a49d0" ], + 
"CommandName": [ "Remove-AzSentinelIncidentComment" ], + "FullCommandName": [ "Remove-AzSentinelIncidentComment_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "x-ms-correlation-request-id": [ "c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021325Z:c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 new file mode 100644 index 000000000000..4f0f526d3573 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 
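Review bot: The recorded GET body for the DeleteViaIdentity case keeps the comment author's identity (`"author":{"objectId":...,"email":...,"name":...,"userPrincipalName":...}`) while only the `Authorization` header was reduced to `[Filtered]`, so personal data of a real account lands in the repository with this fixture. Replace those four values with placeholders before merge, and consider giving the recording harness a response-body sanitizer for author/identity fields so later re-recordings do not reintroduce them. The same scrubbing gap is more serious in the Update-AzSentinelAlertRuleAction recording further down, whose PUT body carries a Logic App `triggerUri` complete with its `sig=` query parameter; that value authorizes calls to the trigger endpoint, so it needs to be redacted in the fixture and the workflow's signature regenerated.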
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelIncidentComment' {
+ It 'Delete' {
+ { Remove-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.RemoveincidentCommentIncidentId -Id $env.RemoveincidentCommentId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $incidentComment = Get-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.RemoveViaIdincidentCommentIncidentId -Id $env.RemoveViaIdincidentCommentId
+ { Remove-AzSentinelIncidentComment -InputObject $incidentComment } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..723b1d498b24
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json
@@ -0,0 +1,123 @@ +{ + "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/relations/969e8896-2438-40e6-9455-f5fd9b30d396?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/relations/969e8896-2438-40e6-9455-f5fd9b30d396?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "297" ], + "x-ms-client-request-id": [ "1d8a4923-93be-4a4b-a886-dfe9bfa70be1" ], + "CommandName": [ "Remove-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Remove-AzSentinelIncidentRelation_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 204, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "x-ms-correlation-request-id": [ "db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:46 GMT" ] + }, + "ContentHeaders": { + "Expires": [ "-1" ] + }, + "Content": null, + "isContentBase64": 
false + } + }, + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "298" ], + "x-ms-client-request-id": [ "cbfc9c68-1cf2-4e27-b06f-ef17307a6764" ], + "CommandName": [ "Get-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "x-ms-correlation-request-id": [ "cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309\",\"name\":\"827874ba-8b75-40d5-ad61-57fbb9594309\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"relatedResourceName\":\"3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "299" ], + "x-ms-client-request-id": [ "07a06a05-0cf8-4c71-a63e-c0f4633a9835" ], + "CommandName": [ "Remove-AzSentinelIncidentRelation" ], + 
"FullCommandName": [ "Remove-AzSentinelIncidentRelation_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "x-ms-correlation-request-id": [ "6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:47 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 new file mode 100644 index 000000000000..50372d36ca5b --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelIncidentRelation' {
+ It 'Delete' {
+ { Remove-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.RemoveincidentCommentIncidentId -RelationName $env.RemoveincidentRelationId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.RemoveViaIdincidentRelationIncidentId -RelationName $env.RemoveViaIdincidentRelationId
+ { Remove-AzSentinelIncidentRelation -InputObject $incidentRelation } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1
new file mode 100644
index 000000000000..614737036a1b
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1
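Review bot: The `Delete` case passes `-IncidentId $env.RemoveincidentCommentIncidentId`, the incident-comment test's key, while the `DeleteViaIdentity` case uses a relation-specific `RemoveViaIdincidentRelationIncidentId`. The recording shows both the comment and the relation delete hitting the same incident, so this likely works, but the mismatched name reads as a copy-paste slip and silently ties this test's fixture to the comment test's setup. Either introduce a matching `RemoveincidentRelationIncidentId` in the environment setup or add a comment stating that the incident is deliberately shared.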
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelOfficeConsent'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelOfficeConsent.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelOfficeConsent' {
+ It 'Delete' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json
new file mode 100644
index 000000000000..7bae50663116
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json
@@ -0,0 +1,43 @@ +{ + "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptestdlvh1s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptestdlvh1s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "304" ], + "x-ms-client-request-id": [ "a1499210-7039-49aa-8d0a-efbddac44cb5" ], + "CommandName": [ "Remove-AzSentinelOnboardingState" ], + "FullCommandName": [ "Remove-AzSentinelOnboardingState_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14981" ], + "x-ms-request-id": [ "0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "x-ms-correlation-request-id": [ "0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021455Z:0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:14:54 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1
new file mode 100644
index 000000000000..3a402fef7387
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelOnboardingState'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelOnboardingState.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelOnboardingState' {
+ It 'Delete' {
+ { Remove-AzSentinelOnboardingState -Name "default" -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.removeOnboardingStateWS } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1
new file mode 100644
index 000000000000..05fb98d9a28e
--- /dev/null
+++ b/src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Test-AzSentinelDataConnectorCheckRequirement'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Test-AzSentinelDataConnectorCheckRequirement.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Test-AzSentinelDataConnectorCheckRequirement' {
+ It 'AADTenant' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'AzureSecurityCenter' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..c001a4156df5
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json
@@ -0,0 +1,38 @@ +{ + "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"9200241b-0000-0100-0000-61b54fb50000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulevi15sc 98981b11-0c0a-40bb-adc9-63f3693592bf\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulevi15sc\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "900" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1186" 
], + "x-ms-request-id": [ "6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "x-ms-correlation-request-id": [ "6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021541Z:6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:15:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1171" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf\",\"name\":\"98981b11-0c0a-40bb-adc9-63f3693592bf\",\"etag\":\"\\\"9400d13c-0000-0100-0000-61b55b4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulevi15sc\",\"enabled\":true,\"description\":\"UpdateAlertRulevi15sc 98981b11-0c0a-40bb-adc9-63f3693592bf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:15:39.3269202Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
new file mode 100644
index 000000000000..c3f044d17718
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
@@ -0,0 +1,28 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelAlertRule' {
+ It 'UpdateExpanded' {
+ $alertRule = Update-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateAlertRuleId -Disabled
+ $alertRule.Enabled | Should -Be $true
+ }
+
+ It 'UpdateViaIdentityExpanded' -skip {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateViaIdAlertRuleId
+ $alertRuleUpdate = Update-AzSentinelAlertRule -InputObject $alertRule -Disabled
+ $alertRuleUpdate.Enabled | Should -Be $true
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..d21e529faef4
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json
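Review bot: The `UpdateExpanded` case calls `Update-AzSentinelAlertRule ... -Disabled` and then asserts `$alertRule.Enabled | Should -Be $true`, so the test passes only if the switch it exercises has no effect. The companion recording's PUT body indeed sends `"enabled": true`, which points to either the assertion being inverted or `-Disabled` not being applied by the cmdlet; either way the update path is not verified. Change the assertion to `$alertRule.Enabled | Should -Be $false` (and the same line in the skipped `UpdateViaIdentityExpanded` case) and, if it then fails, fix the cmdlet's handling of `-Disabled` before re-recording.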
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "558" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "x-ms-correlation-request-id": [ "be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T021604Z:be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "617" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf\",\"name\":\"5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"6e83051f6df6465c872c5540c8c167f5\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "309" ], + "x-ms-client-request-id": [ 
"4b5c6ed0-5e91-4f9c-b469-ced7536e5041" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11931" ], + "x-ms-request-id": [ "4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "x-ms-correlation-request-id": [ "4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021604Z:4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"name\":\"34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"etag\":\"\\\"26005c56-0000-0300-0000-61b550730000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + 
"Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "558" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + "x-ms-correlation-request-id": [ "ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021606Z:ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:06 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "617" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"name\":\"34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"6e83051f6df6465c872c5540c8c167f5\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..bbb7351a8864 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelAlertRuleAction' {
+ It 'UpdateExpanded' {
+ $alertRuleAction = Update-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName `
+ -RuleId $env.UpdateAlertRuleActionRuleId -Id $env.UpdateAlertRuleActionId -LogicAppResourceId $env.Playbook3LogicAppResourceId -TriggerUri $env.Playbook3TriggerUrl
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook3LogicAppResourceId
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName `
+ -RuleId $env.UpdateViaIdAlertRuleActionRuleId -Id $env.UpdateViaIdAlertRuleActionId
+ $alertRuleAction = Update-AzSentinelAlertRuleAction -InputObject $alertRuleAction -LogicAppResourceId $env.Playbook3LogicAppResourceId -TriggerUri $env.Playbook3TriggerUrl
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook3LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..8622059da0bb
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json
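Review bot: The `-TriggerUri $env.Playbook3TriggerUrl` argument in both `It` blocks is serialized verbatim into the PUT request body, and the recording committed alongside this test (the hunks just above) shows that body carrying a Logic App trigger URL with its `sig=` query parameter intact. The recorder scrubs the `Authorization` header to `[Filtered]` but does not touch request bodies, so what looks like a live trigger SAS is now checked into the repository; it should be treated as exposed and regenerated on the Logic App, and the recording pipeline (or a post-processing step before commit) should replace the `sig` value with a placeholder such as `sig=REDACTED`. The `loadEnv.ps1` that supplies `$env.Playbook3TriggerUrl` is outside this diff, so I cannot tell whether the value is also persisted there; worth checking the env JSON for the same string. Whether the signature is still valid is inferred from the recording alone and not verified here.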
@@ -0,0 +1,156 @@ +{ + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "311" ], + "x-ms-client-request-id": [ "0525ef71-01e7-4abf-b7f2-24f81d44d550" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "x-ms-correlation-request-id": [ "9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021628Z:9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1349" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"79008294-0000-0100-0000-61b551690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:33:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRule1ceigy\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "595" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "x-ms-correlation-request-id": [ "fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021629Z:fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:29 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1356" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00f80c-0000-0100-0000-61b55b7d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "313" ], + "x-ms-client-request-id": [ "c77aae63-9c15-419d-a9bc-3f5e88d54b19" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "x-ms-correlation-request-id": [ "69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021630Z:69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:29 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1356" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00f80c-0000-0100-0000-61b55b7d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRule1ceigy\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "595" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "x-ms-correlation-request-id": [ "4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021631Z:4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1356" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00070d-0000-0100-0000-61b55b7e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:30Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..cc178161a47f --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 
@@ -0,0 +1,39 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelAutomationRule' {
+ It 'UpdateExpanded' {
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook4LogicAppResourceId
+ $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
+ $getRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId
+ $automationRule = Update-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId -Action $automationRuleAction -DisplayName $getRule.DisplayName -Order $getRule.Order -TriggeringLogicIsEnabled
+ $automationRule.Action.ActionConfigurationLogicAppResourceId | Should -Be $env.Playbook4LogicAppResourceId
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook4LogicAppResourceId
+ $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
+ $getRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId
+ $automationRuleUpdate = Update-AzSentinelAutomationRule -InputObject $getRule -Action $automationRuleAction -DisplayName $getRule.DisplayName -Order $getRule.Order -TriggeringLogicIsEnabled
+ $automationRuleUpdate.Action.ActionConfigurationLogicAppResourceId | Should -Be $env.Playbook4LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..8d34e003ad91
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json
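Review bot: Both `It` blocks read and then PUT the same resource, `$env.UpdateAutomationRuleId`, so `UpdateViaIdentityExpanded` starts from whatever state `UpdateExpanded` left behind and cannot be run on its own; the recording above confirms both PUTs target the same rule id. The sibling test files keep a separate `UpdateViaId*` id for the identity path, and the same split (an `$env.UpdateViaIdAutomationRuleId`, populated in `loadEnv.ps1` / the env JSON outside this diff) would make the two cases independent. The five-line construction of `$automationRuleAction` and the `Get-AzSentinelAutomationRule` call are copied verbatim into both cases; moving them into a `BeforeEach` at the top of the `Describe` leaves each `It` with only the update and its assertion, as below.
```powershell
Describe 'Update-AzSentinelAutomationRule' {
    BeforeEach {
        $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
        $automationRuleAction.Order = 1
        $automationRuleAction.ActionType = "RunPlaybook"
        $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook4LogicAppResourceId
        $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
        $getRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId
    }
    # … unchanged: the two It blocks, each reduced to its Update-AzSentinelAutomationRule call and Should assertion …
```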
@@ -0,0 +1,156 @@ +{ + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "315" ], + "x-ms-client-request-id": [ "5fcb1435-2914-4d90-9863-6293574ccb0c" ], + "CommandName": [ "Get-AzSentinelBookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], + "Server": [ "Kestrel" ], + "x-ms-request-id": [ "3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "x-ms-correlation-request-id": [ "3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021652Z:3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:51 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5321" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b02ce9f-0000-0100-0000-61b552060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarktfriza\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T01:36:06.6776344+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "67" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + 
"Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1185" ], + "x-ms-request-id": [ "5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "x-ms-correlation-request-id": [ "5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "941" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b0299f0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.1695666+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + 
"Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "317" ], + "x-ms-client-request-id": [ "bf852d4c-f0b1-4047-bb5f-f5a328ef936d" ], + "CommandName": [ "Get-AzSentinelBookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11929" ], + "x-ms-request-id": [ "00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "x-ms-correlation-request-id": [ "00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "949" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b0299f0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53.1698187+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.1695666+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": 
[ "67" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1184" ], + "x-ms-request-id": [ "cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "x-ms-correlation-request-id": [ "cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "941" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b029df0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.6063277+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1
new file mode 100644
index 000000000000..af2179c43b6d
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1
@@ -0,0 +1,31 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelBookmark' {
+ It 'UpdateExpanded' {
+ $getBookmark = Get-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateBookmarkId
+ $bookmark = Update-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateBookmarkId -DisplayName "UpdateBookmarkPSTest"
+ $bookmark.DisplayName | Should -Be "UpdateBookmarkPSTest"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateBookmarkId
+ $bookmarkUpdate = Update-AzSentinelBookmark -InputObject $bookmark -DisplayName "UpdateBookmarkPSTest"
+ $bookmarkUpdate.DisplayName | Should -Be "UpdateBookmarkPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..a576258895f0
--- /dev/null
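Review bot: The recording this test pins via `$TestRecordingFile` (`Update-AzSentinelBookmark.Recording.json`) commits identity data that the test never uses: the GET response for `UpdateExpanded` carries a full sign-in log row in the bookmark's `queryResult` (user principal name, display name, client IP address, geo-coordinates, user agent, tenant ids) plus the creator's e-mail address and object id in `createdBy`/`updatedBy`, while the mocking layer filters only the `Authorization` header. Both `It` blocks assert `DisplayName` alone, so none of that payload is needed for playback; the recording should be scrubbed of the `queryResult` and the `createdBy`/`updatedBy` identities before it is committed, or re-recorded against a bookmark whose query result is empty. `$getBookmark` in `UpdateExpanded` is assigned and never read, so that GET (and its recorded response) can be dropped outright.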
+++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json 
@@ -0,0 +1,187 @@ +{ + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateBookmarkRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "123" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "x-ms-correlation-request-id": [ "da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021716Z:da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:16 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1224" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"name\":\"0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"etag\":\"\\\"3c005a8d-0000-0100-0000-61b55bac0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:17:16.8238616Z\",\"createdTimeUtc\":\"2021-12-12T02:17:16.8238616Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1183" ], + "x-ms-request-id": [ "9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "x-ms-correlation-request-id": [ "9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e\",\"name\":\"3106728c-12de-4dad-b0c6-603a9285765e\",\"etag\":\"\\\"6b0226f1-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"relatedResourceName\":\"0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateViaIdBookmarkRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "128" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ 
"no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "x-ms-correlation-request-id": [ "7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1229" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"name\":\"450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"etag\":\"\\\"3c00648d-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:17:17.3702395Z\",\"createdTimeUtc\":\"2021-12-12T02:17:17.3702395Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"28\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "322" ], + "x-ms-client-request-id": [ "cdb860a8-60c2-4148-8365-c73bda64c033" ], + "CommandName": [ "Get-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], + "x-ms-request-id": [ "e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "x-ms-correlation-request-id": [ "e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + 
"Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8\",\"name\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"etag\":\"\\\"6b026ab6-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"relatedResourceName\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1182" ], + "x-ms-request-id": [ "1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "x-ms-correlation-request-id": [ "1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8\",\"name\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"etag\":\"\\\"6b0227f1-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"relatedResourceName\":\"450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 new file mode 100644 index 000000000000..7d65a5b39cf3 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 
@@ -0,0 +1,34 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelBookmarkRelation' {
+ It 'UpdateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "UpdateBookmarkRelationPSTest"
+ $bookmarkRelation = Update-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -BookmarkId $env.UpdatebookmarkRelationBookmarkId -RelationName $env.UpdateBookmarkRelationId -RelatedResourceId $incident.Id
+ $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "UpdateViaIdBookmarkRelationPSTest"
+ $bookmarkRelation = Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -BookmarkId $env.UpdateViaIdbookmarkRelationBookmarkId -RelationName $env.UpdateViaIdBookmarkRelationId
+ $bookmarkRelationUpdate = Update-AzSentinelBookmarkRelation -InputObject $bookmarkRelation -RelatedResourceId $incident.Id
+ $bookmarkRelationUpdate.RelatedResourceId | Should -Be $incident.Id
+ }
+}
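Review bot: Both It blocks create an incident with `New-AzSentinelIncident -Id ((New-Guid).Guid)` and nothing deletes it afterwards, so every live run of this file leaves two orphan incidents in the shared test workspace; an `AfterAll` that removes the incidents created inside the Describe would keep the fixture workspace clean. The random id also makes the create request URI different on every run, so unless the mocking layer patches or ignores that id, playback against the recording would not find a matching entry — worth confirming before relying on this test in CI. Each test asserts only `RelatedResourceId`; additionally checking that the returned relation's name still equals `$env.UpdateBookmarkRelationId` (and `$env.UpdateViaIdBookmarkRelationId`) would catch an update that silently creates a new relation instead of updating the named one.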
diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json new file mode 100644 index 000000000000..b31fe151e8b5 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json 
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"b233bb7e-98ea-415f-895d-e389655250ac\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "346" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1181" ], + "x-ms-request-id": [ "b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "x-ms-correlation-request-id": [ "b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021740Z:b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:40 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "578" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "326" ], + "x-ms-client-request-id": [ "f4a28c41-9844-4978-a6d9-02f66c8debe3" ], + "CommandName": [ "Get-AzSentinelDataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + 
"x-ms-ratelimit-remaining-subscription-reads": [ "11926" ], + "x-ms-request-id": [ "bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "x-ms-correlation-request-id": [ "bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021741Z:bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "578" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "345" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1180" ], + "x-ms-request-id": [ "dca440dc-282f-4154-b26a-0a180c937e11" ], + "x-ms-correlation-request-id": [ "dca440dc-282f-4154-b26a-0a180c937e11" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021742Z:dca440dc-282f-4154-b26a-0a180c937e11" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "577" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"e0ea214e-c798-468a-a3ed-ea1de3deea54\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..6e4534861b80 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelDataConnector' {
+ It 'UpdateExpanded' {
+ $dataConnector = Update-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId $env.updateDataConnectorId -SharePoint "Enabled"
+ $dataConnector.SharePointState | Should -Be "Enabled"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $dataConnector = Get-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId $env.updateDataConnectorId
+ $dataConnectorUpdate = Update-AzSentinelDataConnector -InputObject $dataConnector -Teams "Enabled"
+ $dataConnectorUpdate.TeamState | Should -Be "Enabled"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..4ed152e938b6
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
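Review bot: The two tests mutate the same shared connector `$env.updateDataConnectorId` and never restore it, so they are order-coupled and permanently change the fixture's state for later live runs; the second PUT in the accompanying Update-AzSentinelDataConnector.Recording.json already carries the `sharePoint: enabled` value set by the first test. Consider restoring the original data-type states in an `AfterAll`, or at least asserting the expected state of all three data types after each update rather than only the one that was changed. Note also that the recording shows the service normalising the requested `Enabled` to lowercase `enabled` in its response, so these assertions hold only because Pester's `Should -Be` is case-insensitive; that is acceptable here, but a future switch to `-BeExactly` would break them.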
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"50014de4-0000-0100-0000-61b5537d0000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName 
=~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "2162" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1179" ], + "x-ms-request-id": [ "47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "x-ms-correlation-request-id": [ "47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021804Z:47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2286" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc\",\"name\":\"64feba96-1f57-4f3d-8068-a1532ed4e2dc\",\"etag\":\"\\\"51016d4c-0000-0100-0000-61b55bdc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:21.052492Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:04.8210404Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "331" ], + "x-ms-client-request-id": [ "56b3e04b-7397-4e92-bac4-1a888d915fa0" ], + "CommandName": [ "Get-AzSentinelEntityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + 
"x-ms-ratelimit-remaining-subscription-reads": [ "11923" ], + "x-ms-request-id": [ "94857087-f52f-4f97-854d-d04d9f315fde" ], + "x-ms-correlation-request-id": [ "94857087-f52f-4f97-854d-d04d9f315fde" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021805Z:94857087-f52f-4f97-854d-d04d9f315fde" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"name\":\"fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"etag\":\"\\\"500183e6-0000-0100-0000-61b5539e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"500183e6-0000-0100-0000-61b5539e0000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, 
\\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "2162" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1178" ], + "x-ms-request-id": [ "89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "x-ms-correlation-request-id": [ "89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021806Z:89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:05 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2287" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"name\":\"fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"etag\":\"\\\"5101754c-0000-0100-0000-61b55bde0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:05.9962445Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..fa2df6f530c7 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelEntityQuery' {
+ It 'UpdateExpanded' {
+ $entityQuery = Update-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -EntityQueryId $env.UpdateentityQueryActivityId -Title "UpdateEntityQueryPSTest"
+ $entityQuery.Title | Should -Be "UpdateEntityQueryPSTest"
+ }
+ It 'UpdateViaIdentityExpanded' {
+ $entityQuery = Get-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -EntityQueryId $env.UpdateViaIdentityQueryActivityId
+ $entityQueryUpdate = Update-AzSentinelEntityQuery -InputObject $entityQuery -Title "UpdateEntityQueryPSTest"
+ $entityQueryUpdate.Title | Should -Be "UpdateEntityQueryPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..dba41cd72fca
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json
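Review bot: The `UpdateViaIdentityExpanded` test asserts only `Title`, and the accompanying Update-AzSentinelEntityQuery.Recording.json shows the update is lossy: the GET returns `"entitiesFilter":{"Host_OsFamily":["Windows"]}`, the PUT the cmdlet then sends omits `entitiesFilter` entirely, and the response comes back with `"entitiesFilter":{}`. So `Update-AzSentinelEntityQuery -InputObject` silently drops the entity filter of an existing activity query, and this test passes regardless. Add an assertion that the entities filter (and ideally the query text) of `$entityQueryUpdate` still equals that of `$entityQuery` captured before the update, and fix the cmdlet — outside this hunk — to carry the existing filter into the PUT body. The same single-property assertion pattern applies to `UpdateExpanded`, where the recorded PUT also sends no `entitiesFilter`.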
@@ -0,0 +1,156 @@ +{ + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "334" ], + "x-ms-client-request-id": [ "7bc4824c-999c-46ec-9943-3ccd1a9c07aa" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11921" ], + "x-ms-request-id": [ "bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "x-ms-correlation-request-id": [ "bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1208" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "110" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "x-ms-correlation-request-id": [ "3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1211" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00de92-0000-0100-0000-61b55bf30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:18:27.4677391Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "336" ], + "x-ms-client-request-id": [ "b4f38023-2f12-4c7f-9a76-a99d449d5609" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11920" ], + "x-ms-request-id": [ "722bd76b-a708-49d0-b44e-1c9674312111" ], + "x-ms-correlation-request-id": [ "722bd76b-a708-49d0-b44e-1c9674312111" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:722bd76b-a708-49d0-b44e-1c9674312111" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1208" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "110" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "x-ms-correlation-request-id": [ "216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1211" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c00e892-0000-0100-0000-61b55bf30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:18:27.9035618Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..455256232c77 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,31 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelIncident' {
+ It 'UpdateExpanded' {
+ $getIncident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateincidentId
+ $incident = Update-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateincidentId -Status "Active" -Title $getIncident.Title -Severity $getIncident.Severity
+ $incident.Status | Should -Be "Active"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateViaIdincidentId
+ $incidentUpdate = Update-AzSentinelIncident -InputObject $incident -Status "Active" -Title $incident.Title -Severity $incident.Severity
+ $incidentUpdate.Status | Should -Be "Active"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..53fdd252db9b
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json
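Review bot: `UpdateExpanded` calls `Get-AzSentinelIncident` first only to feed `Title` and `Severity` back into `Update-AzSentinelIncident`, and nothing in the file says why, so a later reader could drop the extra round trip as redundant. The recording above shows the update is issued as a PUT whose body carries `severity`, `status` and `title` together, so a one-line comment on the `$getIncident` line such as `# Update issues a full PUT of the incident properties; re-supply Title and Severity so that only Status changes` would preserve the intent. Whether the service would actually clear omitted properties is not visible here and would need confirming before the comment states it as fact.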
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "70" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "1574a9cb-d657-455d-b357-360f32f17a87" ], + "x-ms-correlation-request-id": [ "1574a9cb-d657-455d-b357-360f32f17a87" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:1574a9cb-d657-455d-b357-360f32f17a87" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:49 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "792" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c009694-0000-0100-0000-61b55c090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:49.9965827Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "339" ], + "x-ms-client-request-id": [ "430efa41-3b8e-46b8-9995-d6eb6ca455ca" ], + "CommandName": [ "Get-AzSentinelIncidentComment" ], + "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], + "ParameterSetName": [ 
"__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "x-ms-correlation-request-id": [ "878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:49 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "792" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c009694-0000-0100-0000-61b55c090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:49.9965827Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + 
"Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "70" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "x-ms-correlation-request-id": [ "5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:50 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "792" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c00a694-0000-0100-0000-61b55c0a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:50.8684487Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 new file mode 100644 index 000000000000..18829691d5e5 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelIncidentComment' {
+ It 'UpdateExpanded' {
+ $incidentComment = Update-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateincidentCommentIncidentId -Id $env.UpdateincidentCommentId -Message "UpdateIncidentCommentPSTest"
+ $incidentComment.Message | Should -Be "UpdateIncidentCommentPSTest"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $incidentComment = Get-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateincidentCommentIncidentId -Id $env.UpdateincidentCommentId
+ $incidentCommentUpdate = Update-AzSentinelIncidentComment -InputObject $incidentComment -Message "UpdateIncidentCommentPSTest"
+ $incidentCommentUpdate.Message | Should -Be "UpdateIncidentCommentPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..44b169165908
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json
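Review bot: The recording this test replays, `Update-AzSentinelIncidentComment.Recording.json` named on the `$TestRecordingFile` line, was committed with the recording author's e-mail address, display name and directory object ID in the response `author` block, while the only value the recorder masked is the `Authorization` header shown as `[Filtered]`. The sanitisation evidently stops at request headers, so identity fields inside response bodies reach the public repository unchanged; since both `It` blocks assert only on `Message`, those values could be replaced with placeholders before committing, or the recorder's filter extended to cover `author`, `createdBy` and `updatedBy`. The Update-AzSentinelIncidentRelation recording that follows carries the same fields in its `createdBy`/`updatedBy` blocks.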
@@ -0,0 +1,187 @@ +{ + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:19:21.3879941Z\",\n \"queryStartTime\": \"2021-12-12T02:19:21.3875305Z\",\n \"queryEndTime\": \"2021-12-11T02:19:21.3877395Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "271" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1177" ], + "x-ms-request-id": [ "d05bbaef-e156-4da8-80c7-121f113af754" ], + "x-ms-correlation-request-id": [ "d05bbaef-e156-4da8-80c7-121f113af754" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021913Z:d05bbaef-e156-4da8-80c7-121f113af754" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1088" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"name\":\"e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"etag\":\"\\\"6b02f1f3-0000-0100-0000-61b55c210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2021-12-12T02:19:13.2559774+00:00\",\"updated\":\"2021-12-12T02:19:13+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:19:21.3879941+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-12T02:19:21.3875305+00:00\",\"queryEndTime\":\"2021-12-11T02:19:21.3877395+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "dbdd9fe0-d935-476e-b949-202e117f6649" ], + "x-ms-correlation-request-id": [ "dbdd9fe0-d935-476e-b949-202e117f6649" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021913Z:dbdd9fe0-d935-476e-b949-202e117f6649" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77\",\"name\":\"defc1116-f142-4647-a377-6869110f6e77\",\"etag\":\"\\\"3c00f395-0000-0100-0000-61b55c210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"relatedResourceName\":\"e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c61a86c4-1839-4800-b41e-6a232283462e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c61a86c4-1839-4800-b41e-6a232283462e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:19:22.5675905Z\",\n \"queryStartTime\": \"2021-12-12T02:19:22.5673080Z\",\n \"queryEndTime\": \"2021-12-11T02:19:22.5674628Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + 
"Content-Type": [ "application/json" ], + "Content-Length": [ "271" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1176" ], + "x-ms-request-id": [ "3b119088-390b-44d6-b71a-f2aecac50942" ], + "x-ms-correlation-request-id": [ "3b119088-390b-44d6-b71a-f2aecac50942" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:3b119088-390b-44d6-b71a-f2aecac50942" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1087" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\",\"name\":\"c61a86c4-1839-4800-b41e-6a232283462e\",\"etag\":\"\\\"6b02f3f3-0000-0100-0000-61b55c220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2021-12-12T02:19:14.2335643+00:00\",\"updated\":\"2021-12-12T02:19:14+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:19:22.5675905+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2021-12-12T02:19:22.567308+00:00\",\"queryEndTime\":\"2021-12-11T02:19:22.5674628+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "344" ], + "x-ms-client-request-id": [ "39c3accf-62d3-4018-b97d-504a21758816" ], + "CommandName": [ "Get-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + "x-ms-correlation-request-id": [ "7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"name\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"relatedResourceName\":\"f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "x-ms-correlation-request-id": [ "88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"name\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"etag\":\"\\\"3c000296-0000-0100-0000-61b55c220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\",\"relatedResourceName\":\"c61a86c4-1839-4800-b41e-6a232283462e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 new file mode 100644 index 000000000000..926389139c3b --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 
@@ -0,0 +1,36 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelIncidentRelation' {
+ It 'UpdateExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incidentRelation = Update-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateincidentRelationIncidentId -RelationName $env.UpdateincidentRelationId -RelatedResourceId $bookmark.Id
+ $incidentRelation.RelatedResourceId | should -be $bookmark.id
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateViaIdincidentRelationIncidentId -RelationName $env.UpdateViaIdincidentRelationId
+ $incidentRelationUpdate = Update-AzSentinelIncidentRelation -InputObject $IncidentRelation -RelatedResourceId $bookmark.Id
+ $incidentRelationUpdate.RelatedResourceId | should -be $bookmark.id
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json
new file mode 100644
index 000000000000..5fa3de5c818e
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json
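Review bot: The `-Query "SecurityEvent\n| take 1"` argument in both It blocks sends a literal backslash followed by `n` rather than a line break, because `\n` is not an escape sequence inside a PowerShell double-quoted string; the recorded request body for this test (`\"query\": \"SecurityEvent\\\\n| take 1\"`) confirms the two characters reach the service unchanged. Use the backtick escape, `` -Query "SecurityEvent`n| take 1" ``, or keep the query on one line, `-Query "SecurityEvent | take 1"`. The bookmark created at the top of each It block is also never removed, so every recorded run leaves two bookmarks behind in the workspace; a cleanup step (`Remove-AzSentinelBookmark` on `$bookmark.Id` at the end of each It, or in an AfterEach) would keep the test self-contained.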
@@ -0,0 +1,125 @@ +{ + "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "353" ], + "x-ms-client-request-id": [ "52b982d6-4a65-43ef-a2c7-830ed2d49deb" ], + "CommandName": [ "get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11917" ], + "x-ms-request-id": [ "ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "x-ms-correlation-request-id": [ "ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021959Z:ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:59 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "785" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "isContentBase64": false + } + }, + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "354" ], + "x-ms-client-request-id": [ "1b1a5f23-3c84-4709-8959-99c92cdd5ff7" ], + "CommandName": [ "Get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + 
"StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11916" ], + "x-ms-request-id": [ "79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "x-ms-correlation-request-id": [ "79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T022000Z:79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:59 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "383" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "isContentBase64": false + } + }, + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "357" ], + "x-ms-client-request-id": [ "3f577564-30c0-4629-8bf1-1a2da7453d06" ], + 
"CommandName": [ "get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11914" ], + "x-ms-request-id": [ "14a48316-711a-4459-834c-a24190ab3126" ], + "x-ms-correlation-request-id": [ "14a48316-711a-4459-834c-a24190ab3126" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T022001Z:14a48316-711a-4459-834c-a24190ab3126" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:20:00 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "401" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 new file mode 100644 index 000000000000..43d3de433d63 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelSetting'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelSetting.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelSetting' {
+ It 'UpdateExpanded' {
+ Update-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName Anomalies -Disabled
+ $settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $sttings.Name | Should -Not -Contain "Anomalies"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName EyesOn
+ Update-AzSentinelSetting -InputObject $setting -Disabled
+ $settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $sttings.Name | Should -Not -Contain "EyesOn"
+ }
+}
diff --git a/src/SecurityInsights/test/common.ps1 b/src/SecurityInsights/test/common.ps1
new file mode 100644
index 000000000000..edffa16c4fbd
--- /dev/null
+++ b/src/SecurityInsights/test/common.ps1
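Review bot: `$sttings.Name | Should -Not -Contain "Anomalies"` in the UpdateExpanded block (and the matching `$sttings.Name | Should -Not -Contain "EyesOn"` in UpdateViaIdentityExpanded) reads a variable that is never assigned; the query result is stored in `$settings`, so `$sttings.Name` evaluates to `$null`, `-Not -Contain` passes vacuously and neither test can ever fail. Change both lines to `$settings.Name | Should -Not -Contain "Anomalies"` and `$settings.Name | Should -Not -Contain "EyesOn"`; the recording for UpdateViaIdentityExpanded shows the settings list shrinking from EyesOn plus IPSyncer to IPSyncer alone after the update, so the corrected assertion should hold against it. Note also that the recording file for this test contains only GET entries, so it is worth confirming that the `Update-AzSentinelSetting -Disabled` calls are actually replayed in playback rather than passing without issuing a request.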
@@ -0,0 +1,552 @@ +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- +function Start-WaitForData($seconds) { + $doneDT = (Get-Date).AddSeconds($seconds) + while($doneDT -gt (Get-Date)) { + $secondsLeft = $doneDT.Subtract((Get-Date)).TotalSeconds + $percent = ($seconds - $secondsLeft) / $seconds * 100 + Write-Progress -Activity "Sleeping" -Status "Sleeping..." -SecondsRemaining $secondsLeft -PercentComplete $percent + [System.Threading.Thread]::Sleep(500) + } + Write-Progress -Activity "Sleeping" -Status "Sleeping..." -SecondsRemaining 0 -Completed +} + +Function Write-OMSLogfile { + <# + .SYNOPSIS + Inputs a hashtable, date and workspace type and writes it to a Log Analytics Workspace. + .DESCRIPTION + Given a value pair hash table, this function will write the data to an OMS Log Analytics workspace. + Certain variables, such as Customer ID and Shared Key are specific to the OMS workspace data is being written to. + This function will not write to multiple OMS workspaces. BuildSignature and post-analytics function from Microsoft documentation + at https://docs.microsoft.com/azure/log-analytics/log-analytics-data-collector-api + .PARAMETER DateTime + date and time for the log. DateTime value + .PARAMETER Type + Name of the logfile or Log Analytics "Type". 
Log Analytics will append _CL at the end of custom logs String Value + .PARAMETER LogData + A series of key, value pairs that will be written to the log. Log file are unstructured but the key should be consistent + withing each source. + .INPUTS + The parameters of data and time, type and logdata. Logdata is converted to JSON to submit to Log Analytics. + .OUTPUTS + The Function will return the HTTP status code from the Post method. Status code 200 indicates the request was received. + .NOTES + Version: 2.0 + Author: Travis Roberts + Creation Date: 7/9/2018 + Purpose/Change: Crating a stand alone function + #> + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [datetime]$dateTime, + [parameter(Mandatory = $true, Position = 1)] + [string]$type, + [Parameter(Mandatory = $true, Position = 2)] + [psobject]$logdata, + [Parameter(Mandatory = $true, Position = 3)] + [string]$CustomerID, + [Parameter(Mandatory = $true, Position = 4)] + [string]$SharedKey + ) + Write-Verbose -Message "DateTime: $dateTime" + Write-Verbose -Message ('DateTimeKind:' + $dateTime.kind) + Write-Verbose -Message "Type: $type" + write-Verbose -Message "LogData: $logdata" + + # Supporting Functions + # Function to create the auth signature + Function BuildSignature ($CustomerID, $SharedKey, $Date, $ContentLength, $Method, $ContentType, $Resource) { + $xheaders = 'x-ms-date:' + $Date + $stringToHash = $Method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $Resource + $bytesToHash = [text.Encoding]::UTF8.GetBytes($stringToHash) + $keyBytes = [Convert]::FromBase64String($SharedKey) + $sha256 = New-Object System.Security.Cryptography.HMACSHA256 + $sha256.key = $keyBytes + $calculateHash = $sha256.ComputeHash($bytesToHash) + $encodeHash = [convert]::ToBase64String($calculateHash) + $authorization = 'SharedKey {0}:{1}' -f $CustomerID, $encodeHash + return $authorization + } + # Function to create and post the request + Function PostLogAnalyticsData 
($CustomerID, $SharedKey, $Body, $Type) { + $method = "POST" + $contentType = 'application/json' + $resource = '/api/logs' + $rfc1123date = ($dateTime).ToString('r') + $ContentLength = $Body.Length + $signature = BuildSignature ` + -customerId $CustomerID ` + -sharedKey $SharedKey ` + -date $rfc1123date ` + -contentLength $ContentLength ` + -method $method ` + -contentType $contentType ` + -resource $resource + $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01" + Write-Output "LA_URI : $uri" + $headers = @{ + "Authorization" = $signature; + "Log-Type" = $type; + "x-ms-date" = $rfc1123date + "time-generated-field" = $dateTime + } + $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $Body -UseBasicParsing + Write-Verbose -message ('Post Function Return Code ' + $response.statuscode) + return $response.statuscode + } + + # Check if time is UTC, Convert to UTC if not. + # $dateTime = (Get-Date) + if ($dateTime.kind.tostring() -ne 'Utc') { + $dateTime = $dateTime.ToUniversalTime() + Write-Verbose -Message $dateTime + } + #Build the JSON file + $logMessage = ($logdata | ConvertTo-Json -Depth 20) + + #Submit the data + $returnCode = PostLogAnalyticsData -CustomerID $CustomerID -SharedKey $SharedKey -Body $logMessage -Type $type + Write-Verbose -Message "Post Statement Return Code $returnCode" + return $returnCode +} + + +Function SendToLogA ($eventsTableName, $EventsTableFile, $CustomerId, $SharedKey ) { + $eventsData = Import-Csv $EventsTableFile + + #Test Size; Log A limit is 30MB + $tempdata = @() + $tempDataSize = 0 + + if ((($eventsData | Convertto-json -depth 20).Length) -gt 25MB) { + Write-Host "Upload is over 25MB, needs to be split" + foreach ($record in $eventsData) { + $tempdata += $record + $tempDataSize += ($record | ConvertTo-Json -depth 20).Length + if ($tempDataSize -gt 25MB) { + $postLAStatus = Write-OMSLogfile -dateTime (Get-Date) -type 
$eventsTableName -logdata $tempdata -CustomerID $CustomerId -SharedKey $SharedKey + write-Host "Sending data = $TempDataSize" + $tempdata = $null + $tempdata = @() + $tempDataSize = 0 + } + } + Write-Host "Sending left over data = $Tempdatasize" + $postLAStatus = Write-OMSLogfile -dateTime (Get-Date) -type $eventsTableName -logdata $tempdata -CustomerID $CustomerId -SharedKey $SharedKey + } + Else { + $postLAStatus = Write-OMSLogfile -dateTime (Get-Date) -type $eventsTableName -logdata $eventsData -CustomerID $CustomerId -SharedKey $SharedKey + } + return $postLAStatus +} + +Function Prepare-LogATables{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [datetime]$SubscriptionId, + [parameter(Mandatory = $true, Position = 1)] + [string]$ResourceGroup, + [Parameter(Mandatory = $true, Position = 2)] + [psobject]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 3)] + [psobject]$Tables + + ) + + ForEach($Table in $Tables){ + $tableParams = @' +{ + "properties": { + "schema": { + "name": "LAQueryLogs", + "columns": [ + ] + } + } +} +'@ + Invoke-AzRestMethod -Path "/subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/LAQueryLogs?api-version=2021-03-01-privatepreview" -Method PUT -payload $tableParams + + } +} + +Function Create-AlertRule{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$workspaceName + ) + $alertRuleName = $PSVerb + "AlertRule" + (RandomString -allChars $false -len 6) + $alertRuleId = (New-Guid).Guid + $alertRuleParams = Get-Content .\test\deployment-templates\alertRule\template.parameters.json | ConvertFrom-Json + $alertRuleParams.parameters.alertruleName.value = $alertRuleName + $alertRuleParams.parameters.alertRuleId.value = $alertRuleId + $alertRuleParams.parameters.workspaceName.value = $workspaceName + set-content -Path 
.\test\deployment-templates\alertRule\template.parameters.json -Value (ConvertTo-Json $alertRuleParams) + $TemplateFile = (Get-ChildItem $TemplatePath\alertRule\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\alertRule\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRule") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+"AlertRuleName"), $alertRuleName) + $null = $env.Add(($PSVerb+"AlertRuleId"), $alertRuleId) + } +} + +Function Create-AlertRuleAction{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$logicAppResourceId, + [Parameter(Mandatory = $true, Position = 3)] + [string]$triggerUrl + + ) + $alertRuleActionRuleId = (New-Guid).Guid + $alertRuleActionRuleName = $PSVerb + "alertRuleActionRuleName" + (RandomString -allChars $false -len 6) + $alertRuleActionId = (New-Guid).Guid + $alertRuleActionParams = Get-Content .\test\deployment-templates\alertRuleAction\template.parameters.json | ConvertFrom-Json + $alertRuleActionParams.parameters.alertRuleActionRuleId.value = $alertRuleActionRuleId + $alertRuleActionParams.parameters.alertRuleActionRuleName.value = $alertRuleActionRuleName + $alertRuleActionParams.parameters.alertRuleActionId.value = $alertRuleActionId + $alertRuleActionParams.parameters.workspaceName.value = $workspaceName + $alertRuleActionParams.parameters.logicAppResourceId.value = $logicAppResourceId + $alertRuleActionParams.parameters.triggerUrl.value = $triggerUrl + set-content -Path .\test\deployment-templates\alertRuleAction\template.parameters.json -Value (ConvertTo-Json $alertRuleActionParams) + $TemplateFile = (Get-ChildItem 
$TemplatePath\alertRuleAction\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\alertRuleAction\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRuleAction") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+"alertRuleActionRuleId"), $alertRuleActionRuleId) + $null = $env.Add(($PSVerb+"alertRuleActionRuleName"), $alertRuleActionRuleName) + $null = $env.Add(($PSVerb+"AlertRuleActionId"), $alertRuleActionId) + } +} + +Function Create-AutomationRule{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$logicAppResourceId + + ) + $automationRuleName = $PSVerb+"AutomationRule"+ (RandomString -allChars $false -len 6) + $automationRuleId = (New-Guid).Guid + $automationRuleParams = Get-Content .\test\deployment-templates\automationRule\template.parameters.json | ConvertFrom-Json + $automationRuleParams.parameters.automationRuleName.value = $automationRuleName + $automationRuleParams.parameters.automationRuleId.value = $automationRuleId + $automationRuleParams.parameters.workspaceName.value = $workspaceName + $automationRuleParams.parameters.logicAppResourceId.value = $logicAppResourceId + set-content -Path .\test\deployment-templates\automationRule\template.parameters.json -Value (ConvertTo-Json $automationRuleParams) + $TemplateFile = (Get-ChildItem $TemplatePath\automationRule\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\automationRule\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AutomationRule") -ResourceGroupName 
$resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'AutomationRule'), $automationRuleName) + $null = $env.Add(($PSVerb+'AutomationRuleId'), $automationRuleId) + } +} + +Function Create-Bookmark{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $bookmarkName = $PSVerb+"bookmark"+ (RandomString -allChars $false -len 6) + $bookmarkId = (New-Guid).Guid + $bookmarkParams = Get-Content .\test\deployment-templates\bookmark\template.parameters.json | ConvertFrom-Json + $bookmarkParams.parameters.bookmarkName.value = $bookmarkName + $bookmarkParams.parameters.bookmarkId.value = $bookmarkId + $bookmarkParams.parameters.workspaceName.value = $workspaceName + $bookmarkParams.parameters.queryStartTime.value = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $bookmarkParams.parameters.queryEndTime.value = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + set-content -Path .\test\deployment-templates\bookmark\template.parameters.json -Value (ConvertTo-Json $bookmarkParams) + $TemplateFile = (Get-ChildItem $TemplatePath\bookmark\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\bookmark\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"bookmark") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'BookmarkName'), $bookmarkName) + $null = $env.Add(($PSVerb+'BookmarkId'), $bookmarkId) + } + # workaround using API to create bookmarks. 
+ #$queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + #$queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + #$uri = "https://management.azure.com/subscriptions/"+$env.SubscriptionId+"/resourceGroups/"+$env.resourceGroupName+"/providers/Microsoft.OperationalInsights/workspaces/"+$env.workspaceName+"/providers/Microsoft.SecurityInsights/bookmarks/"+$bookmarkId+"?api-version=2020-01-01" + #$token = ConvertTo-SecureString -String ((Get-AzAccessToken).Token) -AsPlainText + #$body = @{ + # "properties" = @{ + # "displayName" = "$bookmarkName" + # "labels" = @( "asptest" ) + # "notes" = "Notes go here" + # "query" = "SecurityEvent\n| take 1" + # "queryStartTime" = "$queryStartTime" + # "queryEndTime" = "$queryEndTime" + # "eventTime" = "$queryEndTime" + # } + #} + #$result = Invoke-RestMethod -Uri $uri -Method PUT -Authentication Bearer -Token $token -Body ($body | ConvertTo-Json) +} + +Function Create-BookmarkRelation{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $bookmarkRelationName = $PSVerb + "bookmarkRelation"+ (RandomString -allChars $false -len 6) + $bookmarkRelationId = (New-Guid).Guid + $bookmarkRelationBookmarkId = (New-Guid).Guid + $bookmarkRelationBookmarkName = $PSVerb + "bookmarkRelationBookmarkName"+ (RandomString -allChars $false -len 6) + $bookmarkRelationIncidentId = (New-Guid).Guid + $bookmarkRelationIncidentName = $PSVerb + "bookmarkRelationIncidentName"+ (RandomString -allChars $false -len 6) + $bookmarkRelationParams = Get-Content .\test\deployment-templates\bookmarkRelation\template.parameters.json | ConvertFrom-Json + $bookmarkRelationParams.parameters.bookmarkRelationId.value = $bookmarkRelationId + $bookmarkRelationParams.parameters.bookmarkRelationBookmarkId.value = $bookmarkRelationBookmarkId + 
$bookmarkRelationParams.parameters.bookmarkRelationBookmarkName.value = $bookmarkRelationBookmarkName + $bookmarkRelationParams.parameters.queryStartTime.value = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $bookmarkRelationParams.parameters.queryEndTime.value = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $bookmarkRelationParams.parameters.bookmarkRelationIncidentId.value = $bookmarkRelationIncidentId + $bookmarkRelationParams.parameters.bookmarkRelationIncidentName.value = $bookmarkRelationIncidentName + $bookmarkRelationParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\bookmarkRelation\template.parameters.json -Value (ConvertTo-Json $bookmarkRelationParams) + $TemplateFile = (Get-ChildItem $TemplatePath\bookmarkRelation\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\bookmarkRelation\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"BookmarkRelation") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'BookmarkRelationName'), $bookmarkRelationName) + $null = $env.Add(($PSVerb+'BookmarkRelationId'), $bookmarkRelationId) + $null = $env.Add(($PSVerb+'bookmarkRelationBookmarkId'), $bookmarkRelationBookmarkId) + $null = $env.Add(($PSVerb+'bookmarkRelationBookmarkName'), $bookmarkRelationBookmarkName) + $null = $env.Add(($PSVerb+'BookmarkRelationIncidentId'), $bookmarkRelationIncidentId) + $null = $env.Add(($PSVerb+'bookmarkRelationIncidentName'), $bookmarkRelationIncidentName) + } +} + +Function Create-EntityQuery{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $entityQueryActivityName = 
$PSVerb+"entityQueryActivity"+ (RandomString -allChars $false -len 6) + $entityQueryActivityId = (New-Guid).Guid + $entityQueryParams = Get-Content .\test\deployment-templates\entityQuery\template.parameters.json | ConvertFrom-Json + $entityQueryParams.parameters.entityQueryActivityId.value = $entityQueryActivityId + $entityQueryParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\entityQuery\template.parameters.json -Value (ConvertTo-Json $entityQueryParams) + $TemplateFile = (Get-ChildItem $TemplatePath\entityQuery\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\entityQuery\template.parameters.json).FullName + # Bug Sent to Aviv + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"entityQuery") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'entityQueryActivityName'), $entityQueryActivityName) + $null = $env.Add(($PSVerb+'entityQueryActivityId'), $entityQueryActivityId) + } +} + +Function Create-Incident{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $incidentName = $PSVerb+"incident"+ (RandomString -allChars $false -len 6) + $incidentId = (New-Guid).Guid + $incidentParams = Get-Content .\test\deployment-templates\incident\template.parameters.json | ConvertFrom-Json + $incidentParams.parameters.incidentId.value = $incidentId + $incidentParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\incident\template.parameters.json -Value (ConvertTo-Json $incidentParams) + $TemplateFile = (Get-ChildItem $TemplatePath\incident\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\incident\template.parameters.json).FullName + $result = 
New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incident") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'incidentName'), $incidentName) + $null = $env.Add(($PSVerb+'incidentId'), $incidentId) + } +} + +Function Create-IncidentComment{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $incidentCommentName = $PSVerb+"incidentComment"+ (RandomString -allChars $false -len 6) + $incidentCommentId = (New-Guid).Guid + $incidentCommentIncidentId = (New-Guid).Guid + $incidentCommentParams = Get-Content .\test\deployment-templates\incidentComment\template.parameters.json | ConvertFrom-Json + $incidentCommentParams.parameters.incidentCommentIncidentId.value = $incidentCommentIncidentId + $incidentCommentParams.parameters.incidentCommentId.value = $incidentCommentId + $incidentCommentParams.parameters.incidentCommentName.value = $incidentCommentName + $incidentCommentParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\incidentComment\template.parameters.json -Value (ConvertTo-Json $incidentCommentParams) + $TemplateFile = (Get-ChildItem $TemplatePath\incidentComment\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\incidentComment\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentComment") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'incidentCommentName'), $incidentCommentName) + $null = $env.Add(($PSVerb+'incidentCommentId'), $incidentCommentId) + $null = $env.Add(($PSVerb+'incidentCommentIncidentId'), $incidentCommentIncidentId) + 
} +} + +Function Create-IncidentRelation{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $incidentRelationName = $PSVerb+"incidentRelationName"+ (RandomString -allChars $false -len 6) + $incidentRelationId = (New-Guid).Guid + $incidentRelationIncidentName = $PSVerb+"incidentRelationIncidentName"+ (RandomString -allChars $false -len 6) + $incidentRelationIncidentId = (New-Guid).Guid + $incidentRelationBookmarkName = $PSVerb+"incidentRelationBookmarkName"+ (RandomString -allChars $false -len 6) + $incidentRelationBookmarkId = (New-Guid).Guid + $incidentRelationParams = Get-Content .\test\deployment-templates\incidentRelation\template.parameters.json | ConvertFrom-Json + $incidentRelationParams.parameters.incidentRelationBookmarkId.value = $incidentRelationBookmarkId + $incidentRelationParams.parameters.incidentRelationBookmarkName.value = $incidentRelationBookmarkName + $incidentRelationParams.parameters.incidentRelationIncidentId.value = $incidentRelationIncidentId + $incidentRelationParams.parameters.incidentRelationIncidentName.value = $incidentRelationIncidentName + $incidentRelationParams.parameters.queryStartTime.value = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $incidentRelationParams.parameters.queryEndTime.value = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $incidentRelationParams.parameters.incidentRelationId.value = $incidentRelationId + $incidentRelationParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\incidentRelation\template.parameters.json -Value (ConvertTo-Json $incidentRelationParams) + $TemplateFile = (Get-ChildItem $TemplatePath\incidentRelation\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\incidentRelation\template.parameters.json).FullName + #Bug due to 
bookmark + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentRelation") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'incidentRelationName'), $incidentRelationName) + $null = $env.Add(($PSVerb+'incidentRelationId'), $incidentRelationId) + $null = $env.Add(($PSVerb+'incidentRelationIncidentId'), $incidentRelationIncidentId) + $null = $env.Add(($PSVerb+'incidentRelationIncidentName'), $incidentRelationIncidentName) + $null = $env.Add(($PSVerb+'incidentRelationBookmarkId'), $incidentRelationBookmarkId) + $null = $env.Add(($PSVerb+'incidentRelationBookmarkName'), $incidentRelationBookmarkName) + } +} + +Function Create-SourceControl{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$Url + ) + $sourceControlName = $PSVerb+"sourceControl"+ (RandomString -allChars $false -len 6) + $sourceControlId = (New-Guid).Guid + $sourceControlParams = Get-Content .\test\deployment-templates\sourceControl\template.parameters.json | ConvertFrom-Json + $sourceControlParams.parameters.sourceControlId.value = $sourceControlId + $sourceControlParams.parameters.sourceControlName.value = $sourceControlName + $sourceControlParams.parameters.url.value = $url + $sourceControlParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\sourceControl\template.parameters.json -Value (ConvertTo-Json $sourceControlParams) + $TemplateFile = (Get-ChildItem $TemplatePath\sourceControl\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\sourceControl\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile 
$TemplateParametersFile -Name ($PSVerb+"sourceControl") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'sourceControlName'), $sourceControlName) + $null = $env.Add(($PSVerb+'sourceControlId'), $sourceControlId) + $null = $env.Add(($PSVerb+'sourceControlurl'), $url) + } +} + +Function Create-ThreatIntelligenceIndicator{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$IP + ) + $threatIntelligenceIndicatorName = $PSVerb+"threatIntelligenceIndicator"+ (RandomString -allChars $false -len 6) + $threatIntelligenceIndicatorId = (New-Guid).Guid + $threatIntelligenceIndicatorDate = (get-date).ToUniversalTime() | Get-Date -Format "ddd, dd MMM yyyy hh:00:00 'GMT'" + $threatIntelligenceIndicatorParams = Get-Content .\test\deployment-templates\threatIntelligenceIndicator\template.parameters.json | ConvertFrom-Json + $threatIntelligenceIndicatorParams.parameters.threatIntelligenceIndicatorId.value = $threatIntelligenceIndicatorId + $threatIntelligenceIndicatorParams.parameters.threatIntelligenceIndicatorName.value = $threatIntelligenceIndicatorName + $threatIntelligenceIndicatorParams.parameters.ip.value = $IP + $threatIntelligenceIndicatorParams.parameters.threatIntelligenceIndicatorDate.value = $threatIntelligenceIndicatorDate + $threatIntelligenceIndicatorParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\threatIntelligenceIndicator\template.parameters.json -Value (ConvertTo-Json $threatIntelligenceIndicatorParams) + $TemplateFile = (Get-ChildItem $TemplatePath\threatIntelligenceIndicator\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\threatIntelligenceIndicator\template.parameters.json).FullName + #ARM doesnt work use API + #$result = 
New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"threatIntelligenceIndicator") -ResourceGroupName $resourceGroupName + #if($result.ProvisioningState -eq "Succeeded"){ + # $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorName'), $threatIntelligenceIndicatorName) + # $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorId'), $threatIntelligenceIndicatorId) + # $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorIP'), $IP) + #} + $tiToken = (Get-AzAccessToken).Token + $tiHeaders = @{ + Authorization="Bearer $tiToken" + Content='application/json' + } + $tiBody = @{ + "kind" = "indicator" + "properties" = @{ + "confidence" = 0 + "threatTypes"= @( + "unknown" + ) + "displayName" = "$threatIntelligenceIndicatorName" + "pattern" = "[ipv4-addr:value = '$ip']" + "patternType" = "ipv4-addr" + "revoked" = $false + "validFrom" = "$threatIntelligenceIndicatorDate" + "validUntil" = $null + "source" = "Azure Sentinel" + "threatIntelligenceTags" = @() + } + } + $tiBody = $tiBody | Convertto-json + $uri = "https://management.azure.com/subscriptions/"+ $env.SubscriptionId + "/resourceGroups/" + $env.resourceGroupName + "/providers/Microsoft.OperationalInsights/workspaces/" + $env.workspaceName + "/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2021-09-01-preview" + $indicator = Invoke-RestMethod -Method POST -Uri $Uri -Headers $tiHeaders -body $tiBody -ContentType Application/json + #if($indicator.Kind -eq "indicator"){ + $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorName'), $threatIntelligenceIndicatorName) + $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorId'), ($indicator.Name)) + $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorIP'), $IP) + #} +} \ No newline at end of file diff --git a/src/SecurityInsights/test/constants.json b/src/SecurityInsights/test/constants.json new file mode 100644 index 000000000000..e204ea31dadb --- /dev/null 
+++ b/src/SecurityInsights/test/constants.json
@@ -0,0 +1,4 @@
+{
+ "location" : "Central US",
+ "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e"
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/alertRule/template.json b/src/SecurityInsights/test/deployment-templates/alertRule/template.json
new file mode 100644
index 000000000000..aef1b4aa95f4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRule/template.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleName": {
+ "defaultValue": "alertRuleName",
+ "type": "String"
+ },
+ "alertRuleId": {
+ "defaultValue": "alertRuleId",
+ "type": "String"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('alertRuleId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Scheduled",
+ "properties": {
+ "description": "[concat(parameters('alertRuleName'), ' ', parameters('alertRuleId'))]",
+ "displayName": "[parameters('alertRuleName')]",
+ "enabled": true,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "groupByEntities": [],
+ "lookbackDuration": "PT5H",
+ "MatchingMethod": "AllEntities",
+ "reopenClosedIncident": false
+ }
+ },
+ "query": "SecurityEvent\n| take 1",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "severity": "Informational",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "tactics": [ "Execution" ],
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0
+ }
+ }
+ ]
+}
\ No newline at end of file
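Review bot: The key `ASIServicePrinicpal` is misspelled ("Prinicpal"), and the same spelling is carried into the authorization template's parameter name and its parameters file later in this diff, so the typo will have to be fixed in three places at once; rename it to `ASIServicePrincipal` now while the files are new. JSON allows no inline comment, so the PR description or the test README should say what this object ID is (presumably the Azure Security Insights service principal of the test tenant) so nobody mistakes it for a secret or for a tenant-specific value that works elsewhere.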
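Review bot: The fixture rule is deployed with `"enabled": true` and `"createIncident": true` on a `P1D` schedule, so any alert-rule fixture left behind by a failed or interrupted test run keeps querying the workspace and opening incidents until someone deletes it. Unless a test depends on the rule actually firing, deploy the fixture with `"enabled": false,` and enable it only in the specific test that needs a live rule. `MatchingMethod` is also the only PascalCase property in the template; `matchingMethod` matches the rest of the file and the service's property name.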
diff --git a/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json b/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
new file mode 100644
index 000000000000..e0ad7018fd73
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleName": {
+ "value": "UpdateViaIdAlertRuledgk4wi"
+ },
+ "alertRuleId": {
+ "value": "6dde1054-1a0b-4c5a-a9a8-3587c76613a2"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json
new file mode 100644
index 000000000000..eaca4a5c4a23
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json
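Review bot: The committed values (`UpdateViaIdAlertRuledgk4wi`, the rule GUID, workspace `asptest8xu4wd`) are simply whatever the last local run produced: the Create-AlertRule helper earlier in this diff rewrites this file in place with `set-content` before every deployment, so each test run dirties the working tree and the next commit snapshots a developer's workspace name. Check in placeholder values (`"value": "alertRuleName"` etc.) and have the helper write the filled-in parameters to a temporary copy, e.g. `$TemplateParametersFile = Join-Path ([System.IO.Path]::GetTempPath()) 'alertRule.parameters.json'`, or at minimum ignore the generated files in .gitignore. The same applies to every other template.parameters.json in this change.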
@@ -0,0 +1,80 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleActionRuleId": {
+ "defaultValue": "alertRuleActionRuleId",
+ "type": "string"
+ },
+ "alertRuleActionRuleName": {
+ "defaultValue": "alertRuleActionRuleName",
+ "type": "string"
+ },
+ "alertRuleActionId": {
+ "defaultValue": "alertRuleActionId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ },
+ "logicAppResourceId":{
+ "defaultValue": "logicAppResourceId",
+ "type": "string"
+ },
+ "triggerUrl": {
+ "defaultValue": "triggerUrl",
+ "type": "string"
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('alertRuleActionRuleId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Scheduled",
+ "properties": {
+ "description": "[concat(parameters('alertRuleActionRuleName'), ' ', parameters('alertRuleActionRuleId'))]",
+ "displayName": "[parameters('alertRuleActionRuleName')]",
+ "enabled": true,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "groupByEntities": [],
+ "lookbackDuration": "PT5H",
+ "MatchingMethod": "AllEntities",
+ "reopenClosedIncident": false
+ }
+ },
+ "query": "SecurityEvent\n| take 1",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "severity": "Informational",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "tactics": [ "Execution" ],
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('alertRuleActionRuleId'), '/', parameters('alertRuleActionId'))]",
+ "type": 
"Microsoft.OperationalInsights/workspaces/providers/alertRules/actions", + "apiVersion": "2021-03-01-preview", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/providers/alertRules', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('alertRuleActionRuleId'))]" ], + "properties": { + "logicAppResourceId": "[parameters('logicAppResourceId')]", + "triggerUri": "[parameters('triggerUrl')]" + } + } + ], + "outputs": { + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json new file mode 100644 index 000000000000..ed36ae3cec2d --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "alertRuleActionRuleId": { + "value": "a555c523-e318-4501-bfe8-b9c6da354af7" + }, + "alertRuleActionRuleName": { + "value": "UpdateViaIdalertRuleActionRuleNameymswnj" + }, + "alertRuleActionId": { + "value": "34ec4b87-3f90-443e-9034-c32e77c5fb6e" + }, + "workspaceName": { + "value": "asptest8xu4wd" + }, + "logicAppResourceId": { + "value": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert" + }, + "triggerUrl": { + "value": "https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ" + } + } +} 
diff --git a/src/SecurityInsights/test/deployment-templates/authorization/template.json b/src/SecurityInsights/test/deployment-templates/authorization/template.json
new file mode 100644
index 000000000000..ffe2c6c0bdb1
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/authorization/template.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ASIServicePrinicpal": {
+ "defaultValue": "ASIServicePrinicpal",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "roleAssignmentName": "[guid(parameters('ASIServicePrinicpal'), resourceGroup().id)]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2021-04-01-preview",
+ "name": "[variables('roleAssignmentName')]",
+ "properties": {
+ "roleDefinitionId": "[concat('/subscriptions/', subscription().id, '/', resourceGroup().name, '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a')]",
+ "principalId": "[parameters('ASIServicePrinicpal')]"
+ }
+ }
+ ],
+ "outputs": {
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json b/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
new file mode 100644
index 000000000000..80cc3c6d007c
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ASIServicePrinicpal": {
+ "value": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/automationRule/template.json b/src/SecurityInsights/test/deployment-templates/automationRule/template.json
new file mode 100644
index 000000000000..f5e91b749b48
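Review bot: The `roleDefinitionId` expression is malformed: `subscription().id` already evaluates to `/subscriptions/<guid>`, so the concat yields `/subscriptions//subscriptions/<guid>/<rgName>/providers/Microsoft.Authorization/roleDefinitions/f4c8…`, which also lacks the `resourceGroups/` segment a group-scoped path would need; unless ARM happens to normalise it, the assignment fails with a role-definition-not-found error. Built-in roles are subscription-scoped, so write `"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]"`. Also add `"principalType": "ServicePrincipal"` next to `principalId`, which lets the assignment succeed without waiting for directory replication, and state in the PR description which built-in role that GUID is (it looks like the Microsoft Sentinel Automation Contributor role, but the JSON gives no hint), since a role grant to a service principal is the one fixture in this change that a reviewer most needs to understand.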
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/automationRule/template.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automationRuleName": {
+ "defaultValue": "automationRuleName",
+ "type": "string"
+ },
+ "automationRuleId": {
+ "defaultValue": "automationRuleId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ },
+ "logicAppResourceId":{
+ "defaultValue": "logicAppResourceId",
+ "type": "string"
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('automationRuleId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
+ "apiVersion": "2019-01-01-preview",
+ "properties": {
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "RunPlaybook",
+ "actionConfiguration": {
+ "logicAppResourceId": "[parameters('logicAppResourceId')]",
+ "tenantId": "[subscription().tenantId]"
+ }
+ }
+ ],
+ "displayName": "[parameters('automationRuleName')]",
+ "order": 1,
+ "triggeringLogic": {
+ "conditions": [],
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "expirationTimeUtc": null
+ }
+ }
+ }
+ ],
+ "outputs": {
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json b/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
new file mode 100644
index 000000000000..0b2f0d689dac
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automationRuleName": {
+ "value": "UpdateViaIdAutomationRulezi05h4"
+ },
+ "automationRuleId": {
+ "value": "61701d90-8353-4d61-b435-f9905a31142d"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "logicAppResourceId": {
+ "value": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/bookmark/template.json b/src/SecurityInsights/test/deployment-templates/bookmark/template.json
new file mode 100644
index 000000000000..83bed78db2bf
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/bookmark/template.json
@@ -0,0 +1,44 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "bookmarkName": { + "defaultValue": "bookmarkName", + "type": "String" + }, + "bookmarkId": { + "defaultValue": "bookmarkId", + "type": "String" + }, + "workspaceName": { + "defaultValue": "workspaceName", + "type": "string" + }, + "queryStartTime": { + "defaultValue": "queryStartTime", + "type": "string" + }, + "queryEndTime": { + "defaultValue": "queryEndTime", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks", + "apiVersion": "2020-01-01", + "properties": { + "displayName": "[parameters('bookmarkName')]", + "labels": [ "asptest" ], + "notes": "Notes go here", + "query": "SigninLogs_CL", + "queryStartTime": "[parameters('queryStartTime')]", + "queryEndTime": "[parameters('queryEndTime')]", + "eventTime": "[parameters('queryEndTime')]", + "queryResult": "{\"TenantId\":\"6ad64079-1c3e-4672-bc2d-08df98ad5751\",\"SourceSystem\":\"RestAPI\",\"MG\":\"\",\"ManagementGroupName\":\"\",\"TimeGenerated\":\"2021-12-08T03:59:19.262Z\",\"Computer\":\"\",\"RawData\":\"\",\"ResourceId\":\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\",\"OperationName\":\"Sign-in activity\",\"OperationVersion\":\"1\",\"Category\":\"SignInLogs\",\"ResultType\":\"0\",\"ResultSignature\":\"None\",\"ResultDescription\":\"\",\"DurationMs\":0,\"CorrelationId\":\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\",\"Resource\":\"Microsoft.aadiam\",\"ResourceGroup\":\"Microsoft.aadiam\",\"ResourceProvider\":\"\",\"Identity_s\":\"Adele Vance\",\"Level\":\"4\",\"Location_s\":\"IL\",\"AlternateSignInName_s\":\"\",\"AppDisplayName_s\":\"Azure 
Portal\",\"AppId_g\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AuthenticationDetails_s\":\"[\\r\\n {\\r\\n \\\"authenticationStepDateTime\\\": \\\"2021-04-28T14:08:45.2213421+00:00\\\",\\r\\n \\\"authenticationMethod\\\": \\\"Previously satisfied\\\",\\r\\n \\\"succeeded\\\": true,\\r\\n \\\"authenticationStepResultDetail\\\": \\\"First factor requirement satisfied by claim in the token\\\",\\r\\n \\\"authenticationStepRequirement\\\": \\\"Primary authentication\\\",\\r\\n \\\"StatusSequence\\\": 0,\\r\\n \\\"RequestSequence\\\": 0\\r\\n }\\r\\n]\",\"AuthenticationMethodsUsed_s\":\"\",\"AuthenticationProcessingDetails_s\":\"[\\r\\n {\\r\\n \\\"key\\\": \\\"IsCAEToken\\\",\\r\\n \\\"value\\\": \\\"False\\\"\\r\\n }\\r\\n]\",\"AuthenticationRequirement_s\":\"singleFactorAuthentication\",\"AuthenticationRequirementPolicies_s\":\"[]\",\"ClientAppUsed_s\":\"Browser\",\"ConditionalAccessPolicies_dynamic_s\":\"[{\\\"enforcedSessionControls\\\":[],\\\"conditionsNotSatisfied\\\":0,\\\"enforcedGrantControls\\\":[],\\\"conditionsSatisfied\\\":0,\\\"displayName\\\":\\\"Exchange Online Requires Compliant Device\\\",\\\"result\\\":\\\"notEnabled\\\",\\\"id\\\":\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\"}]\",\"ConditionalAccessPolicies_string_s\":\"\",\"ConditionalAccessStatus_s\":\"notApplied\",\"CreatedDateTime_UTC__s\":\"4/28/2021, 2:08:45.221 PM\",\"DeviceDetail_dynamic_s\":\"{\\\"operatingSystem\\\":\\\"Windows 10\\\",\\\"deviceId\\\":\\\"\\\",\\\"browser\\\":\\\"Edge 90.0.818\\\"}\",\"DeviceDetail_string_s\":\"\",\"IsInteractive_s\":\"TRUE\",\"Id_g\":\"cfb68155-70f5-4e28-b046-0a3a7086c401\",\"IPAddress\":\"175.45.176.99\",\"IsRisky_s\":\"\",\"LocationDetails_dynamic_s\":\"{\\\"countryOrRegion\\\":\\\"IL\\\",\\\"geoCoordinates\\\":{\\\"longitude\\\":34.79964828491211,\\\"latitude\\\":32.02956008911133},\\\"state\\\":\\\"Tel 
Aviv\\\",\\\"city\\\":\\\"Azor\\\"}\",\"LocationDetails_string_s\":\"\",\"MfaDetail_dynamic_s\":\"{}\",\"MfaDetail_string_s\":\"\",\"NetworkLocationDetails_s\":\"[]\",\"OriginalRequestId_g\":\"cfb68155-70f5-4e28-b046-0a3a7086c401\",\"ProcessingTimeInMilliseconds_s\":\"3535\",\"RiskDetail_s\":\"none\",\"RiskEventTypes_s\":\"[]\",\"RiskEventTypes_V2_s\":\"[]\",\"RiskLevelAggregated_s\":\"none\",\"RiskLevelDuringSignIn_s\":\"none\",\"RiskState_s\":\"none\",\"ResourceDisplayName_s\":\"Windows Azure Service Management API\",\"ResourceIdentity_g\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"ServicePrincipalId_s\":\"\",\"ServicePrincipalName_s\":\"\",\"Status_dynamic_s\":\"{\\\"errorCode\\\":0}\",\"Status_string_s\":\"\",\"TokenIssuerName_s\":\"\",\"TokenIssuerType_s\":\"AzureAD\",\"UserAgent_s\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\",\"UserDisplayName_s\":\"Adele Vance\",\"UserId_g\":\"9b117c67-170e-4aed-9702-658b3fddc889\",\"UserPrincipalName_s\":\"adelev@m365x816222.onmicrosoft.com\",\"AADTenantId_g\":\"2ad3fc79-1859-42fa-9011-6f8df2251b22\",\"UserType_s\":\"Member\",\"FlaggedForReview_s\":\"\",\"SignInIdentifier_s\":\"\",\"SignInIdentifierType_s\":\"\",\"ResourceTenantId_g\":\"2ad3fc79-1859-42fa-9011-6f8df2251b22\",\"HomeTenantId_g\":\"2ad3fc79-1859-42fa-9011-6f8df2251b22\",\"Type_s\":\"SigninLogs\",\"AdditionalDetails_s\":\"\",\"InitiatedBy_s\":\"\",\"ResourceIdentity_s\":\"\",\"HomeTenantId_s\":\"\",\"Type\":\"SigninLogs_CL\",\"_ResourceId\":\"\"}" + } + } + ] +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json b/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json new file mode 100644 index 000000000000..70c0ce3ee6dc --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json 
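Review bot: The `queryResult` property embeds a complete exported `SigninLogs` record — UPN, user and tenant GUIDs, client IP, geo-coordinates, user agent and a Conditional Access policy name — none of which the bookmark fixture needs; the bookmarkRelation template later in this diff creates a bookmark without any `queryResult` at all, so the field is optional. Even if this came from a demo tenant (the `m365x…onmicrosoft.com` UPN suggests so), a public repository should not carry data shaped like a real sign-in export, so trim it to a minimal record such as `"queryResult": "{\"TimeGenerated\":\"2021-12-08T03:59:19.262Z\",\"Type\":\"SigninLogs_CL\"}"`. That also turns a 4 KB single line into something reviewable, and removes the mismatch between `"query": "SigninLogs_CL"` here and `"SecurityEvent\n| take 1"` in the sibling bookmark fixture, which should presumably use the same query.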
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "bookmarkName": {
+ "value": "Expandbookmarkq42uhy"
+ },
+ "bookmarkId": {
+ "value": "b35d430d-02ac-4025-a10e-32cd2ffbe46b"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "queryStartTime": {
+ "Value": "2021-12-11T01:00:00.000Z"
+ },
+ "queryEndTime": {
+ "Value": "2021-12-12T01:00:00.000Z"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json
new file mode 100644
index 000000000000..bb2d5b77c1c0
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json
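Review bot: `queryStartTime` and `queryEndTime` use the key `"Value"` while every other parameter in this file uses `"value"`. ARM appears to match property names case-insensitively, so the deployment will most likely still bind these values, but the inconsistency reads as a typo and is the kind of thing a strict schema validator or a future tooling change will reject. Normalise both to `"value": "2021-12-11T01:00:00.000Z"` and `"value": "2021-12-12T01:00:00.000Z"` so the file matches its siblings.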
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "bookmarkRelationId": { + "defaultValue": "bookmarkRelationId", + "type": "string" + }, + "bookmarkRelationBookmarkId": { + "defaultValue": "bookmarkRelationBookmarkId", + "type": "string" + }, + "bookmarkRelationBookmarkName": { + "defaultValue": "bookmarkRelationBookmarkName", + "type": "string" + }, + "queryStartTime": { + "defaultValue": "queryStartTime", + "type": "string" + }, + "queryEndTime": { + "defaultValue": "queryEndTime", + "type": "string" + }, + "bookmarkRelationIncidentId": { + "defaultValue": "bookmarkRelationIncidentId", + "type": "string" + }, + "bookmarkRelationIncidentName": { + "defaultValue": "bookmarkRelationIncidentName", + "type": "string" + }, + "workspaceName": { + "defaultValue": "workspaceName", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/incidents", + "apiVersion": "2021-04-01", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkRelationIncidentId'))]", + "properties": { + "severity": "Informational", + "status": "New", + "title": "[parameters('bookmarkRelationIncidentName')]" + } + }, + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkRelationBookmarkId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks", + "apiVersion": "2020-01-01", + "properties": { + "displayName": "[parameters('bookmarkRelationBookmarkName')]", + "labels": [ "asptest" ], + "notes": "Notes go here", + "query": "SecurityEvent\n| take 1", + "queryStartTime": "[parameters('queryStartTime')]", + "queryEndTime": "[parameters('queryEndTime')]", + "eventTime": "[parameters('queryEndTime')]" + } + }, + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', 
parameters('bookmarkRelationBookmarkId'), '/', parameters('bookmarkRelationId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks/relations", + "apiVersion": "2020-01-01", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('bookmarkRelationBookmarkId'))]", + "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('bookmarkRelationIncidentId'))]" + ], + "properties": { + "relatedResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('bookmarkRelationIncidentId'))]" + } + } + ] +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json new file mode 100644 index 000000000000..6f579cd722fa --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json 
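Review bot: Every parameter in this template carries a placeholder `defaultValue` equal to its own name (`"queryStartTime"`, `"bookmarkRelationBookmarkId"`, …), so a deployment that omits the parameters file is not rejected at validation time: the literal string `queryStartTime` is sent as the bookmark's `queryStartTime`/`queryEndTime`/`eventTime`, and `bookmarkRelationBookmarkId` becomes the resource name, yielding an opaque provider error or a junk-named resource in the workspace. Dropping the `defaultValue` lines and leaving only `"type": "string"` makes the parameters required and surfaces a missing value as a clear validation failure. Separately, the bookmark and relation resources use `apiVersion` `2020-01-01` while the incident uses `2021-04-01`; if that split is deliberate because the cmdlets under test target those versions, a line in the test README saying so would stop the next person from "fixing" it.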
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "bookmarkRelationId": {
+ "value": "e2e68737-82b4-49f0-822f-f9196f65aac8"
+ },
+ "bookmarkRelationBookmarkId": {
+ "value": "463b2e8b-17c1-48d6-94a3-7443b0ba2cbf"
+ },
+ "bookmarkRelationBookmarkName": {
+ "value": "UpdateViaIdbookmarkRelationBookmarkName5modef"
+ },
+ "queryStartTime": {
+ "value": "2021-12-11T01:00:00.000Z"
+ },
+ "queryEndTime": {
+ "value": "2021-12-12T01:00:00.000Z"
+ },
+ "bookmarkRelationIncidentId": {
+ "value": "6cbc4e33-d46b-4993-96e4-ecb0e44415cb"
+ },
+ "bookmarkRelationIncidentName": {
+ "value": "UpdateViaIdbookmarkRelationIncidentName84x0ne"
+ },
+ "workspaceName": {
+ "Value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/customData/alertRules.json b/src/SecurityInsights/test/deployment-templates/customData/alertRules.json
new file mode 100644
index 000000000000..c010ad5fe9e4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/customData/alertRules.json
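Review bot: `workspaceName` uses the key `"Value"` while the seven parameters above it use `"value"`. ARM appears to treat property names case-insensitively so this probably still deploys, but it is inconsistent with the rest of the file and with the other parameter files in this change. Change it to `"value": "asptest8xu4wd"`.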
@@ -0,0 +1,218 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string" + }, + "solarigateRuleGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "disabledRuleGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "mlRuleGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('solarigateRuleGuid'))]", + "kind": "Scheduled", + "apiVersion":"2021-03-01-preview", + "properties": { + "displayName": "Solorigate Network Beacon", + "description": "Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1", + "severity": "High", + "enabled": true, + "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | extend DNSName = Name\n | where 
isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(imDns \n | where isnotempty(Query)\n | where Query in~ (domains)\n | extend DNSName = Query\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (domains) \n | extend DNSName = Request_Name\n | extend IPCustomEntity = ClientIP \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ) \n )", + "queryFrequency": "PT5M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "CommandAndControl" + ], + "alertRuleTemplateName": "cecdbd4c-4902-403c-8d4b-32eb1efe460b", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AnyAlert", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": null, + "customDetails": null, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "DNSName" + } + ] + } + ], + "templateVersion": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('disabledRuleGuid'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "properties": { + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nReferences: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "severity": "Medium", + "enabled": true, + "query": "SigninLogs_CL\n | where ResultType == \"50057\" \n | where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \n applicationSet = makeset(AppDisplayName_s)\n by IPAddress, Type\n | order by disabledAccountLoginAttempts desc\n | join kind= leftouter (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n SigninLogs_CL\n | where ResultType == 0\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on IPAddress \n | where successfulAccountSigninCount != 0\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \n successfulAccountSigninCount, successfulAccountSigninSet, Type\n | order by disabledAccountLoginAttempts\n | extend timestamp = StartTime, IPCustomEntity = IPAddress", + "queryFrequency": "PT5M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "InitialAccess", + "Persistence" + ], + "alertRuleTemplateName": "500c103a-0319-4d56-8e99-3cec8d860757", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, 
+ "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [ + "IP" + ], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": null, + "customDetails": null, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('mlRuleGuid'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "properties": { + "displayName": "Malicious Inbox Rule - custom", + "description": "This rule is detecting on delete all traces of phishing email from user mailboxes", + "severity": "Medium", + "enabled": true, + "query": "let Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\nOfficeActivity_CL\r\n| where Operation_s =~ \"New-InboxRule\"\r\n| where Parameters_s has \"Deleted Items\" or Parameters_s has \"Junk Email\" \r\n| extend Events=todynamic(Parameters_s)\r\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n| where SubjectContainsWords has_any (Keywords)\r\nor BodyContainsWords has_any (Keywords)\r\nor SubjectOrBodyContainsWords has_any (Keywords)\r\n| extend ClientIPAddress = case( ClientIP_s has \".\", tostring(split(ClientIP_s,\":\")[0]), ClientIP_s has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP_s,\"]\")[0]))), ClientIP_s )\r\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, 
(iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n| extend RuleDetail = case(OfficeObjectId_s contains '/' , tostring(split(OfficeObjectId_s, '/')[-1]) , tostring(split(OfficeObjectId_s, '\\\\')[-1]))\r\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail", + "queryFrequency": "PT5M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "Persistence", + "DefenseEvasion" + ], + "alertRuleTemplateName": null, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT12H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Account" + ], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "Malicious Inbox Rule, affected user {{UserId__s}}", + "alertDescriptionFormat": null, + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "customDetails": null, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "UserId__s" + } + ] + } + ] + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json b/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json new file mode 100644 index 000000000000..8cadfedfa18e --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json 
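Review bot: `solarigateRuleGuid`, `disabledRuleGuid` and `mlRuleGuid` default to `[newGuid()]`, so any deployment that does not pass `alertRules.parameters.json` creates three brand-new enabled scheduled rules on every run instead of updating the pinned ones, leaving orphaned rules firing in the test workspace; removing the three `"defaultValue": "[newGuid()]"` lines makes the ids required and keeps redeployment idempotent. In the second rule the same column is compared as a string in one branch (`ResultType == "50057"`) and as a number in the join (`ResultType == 0`); on a custom `SigninLogs_CL` table the column type depends on how the fixture data was ingested, so one of the two forms is likely not matching—worth checking the table schema and normalising to a single form such as `ResultType == "0"`. A short comment in the rule `description` (the only free-text field ARM allows here) noting that these three rules are copies of built-in templates with the tables swapped to `_CL` would also help the next maintainer.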
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "solarigateRuleGuid": {
+ "value": "af03fc0e-d33f-447a-8397-d60726aa92c5"
+ },
+ "disabledRuleGuid": {
+ "value": "10a698ca-8310-4b90-a86e-2f43fe285e56"
+ },
+ "mlRuleGuid": {
+ "value": "02874339-f9a1-4ced-bdaf-44b3d8eb57a6"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/dataConnector/template.json b/src/SecurityInsights/test/deployment-templates/dataConnector/template.json
new file mode 100644
index 000000000000..c8a07c48c94c
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/dataConnector/template.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "dataconnectorId": {
+ "defaultValue": "dataConnectorId",
+ "type": "string"
+ },
+ "updateDataConnectorId": {
+ "defaultValue": "updateDataConnectorId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('dataconnectorId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "AzureSecurityCenter",
+ "properties": {
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ },
+ "subscriptionId": "[subscription().subscriptionId]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('updateDataConnectorId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Office365",
+ "properties": {
+ "dataTypes": {
+ "exchange": {
+ "state": "Enabled"
+ },
+ "sharepoint": {
+ "state": "Disabled"
+ },
+ "teams": {
+ "state": "Disabled"
+ }
+ },
+ "tenantId": "[subscription().tenantId]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json b/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
new file mode 100644
index 000000000000..221eaba78c18
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
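Review bot: The `Office365` connector is created with `exchange` set to `Enabled` against `[subscription().tenantId]`, and the `AzureSecurityCenter` connector against `[subscription().subscriptionId]`, so deploying this fixture switches on live, tenant-wide Exchange audit ingestion and live Defender alert ingestion into whatever workspace the test points at—these are not synthetic resources like the `_CL` tables the other fixtures rely on. That is acceptable in a disposable test tenant but becomes a data-exposure problem the moment someone runs the suite against a shared subscription. The test README should state that these templates must only be deployed into an isolated tenant/subscription and that teardown deletes both connectors; if the test only needs the connector object to exist for Get/Update/Remove coverage, consider whether the Office365 data types can all be `Disabled` so nothing is actually ingested.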
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "dataConnectorId": {
+ "value": "88da8507-46cb-4c34-9cf3-189e58b34c9e"
+ },
+ "updateDataConnectorId": {
+ "value": "b4b8bb52-2917-4179-a28d-fb197dc52aa6"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/entityQuery/template.json b/src/SecurityInsights/test/deployment-templates/entityQuery/template.json
new file mode 100644
index 000000000000..7817996ee8b3
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/entityQuery/template.json
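Review bot: This file supplies `dataConnectorId`, but the matching template declares the parameter as `dataconnectorId` (lower-case `c`). ARM appears to resolve parameter names case-insensitively, so the value most likely still binds, but the mismatch makes the parameter ungreppable across the two files and will break if either side is ever consumed by something case-sensitive. Rename the template side to `"dataConnectorId": {` (and its `parameters('dataConnectorId')` reference) so both files agree.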
@@ -0,0 +1,54 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "entityQueryActivityId": { + "defaultValue": "entityQueryActivityId", + "type": "String" + }, + "workspaceName": { + "defaultValue": "workspaceName", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('entityQueryActivityId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/entityQueries", + "apiVersion": "2021-03-01-preview", + "kind": "Activity", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by ", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "enabled": true + } + } + ] +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json b/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json new file mode 100644 index 000000000000..70a2d4ab57d5 --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "entityQueryActivityId": { + "value": "fb33bcbe-0bc0-433f-9910-e474dbfab616" + }, + "workspaceName": { + "value": "asptest8xu4wd" + } + } +} diff --git a/src/SecurityInsights/test/deployment-templates/incident/template.json b/src/SecurityInsights/test/deployment-templates/incident/template.json new file mode 100644 index 000000000000..7828babbc39f --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/incident/template.json 
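Review bot: The activity `content` string is truncated: `"On '{{Computer}}' the account '{{TargetAccount}}' was deleted by "` stops before naming an actor, so every rendered entity-activity line will end in "was deleted by " with nothing after it. The query already projects `SubjectUserName` and `SubjectUserSid`, so the intended line is almost certainly `"content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{SubjectUserName}}'",`. While here, `entityQueryActivityId` is typed `"String"` where the other templates in this change use `"string"`; harmless to ARM but worth aligning.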
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentId": {
+ "defaultValue": "incidentId",
+ "type": "String"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentId'))]",
+ "properties": {
+ "severity": "Informational",
+ "status": "New",
+ "title": "IncidentTest"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
new file mode 100644
index 000000000000..4b5320dae2da
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentId": {
+ "value": "85b206c3-bf60-48e0-b492-71a79bb8503a"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/incidentComment/template.json b/src/SecurityInsights/test/deployment-templates/incidentComment/template.json
new file mode 100644
index 000000000000..b736228013f4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentComment/template.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentCommentIncidentId": {
+ "defaultValue": "incidentCommentIncidentId",
+ "type": "string"
+ },
+ "incidentCommentId": {
+ "defaultValue": "incidentCommentId",
+ "type": "string"
+ },
+ "incidentCommentName": {
+ "defaultValue": "incidentCommentName",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentCommentIncidentId'))]",
+ "properties": {
+ "severity": "Informational",
+ "status": "New",
+ "title": "[parameters('incidentCommentName')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentCommentIncidentId'), '/', parameters('incidentCommentId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents/comments",
+ "apiVersion": "2021-04-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentCommentIncidentId'))]"
+ ],
+ "properties": {
+ "message": "[parameters('incidentCommentName')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
new file mode 100644
index 000000000000..0dcdaac82e21
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentCommentIncidentId": {
+ "value": "aa0c1725-78eb-4c1e-87b8-9dd801ebf670"
+ },
+ "incidentCommentId": {
+ "value": "c3bc7c2d-a384-4bb5-8fde-e2ee44fc18be"
+ },
+ "incidentCommentName": {
+ "value": "UpdateViaIdincidentCommentoq4cge"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/incidentRelation/template.json b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.json
new file mode 100644
index 000000000000..1b67f6ad4d2b
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.json
@@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "incidentRelationBookmarkId": { + "defaultValue": "incidentRelationBookmarkId", + "type": "string" + }, + "incidentRelationBookmarkName": { + "defaultValue": "incidentRelationBookmarkName", + "type": "string" + }, + "queryStartTime": { + "defaultValue": "queryStartTime", + "type": "string" + }, + "queryEndTime": { + "defaultValue": "queryEndTime", + "type": "string" + }, + "incidentRelationIncidentId": { + "defaultValue": "incidentRelationIncidentId", + "type": "string" + }, + "incidentRelationIncidentName": { + "defaultValue": "incidentRelationIncidentName", + "type": "string" + }, + "incidentRelationId": { + "defaultValue": "incidentRelationId", + "type": "string" + }, + "workspaceName": { + "defaultValue": "workspaceName", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentRelationBookmarkId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks", + "apiVersion": "2020-01-01", + "properties": { + "displayName": "[parameters('incidentRelationBookmarkName')]", + "labels": [ "asptest" ], + "notes": "Notes go here", + "query": "SecurityEvent\n| take 1", + "queryStartTime": "[parameters('queryStartTime')]", + "queryEndTime": "[parameters('queryEndTime')]", + "eventTime": "[parameters('queryEndTime')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/incidents", + "apiVersion": "2021-04-01", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentRelationIncidentId'))]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationBookmarkId'))]" + ], + "properties": { + 
"severity": "Informational", + "status": "New", + "title": "[parameters('incidentRelationIncidentName')]" + } + }, + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentRelationIncidentId'), '/', parameters('incidentRelationId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/incidents/relations", + "apiVersion": "2021-03-01-preview", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationIncidentId'))]", + "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationBookmarkId'))]" + ], + "properties": { + "relatedResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationBookmarkId'))]" + } + } + ] +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json new file mode 100644 index 000000000000..cacae2c29971 --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json 
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentRelationBookmarkId": {
+ "value": "f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a"
+ },
+ "incidentRelationBookmarkName": {
+ "value": "UpdateViaIdincidentRelationBookmarkNamehd50fa"
+ },
+ "queryStartTime": {
+ "value": "2021-12-11T01:00:00.000Z"
+ },
+ "queryEndTime": {
+ "value": "2021-12-12T01:00:00.000Z"
+ },
+ "incidentRelationIncidentId": {
+ "value": "43aedae6-3726-41c1-b0e8-9876df66aa2d"
+ },
+ "incidentRelationIncidentName": {
+ "value": "UpdateViaIdincidentRelationIncidentNameewut32"
+ },
+ "incidentRelationId": {
+ "value": "b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/metadata/template.json b/src/SecurityInsights/test/deployment-templates/metadata/template.json
new file mode 100644
index 000000000000..fed3b9ae0fed
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/metadata/template.json
@@ -0,0 +1,558 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+ "comments": "Solution template for ZeroTrust(TIC3.0)"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[parameters('location')]",
+ "metadata": {
+ "description": "Region to deploy solution resources"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
+ }
+ },
+ "formattedTimeNow": {
+ "type": "string",
+ "defaultValue": "[utcNow('g')]",
+ "metadata": {
+ "description": "Appended to workbook displayNames to make them unique"
+ }
+ },
+ "workbook1-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the workbook"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "ZeroTrust(TIC3.0)",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "analytic1-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic2-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic3-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic4-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic5-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic6-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic7-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic8-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic9-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic10-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic11-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ }
+ },
+ "variables": {
+ "ZeroTrustTIC3.0_workbook": "ZeroTrustTIC3.0_workbook",
+ "_ZeroTrustTIC3.0_workbook": "[variables('ZeroTrustTIC3.0_workbook')]",
+ "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]",
+ "_workbook-source": "[variables('workbook-source')]",
+ "ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules')]",
+ "sourceId": "azuresentinel.azure-sentinel-solution-zerotrust",
+ "_sourceId": "[variables('sourceId')]"
+ },
+ "resources": [
+ {
+ "name": "pid-48509547-1f22-4bce-9634-1fa50d662519-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[parameters('workbook1-id')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2020-02-12",
+ "properties": {
+ "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", 
\\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/0xxx6arkaS)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# Zero Trust (TIC3.0) Solution\\n---\\nThis workbook enables Security Governance Risk Compliance Professionals, SecOps Analysts, and MSSPs to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. For more information, see the 💡[Microsoft Zero Trust Model](https://www.microsoft.com/security/business/zero-trust), 💡[Trusted Internet Connections: Core Guidance Documents](https://www.cisa.gov/trusted-internet-connections). The Azure Sentinel Zero Trust (TIC 3.0) Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the 💡 [Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/trusted-internet-connections). 
This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. \"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"21\",\"name\":\"Azure Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Assessment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Files\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Files\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Email\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Web\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Web\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Networking\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Networking\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"title\":\"TIC 3.0 Capabilities\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"37\",\"name\":\"query 
- 107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUniversalSecurityCapabilitiesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Universal Security Capabilities\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isFilesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Files\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"67de7a24-1840-4fc5-94d5-a6b5d7520a7c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEmailVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Email\",\"re
sultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isWebVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Web\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Networking\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"38d5c68b-fce9-479b-b8dd-acb7a97d85e7\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"5\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Resiliency\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resiliency\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"DNS\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": 
\\\\\\\"Enterprise\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Data Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data Protection\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"37\",\"name\":\"query - 109\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResiliencyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resiliency\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"62d67234-8fb2-43e6-b5d2-945692493431\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9cb339a8-c8b4-43ad-b2e5-76f61b87d8c1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionDetectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[
{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion Detection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b799471-726e-432c-b577-2f45474d883c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"584fbe21-b31b-49cb-bd65-62ef850a8310\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUnifiedCommunicationsCollaborationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Unified Communications & Collaboration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"78d61c25-823a-4232-8a32-1a7e7018e596\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataProtectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data 
Protection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"740b611b-8155-4e96-bbcc-bbdba0541143\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"5\",\"name\":\"isVisible Navigation - Copy\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Getting Started](https://docs.microsoft.com/azure/sentinel/prerequisites)\\r\\n---\\r\\n\\r\\nThis workbook enables Security Governance Risk Compliance Professionals, SecOps Analysts, and MSSPs to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. Recommended onboarding steps are included below, note user experience will vary by workload.
\\r\\n
\\r\\n1️⃣ [Confirm Roles & Permissions: Azure Sentinel Contributor for Create & Edit / Azure Sentinel Responder for Viewing Workbook](https://docs.microsoft.com/azure/sentinel/roles#:~:text=Azure%20Sentinel-specific%20roles%201%20Azure%20Sentinel%20Reader%20can,and%20other%20Azure%20Sentinel%20resources.%20More%20items...%20)
\\r\\n2️⃣ [Onboard Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Add the Azure Security Benchmark and NIST SP 800-53 R5 Assessments to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n5️⃣ [Continuously Export Security Center Data](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n6️⃣ [Extend Azure Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n7️⃣ [Deploy Azure Sentinel: Zero Trust (TIC3.0) Solution & Review Monitoring Analytics Rules](https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/azuresentinel.azure-sentinel-solution-zerotrust)
\\r\\n\\r\\n\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"text - 106\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Recommended Enrichments](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\nThis workbook leverages 50+ Microsoft Security products. While only Azure Sentinel and Azure Security Center are mandatory for this solution, the following offerings provide enrichments
\\r\\n\\r\\n✳️[Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\\r\\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\\r\\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n✳️[Azure Defender](https://azure.microsoft.com/services/azure-defender/)
\\r\\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n✳️[Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\\r\\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\\r\\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\\r\\n\\r\\n\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"text - 107\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Microsoft Zero Trust Deployment Center](https://docs.microsoft.com/security/zero-trust)\\r\\n![Image Name](https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4KvMM?ver=13f6&q=0&m=6&h=600&w=1600&b=%23FFFFFFFF&u=t&l=f&f=jpg&o=t&aim=true \\\"Security Policy Enforcement\\\")\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"Zero Trust Model\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Trusted Internet Connections 3.0](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n| Security Objectives |\\r\\n| : | : | \\r\\n| Manage Traffic | Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny |\\r\\n| Protect Traffic Confidentiality | Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement |\\r\\n| Protect Traffic Integrity | Prevent alteration of data in transit; detect altered data in transit |\\r\\n| Ensure Service Resiliency | Promote resilient application and security services for continuous operation as the technology and threat landscape evolve |\\r\\n| Ensure Effective Response | Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures |\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"Trusted Internet Connections 
3.0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ControlFamily\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| summarize count() by Family\\r\\n| sort by count_ desc\\r\\n| project Family\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in 
({ControlFamily})\\r\\n| summarize count() by Family\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Family\\r\\n| render 
timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| summarize count() by RecommendationDisplayName\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Recommendation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = 
externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| summarize count() by AssessedResourceId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets with Recommendations\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\"
:1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| project AssessedResourceId, Family, Capability, RecommendationDisplayName, RecommendationLink, RecommendationSeverity, RecommendationState, DiscoveredTimeUTC\\r\\n| sort by DiscoveredTimeUTC desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 1\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Universal Security Capabilities](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\n---\\r\\nUniversal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases. Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use case. However, certain use cases may provide unique guidance on specific capabilities where necessary. Agencies have significant discretion regarding how to meet the individual security capability requirements and address their particular needs. Agencies are free to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve multiple purposes, the selection of an appropriate set of solutions is left to each agency.\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"text - 105\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"c93e24ce-ec5c-4a5a-a505-f69f222f1c57\",\"cellValue\":\"Backup and Recovery\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Backup and Reccovery\",\"style\":\"link\"},{\"id\":\"bac9107f-354e-46ac-b4ad-a3e6e0f55cb0\",\"cellValue\":\"Central Log Management with Analysis\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Central Log Management with Analysis\",\"style\":\"link\"},{\"id\":\"4ffc1b21-56f5-450b-8eff-0ad8878d145b\",\"cellValue\":\"Configuration Management\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Configuration 
Management\",\"style\":\"link\"},{\"id\":\"8d000886-a46f-4445-ab37-3f8d85d1a03c\",\"cellValue\":\"Incident Response Plan and Incident Handling\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Incident Response Plan and Incident Handling\",\"style\":\"link\"},{\"id\":\"5716dd9a-2dc4-49b6-8159-6ecb38cae5b8\",\"cellValue\":\"Inventory\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Inventory\",\"style\":\"link\"},{\"id\":\"fd99b1dd-8ab6-458a-9750-9bea08680143\",\"cellValue\":\"Least Privilege\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Least Privilege\",\"style\":\"link\"},{\"id\":\"e44f9cc8-c90d-4180-bc5b-05ea686c2a48\",\"cellValue\":\"Secure Administration\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Secure Administration\",\"style\":\"link\"},{\"id\":\"3d6bbb2b-5f84-45e1-840b-d5751ae01724\",\"cellValue\":\" Strong Authentication\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Strong Authentication\",\"style\":\"link\"},{\"id\":\"39eeaf42-397f-4f0b-9ecb-6094cb499da5\",\"cellValue\":\"Time Synchronization\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Time Synchronization\",\"style\":\"link\"},{\"id\":\"7a410392-0071-45de-bd44-6c1a302099bf\",\"cellValue\":\"Vulnerability Management\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Vulnerability Management\",\"style\":\"link\"},{\"id\":\"85947fdc-7b1e-4ccf-b381-e14c481d44b2\",\"cellValue\":\"Patch Management\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Patch Management\",\"style\":\"link\"},{\"id\":\"c785c05b-3c23-440c-880e-d137a5129d57\",\"cellValue\":\"Auditing and Accounting\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Auditing and Accounting\",\"style\":\"link\"},{\"id\":\"c05f7400-cd07-4f88-8b83-01e7a423b212\",\"cellValue\":\"Resilience\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Resilience\",\"style\":\"link\"},{\"id\":\"e1e208ec-51b4-4a92-b4c0-3b642dad5710\",\"cellValue\":\"Enterprise Threat Intelligence\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Enterprise Threat 
Intelligence\",\"style\":\"link\"},{\"id\":\"ea9cabf5-fb7c-4243-82bf-ec8bc27d563e\",\"cellValue\":\"Situational Awareness\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Situational Awareness\",\"style\":\"link\"},{\"id\":\"cca8efec-9930-4851-8245-6624c437608e\",\"cellValue\":\"Dynamic Threat Discovery\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Dynamic Threat Discovery\",\"style\":\"link\"},{\"id\":\"af1e2514-78fd-4553-b883-e7e509081cd4\",\"cellValue\":\"Policy Enforcement Parity\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Policy Enforcement Parity\",\"style\":\"link\"},{\"id\":\"e728fd6f-9b96-46e7-b657-7b94a4333060\",\"cellValue\":\"Effective Use of Shared Services\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Effective Use of Shared Services\",\"style\":\"link\"},{\"id\":\"51a146f0-a041-43d3-8ed8-f2d03ce3a40b\",\"cellValue\":\"Integrated Desktop, Mobile, and Remote Policies\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Integrated Desktop, Mobile, and Remote Policies\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Universal Security Capabilities Navigation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Backup and Recovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nKeeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is the Azure Backup Service?](https://docs.microsoft.com/azure/backup/backup-overview)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Configure Recovery Service Vaults](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Leverage Azure Blueprints for Landing Zones](https://docs.microsoft.com/azure/governance/blueprints/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔄 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔄 [Blueprints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.IP, PR.DS, RS.MI, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"back\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Backups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"back up\\\" or Description contains \\\"backup\\\" or Description contains \\\"back-up\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| summarize count() by Description, AnalyzeResult, ResourceId\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Backup & Recovery: Baseline Assessments\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AnalyzeResult\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Passed\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Failed\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"cancelled\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Backup and Recovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Central Log Management & Analysis](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCollecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery and response to malicious activity.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [What is Azure Lighthouse?](https://docs.microsoft.com/azure/lighthouse/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\t\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Resource Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events Count by Log Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"agent\\\" or RecommendationDisplayName contains \\\"log\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationDisplayName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Logging\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), 
max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per 
Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize count() , Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable\\r\\n| extend counttemp =count_ / 60\\r\\n| summarize \\r\\n ['Current EPS Average']=avg(counttemp), ['Minimum EPS']=min(counttemp),\\r\\n ['Maximum EPS']=max(counttemp)\\r\\n by ['Table Name']=Type\\r\\n| order by ['Current EPS Average'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Events Per Second (EPS) Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is 
Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Current EPS Average\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}},{\"columnMatch\":\"Minimum EPS\",\"formatter\":3,\"formatOptions\":{\"palette\":\"red\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}},{\"columnMatch\":\"Maximum EPS\",\"formatter\":3,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per 
Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Current EPS Average_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Current EPS Average_1\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Central Log Management with Analysis\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\\r\\n💡 [Secure Score in Azure Defender](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecureScoreControls\\r\\n| extend Percent=PercentageScore*100\\r\\n| summarize avg(Percent) by bin(TimeGenerated,1d), ControlName, SubscriptionId=_SubscriptionId\\r\\n| render timechart\",\"size\":0,\"aggregation\":1,\"showAnalytics\":true,\"title\":\"Azure Security Center: Secure Score Controls (Percentage) Over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaselineSummary\\r\\n| summarize count() by Resource, PercentageOfPassedRules, CriticalFailedRules, WarningFailedRules\\r\\n| project Resource, CriticalFailedRules, WarningFailedRules, 
PercentageOfPassedRules\\r\\n| sort by CriticalFailedRules desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor & Enforce Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CriticalFailedRules\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"WarningFailedRules\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"PercentageOfPassedRules\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response Plan and Incident Handling](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDocumenting and implementing a set of 
instructions, procedures, or technical capabilities to sense and detect, respond to, limit consequences of malicious cyberattacks, and restore the integrity of the network and associated systems.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Quickstart: Tutorial: Investigate incidents with Azure Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/notebooks)
\\r\\n💡 [Tutorial: Set Up Automated Threat Responses in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n💡[Overview of Microsoft 365 Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/overview-ediscovery-20)
\\r\\n💡[Learn About Insider Risk Management in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Portal](https://portal.azure.com/)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Severity in ('*') or 'All' ==  \\\"All\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Sentinel Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where ResourceProvider == \\\"Microsoft.Logic\\\"\\r\\n| summarize count() by ResourceId\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure 
Sentinel Playbooks Triggered\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Plan and Incident Handling\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and unmanaged endpoints are found and prevented from gaining access.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Explore and Manage Your Resources With Asset 
Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [Protect Your Network Resources](https://docs.microsoft.com/azure/security-center/security-center-network-recommendations)
\\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\\r\\n💡 [What is Windows Virtual Desktop?](https://docs.microsoft.com/azure/virtual-desktop/overview)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n💡 [Azure Arc Overview](https://docs.microsoft.com/azure/azure-arc/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Heartbeat](https://docs.microsoft.com/azure/azure-monitor/reference/tables/heartbeat) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔄 [Azure Virtual Desktop](https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/overview)
\\r\\n🔄 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\\r\\n🔄 [Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (Azure Resource Graph)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time 
Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"ResourceFlat\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"microsoft\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\\\"Not set\\\")\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project ['Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays\",\"size\":2,\"showAnalytics\":true,\"title\":\"Log Analytics Workspace Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective 
Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_link_Workspace Name_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_link_Workspace Name_0\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat\\r\\n| distinct ResourceId, ComputerIP, OSType, Category, ResourceGroup, ResourceType \\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (Heartbeat)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure 
Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OSType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Windows\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Linux\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"mac\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat\\r\\n| where ResourceProvider in (\\\"Microsoft.HybridCompute\\\")\\r\\n| distinct ResourceId, ComputerIP, OSType, Category, ResourceGroup, ResourceType \\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (Hybrid/On Prem Joined Machines: Azure Arc)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and 
Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OSType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Windows\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Linux\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"mac\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
8\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Inventory\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Administrator roles by admin task in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\\r\\n💡 [Overview of role-based access control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Azure Active Directory Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AADNonInteractiveUserSignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| summarize Activities = count() by User = Caller\\r\\n| where User <> \\\"\\\"\\r\\n| sort by Activities desc\\r\\n| take 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Active Directory Users by Action Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles_ = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| where MailAddress <> \\\"\\\"\\r\\n| distinct UserPrincipalName, GroupMemberships, AssignedRoles_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assigned Roles & Group Memberships\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADNonInteractiveUserSignInLogs\\r\\n| project AppDisplayName, Identity, TimeGenerated\\r\\n| make-series count() default=0 on TimeGenerated 
from {TimeRange:start} to {TimeRange:end} step 1d by AppDisplayName\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"AAD Non Interactive User Sign-In Logs By Application \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AAD Non Interactive User Sign-In Logs By Application \",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Least Privilege\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nPerforming administrative 
tasks in a secure manner, using secure protocols.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Delegate Administration in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\\r\\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
 \\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 
\\r\\n💡 [Securing Devices as Part of the Privileged Access Story](https://docs.microsoft.com/security/compass/privileged-access-devices) 
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔄 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where Identity == \\\"MS-PIM\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| extend PIM_Role = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\\r\\n| where UserPrincipalName <>\\\"\\\"\\r\\n| project UserPrincipalName, OperationName, PIM_Role, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Secure Administration\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto)
\\r\\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Remediate recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\\r\\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\\r\\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \\\"Successfull login\\\", \\\"unknown\\\")\\r\\n| summarize count() by ResultText\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication Codes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResultText\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Success\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"error\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"not\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"tried\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"invalid\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"unauth\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"block\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"expired\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"missing\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - 
Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\" Strong Authentication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Synchronization](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCoordinating clocks on all systems (e.g. servers, workstations, network endpoints) to enable accurate comparison of timestamps between systems.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Time Sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Portal](https://portal.azure.com/)
\\r\\n🔄 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"NTP\\\"\\r\\n| project ResourceId, Description, AnalyzeResult, TimeGenerated\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor NTP Syncs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AnalyzeResult\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Passed\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Failed\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nProactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Secure Score in Azure Defender](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n💡 [Azure Defender's Integrated Vulnerability Assessment Solution for Azure and Hybrid Machine](https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment)
\\r\\n💡 [Threat and Vulnerability Management Walk-Through](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, PR.IP, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"vuln\\\" or RecommendationName contains \\\"assess\\\" or RecommendationName contains \\\"update\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerabilty Management Recommendations over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecureScoreControls\\r\\n| extend Percent=PercentageScore*100\\r\\n| summarize avg(Percent) by bin(TimeGenerated,1d), 
ControlName, SubscriptionId=_SubscriptionId\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Secure Score\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n|project CceId, RuleSeverity, Description, ResourceId\\r\\n|limit 50\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Vulnerability Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Patch Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentifying, acquiring, installing, and verifying patches for products and systems.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Update Management Overview](https://docs.microsoft.com/azure/automation/update-management/overview)
\\r\\n💡 [Enable Update Management From the Azure Portal](https://docs.microsoft.com/azure/automation/update-management/enable-from-portal)
\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔄 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName == \\\"System updates should be installed on your machines\\\" or RecommendationName contains \\\"upgrade\\\" or RecommendationName contains \\\"update\\\" or RecommendationName contains \\\"patch\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationDisplayName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Updates\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Patch Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Auditing Azure Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Resource Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups)
\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events Count by Log Source\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where 
RecommendationDisplayName contains \\\"agent\\\" or RecommendationDisplayName contains \\\"log\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationDisplayName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Logging\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Auditing and Accounting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Resilience](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEnsuring that systems, services, and protections maintain acceptable performance under adverse conditions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔄 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔄 [Load Balancing](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔄 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
 \\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
 \\r\\n💡 [What are virtual machine scale sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
 \\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.BE, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where AlertName contains \\\"dos\\\" or AlertName contains \\\"waf\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts: DDoS & WAF\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resilience\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Enterprise Threat Intelligence](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nObtaining threat intelligence from private and government sources and implementing mitigations for the identified risks.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Microsoft Security Intelligence Portal](https://www.microsoft.com/wdsi)
\\r\\n💡 [Microsoft Graph Security tiIndicators API](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n💡 [MSTIC Jupyter and Python Security Tools](https://github.com/Microsoft/msticpy)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Microsoft Defender Security Intelligence Portal](https://microsoft.com/wdsi)
\\r\\n🔄 [Resource Graph Queries](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.resourcegraph%2Fqueries)
\\r\\n🔄 [MSTICpy](https://github.com/Microsoft/msticpy)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cyber Threat Intelligence Indicator Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Threat 
Intelligence\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Situational Awareness](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMaintaining effective awareness, both current and historical, across all components.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Get Visibility Into Alerts](https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility)
\\r\\n💡 [What is Azure Network Watcher?](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts By Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Situational Awareness\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Dynamic Threat Discovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nUsing dynamic approaches (e.g. heuristics, baselining, etc.) to discover new malicious activity\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Advanced Multistage Attack Detection in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/fusion)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Heuristic Detections in Azure Security Center](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, 
ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignemt\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"i
sEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Sentinel Fusion\\\" or AlertName contains \\\"Anomalous\\\"\\r\\n| summarize count () by AlertName, ProductName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Dynamic Threat Detection Rules\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Dynamic Threat Discovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Policy Enforcement 
Parity](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nConsistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [What is Azure Blueprints?](https://docs.microsoft.com/azure/governance/blueprints/)
\\r\\n💡 [Password Policies and Account Restrictions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔄 [Blueprints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted)
\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| summarize count() by RecommendationName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configured Assessment Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Policy Enforcement Parity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Effective Use of Shared Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [What are External Identities in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n🔄 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Azure Lighthouse for Service Provider Access](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n![Image Name](https://docs.microsoft.com/azure/lighthouse/media/azure-lighthouse-overview.jpg)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Use Azure Customer Lockbox for Shared Access to Resources](https://aka.ms/customerlockbox/insiderprogram)\\r\\n![Image Name](https://docs.microsoft.com/azure/security/fundamentals/media/customer-lockbox-overview/customer-lockbox-landing-page.png)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Effective Use of Shared Services\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Integrated Desktop, Mobile, and Remote Policiess](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDefining polices such that they apply to a given agency entity no matter its location.\\r\\n\\r\\n### Microsoft References \\r\\n💡 
[What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
 \\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\\r\\n🔄 [Microsoft Intune Portal](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Control Connection of Endpoints with Microsoft Intune: Conditional 
Access](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager)\\r\\n![Image Name](https://docs.microsoft.com/mem/intune/protect/media/conditional-access/ca-diagram-1.png  \\\"Intune Conditional Access\\\") \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Integrated Desktop, Mobile, and Remote Policies\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Files](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nFile-based protections including anti-malware, malicious code removal, content disarm & reconstruction, and detonation chambers.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Files Capabilities Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"c61c3951-546a-40ae-a680-74638b772d80\",\"cellValue\":\"Anti-Malware\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Anti-Malware\",\"style\":\"link\"},{\"id\":\"6a592926-301d-44d9-8915-359e443fbc61\",\"cellValue\":\"Content Disarm & Reconstruction\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Content Disarm & Reconstruction\",\"style\":\"link\"},{\"id\":\"ec6b5ffc-7d3d-4a93-b1cf-e20af0b57f3e\",\"cellValue\":\"Detonation Chamber\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Detonation Chamber\",\"style\":\"link\"},{\"id\":\"33cb9a0b-8e24-410a-afd4-81d9e201e7a3\",\"cellValue\":\"Data Loss Prevention_F\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss 
Prevention\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Files Capabilities Navigation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Malware](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Microsoft Antimalware Extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/iaas-antimalware-windows)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Microsoft Cloud App Security: Malware Detection](https://docs.microsoft.com/cloud-app-security/anomaly-detection-policy#malware-detection)
\\r\\n💡 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Azure Defender](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, DE.CM, DE.DP, RS.MI](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"title\":\"Security Alerts: Malware\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detected by Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and 
Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Malware\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Disarm & Reconstruction](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Setup Safe Attachments Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies)
\\r\\n💡 [Threat and Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailAttachmentInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailattachmentinfo) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n| extend Detection = strcat(DetectionMethods)\\r\\n| where ThreatTypes <> \\\"\\\"\\r\\n| project RecipientEmailAddress, FileName, ThreatTypes, ThreatNames, Detection, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Attachments: Attachment Mitigations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Disarm & Reconstruction\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Detonation Chamber](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDetonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the files.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Submit File for Deep Analysis](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#submit-files-for-deep-analysis)
\\r\\n💡 [Using the Built-in URL Detonation in Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-new-built-in-url-detonation-in-azure-sentinel/ba-p/996229)
\\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n💡 [Safe Attachments in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-attachments)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔄 [Azure Portal](https://portal.azure.com/)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM, DE.DP, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods <>\\\"\\\"\\r\\n| project RecipientEmailAddress, DeliveryAction, DeliveryLocation, EmailDirection, EmailAction, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Detonation: SafeLinks, SafeAttachments, SafeFiles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"left\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DetectionMethods\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comp
arison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Detonation Chamber\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Azure Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAgg
regation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"title\":\"Security Alerts: Data Loss Prevention\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_F\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Email](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEmail-based protections including anti-phishing, anti-spam, 
authenticated received chain, data loss prevention, DMARC for incoming/outgoing mail, email encryption, and malicious URL protections.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Email Capabilities Help\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"75486fb8-e143-457b-881a-b1acaee05453\",\"cellValue\":\"Anti-Phishing Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Anti-Phishing Protections\",\"style\":\"link\"},{\"id\":\"a4879110-271e-496c-ae2f-7e30296af266\",\"cellValue\":\"Anti-SPAM Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Anti-SPAM Protections\",\"style\":\"link\"},{\"id\":\"bbc29b77-2e9a-4438-970f-e0abfdc8a3cc\",\"cellValue\":\"Authenticated Received Chain\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Authenticated Received Chain\",\"style\":\"link\"},{\"id\":\"43972d55-2e0c-4660-ac09-91459af1713e\",\"cellValue\":\"Data Loss Prevention_E\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss Prevention\",\"style\":\"link\"},{\"id\":\"d7f5b5ba-5ccc-4043-b403-f046b15a853e\",\"cellValue\":\"DMARC for Incoming Email\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DMARC for Incoming Email\",\"style\":\"link\"},{\"id\":\"42784042-f170-4520-bf7f-8f765ca54584\",\"cellValue\":\"DMARC for Outgoing Email\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DMARC for Outgoing Email\",\"style\":\"link\"},{\"id\":\"50c50837-7378-419f-b5ab-60a4f50a8e3c\",\"cellValue\":\"Encryption for Email Transmission\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Encryption for Email Transmission\",\"style\":\"link\"},{\"id\":\"8ea80e97-f1f8-4f1f-9be1-85f5b2974254\",\"cellValue\":\"Malicious URL Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Malicious URL Protections\",\"style\":\"link\"},{\"id\":\"1247fbc5-40c8-4326-8e9d-dc7dc6387e65\",\"cellValue\":\"URL Click-Through 
Protection\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ URL Click-Through Protection\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Email Capabilities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Phishing Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-phishing protections detect instances of phishing and prevent users from accessing them.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Anti-Phishing Protection in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-protection)
\\r\\n💡 [Configure Anti-Phishing Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent)✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AT, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProductName contains \\\"Office 365 Advanced Threat Protection\\\"\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"title\":\"Security Alerts: Phishing\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Phishing Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-SPAM 
Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-SPAM protections detect and quarantine instances of SPAM.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\\r\\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam <> \\\"Skipped\\\"\\r\\n| where Spam <> \\\"Not spam\\\"\\r\\n| project Spam, RecipientEmailAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Email Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-SPAM Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Received Chain](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream 
entities to accept the intermediary’s authentication even if the email was changed.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How Microsoft 365 Utilizes Authenticated Received Chain (ARC)](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-utilizes-authenticated-received-chain-arc)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Alerts for DMARC, SPF, DKIM Validations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to 
Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Received Chain\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n💡 [How DLP Works Between the Security & Compliance Center and Exchange Admin Centers](https://docs.microsoft.com/microsoft-365/compliance/how-dlp-works-between-admin-centers)
\\r\\n💡 [Email Entity Page](https://docs.microsoft.com/microsoft-365/security/office-365-security/mdo-email-entity-page)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| where ApplicationName_s == \\\"Outlook Web\\\" or ApplicationName_s contains \\\"exchange\\\"\\r\\n| project UserId_s, ApplicationName_s, LabelName_s, Activity_s, Operation_s, TimeGenerated\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Data Loss Prevention\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Azure Information Protection: Email Classifications & 
Labeling](https://azure.microsoft.com/services/information-protection/)\\r\\n![Image Name](https://docs.microsoft.com/azure/information-protection/media/recipients-only-label2.png)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_E\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Incoming Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"inbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Incoming 
Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Outgoing Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. The DMARC email authentication protocol is defined in RFC7489.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"outbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Outgoing 
Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Encryption for Email Transmission](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmail services are configured to use encrypted connections, when possible, for communications between clients and other email servers.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Email Encryption](https://docs.microsoft.com/microsoft-365/compliance/ome)
\\r\\n💡 [How Exchange Online Uses TLS to Secure Email Connections](https://docs.microsoft.com/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Setup New Message Encryption Capabilities](https://docs.microsoft.com/microsoft-365/compliance/set-up-new-message-encryption-capabilities)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Manage Office 365 Message Encryption](https://docs.microsoft.com/microsoft-365/compliance/manage-office-365-message-encryption)
\\r\\n\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
🔄[Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"encrypt\\\"\\r\\n| summarize count() by RecommendationDisplayName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Workload Encryption Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Encryption for Email Transmission\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious URL Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious URL protections detect malicious URLs in emails and prevent users from accessing them.\\r\\n\\r\\n### Microsoft 
References \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods contains \\\"url\\\"\\r\\n| join (EmailUrlInfo) on NetworkMessageId\\r\\n| project RecipientEmailAddress, DeliveryAction, Url, UrlDomain, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SafeLinks Email Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious URL 
Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [URL Click-Through Protection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nURL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where DisplayName contains \\\"URL\\\"\\r\\n| summarize count() by AlertName, ProductName\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email URL Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"URL Click-Through Protection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Web](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nWeb-based protections including break/inspect, active content mitigation, certificate blacklisting/consensus, content filtering, authenticated proxy, data loss prevention, DNS-over-HTTPS filtering, RFC compliance enforcement, domain category filtering, domain reputation filtering, bandwidth control, malicious content filtering, and access control.\"},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Web Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"02e1e8dc-ada0-4398-a18e-ee6a27a4398c\",\"cellValue\":\"Break and Inspect\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Break and 
Inspect\",\"style\":\"link\"},{\"id\":\"73c46479-2507-480d-81c2-59b8eb2dde4c\",\"cellValue\":\"Active Content Mitigation\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Active Content Mitigation\",\"style\":\"link\"},{\"id\":\"899e3919-5a81-48ad-9fe1-2b30ea75e063\",\"cellValue\":\"Certificate Denylisting\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Certificate Denylisting\",\"style\":\"link\"},{\"id\":\"134c9530-0a39-49e3-af06-57a55a4405a2\",\"cellValue\":\"Content Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Content Filtering\",\"style\":\"link\"},{\"id\":\"654216c3-dd72-4350-936e-fbddc7403bfe\",\"cellValue\":\"Authenticated Proxy\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Authenticated Proxy\",\"style\":\"link\"},{\"id\":\"53b5caf3-9696-403b-9aba-501f81f28a78\",\"cellValue\":\"Data Loss Prevention_W\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss Prevention\",\"style\":\"link\"},{\"id\":\"1399dbe0-3ec8-4aca-a6f2-159076019a67\",\"cellValue\":\"DNS-over-HTTPS Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNS-over-HTTPS Filtering\",\"style\":\"link\"},{\"id\":\"4c24ab6e-8548-40ad-8e13-6f57a9216e8f\",\"cellValue\":\"RFC Compliance Enforcement\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ RFC Compliance Enforcement\",\"style\":\"link\"},{\"id\":\"3330274e-62a3-4080-818e-e69976148766\",\"cellValue\":\"Domain Category Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Domain Category Filtering\",\"style\":\"link\"},{\"id\":\"281a70fe-cc00-4620-acad-fa927c48575b\",\"cellValue\":\"Domain Reputation Filter\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Domain Reputation Filter\",\"style\":\"link\"},{\"id\":\"8089a515-f341-40d7-9826-4d88a34f5f93\",\"cellValue\":\"Bandwidth Control\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Bandwidth Control\",\"style\":\"link\"},{\"id\":\"a3175efa-dcda-4782-b216-e9bbdc6a8903\",\"cellValue\":\"Malicious Content Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Malicious Content 
Filtering\",\"style\":\"link\"},{\"id\":\"421a85e7-424d-4bbb-8c60-cda8e43ba959\",\"cellValue\":\"Access Control_W\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Access Control\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Web Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Break and Inspect](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBreak-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final destination.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Inspect Traffic with Azure Firewall](https://docs.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/azurefirewalls\\\"\\r\\n| extend ResourceGroup = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend ipConfigurations = properties.ipConfigurations\\r\\n| extend FirewallSKU = tostring(properties.sku.tier)\\r\\n| extend ThreatIntelMode = tostring(properties.threatIntelMode)\\r\\n| extend DNSConfig = properties.additionalProperties\\r\\n| mv-expand bagexpansion=array ipConfigurations\\r\\n| extend PIPid = tostring(ipConfigurations.properties.publicIPAddress.id)\\r\\n| join ( Resources | where type=='microsoft.network/publicipaddresses' | extend PublicIPAddress=tostring(properties.ipAddress) | project PIPid=id,PublicIPAddress ) on PIPid\\r\\n| extend PrivateIP = tostring(ipConfigurations.properties.privateIPAddress)\\r\\n| extend PrivateIPAllocation = tostring(ipConfigurations.properties.privateIPAllocationMethod)\\r\\n| extend SubnetId = ipConfigurations.properties.subnet.id\\r\\n| project-away kind, managedBy, plan, sku, properties, identity, zones, extendedLocation, ipConfigurations, PIPid, PIPid1, tags, tenantId, name, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewalls\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: 
Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":14,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SubnetId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"ResourceGroup\",\"label\":\"Resource Group\"},{\"columnId\":\"FirewallSKU\",\"label\":\"Firewall SKU\"},{\"columnId\":\"ThreatIntelMode\",\"label\":\"Threat Intel Mode\"},{\"columnId\":\"DNSConfig\",\"label\":\"DNS Config\"},{\"columnId\":\"PublicIPAddress\",\"label\":\"Public IP Address\"},{\"columnId\":\"PrivateIP\",\"label\":\"Private IP\"},{\"columnId\":\"PrivateIPAllocation\",\"label\":\"Private IP Allocation\"},{\"columnId\":\"SubnetId\",\"label\":\"Subnet\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AzureFirewalls\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Break and Inspect\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Active Content 
Mitigation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nActive content mitigation protections detect the presence of unapproved active content and facilitate its removal.\\r\\n\\r\\n### Microsoft References \\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message: string, ruleName_s: string, clientIp_s: string, clientIP_s: string, action_s: string, transactionId_s: string, trackingReference_s: string) [\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\"]);\\r\\nFakeData\\r\\n| union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"Application Gateway\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"Application Gateway\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"Application Gateway\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"Application Gateway\\\" contains \\\"cdn\\\")) and (\\\"SOC-NS-AG-WAFV2 - 1129440\\\" == \\\"All\\\" or Resource in ('SOC-NS-AG-WAFV2'))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '*' == Action or '*' == \\\"*\\\" \\r\\n| where '*' == requestUri_s or '*' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. 
Inbound \\\", 1), \\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule, \\\"):\\\", 1)), \\\"\\\"), Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure WAF Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redDark\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Active Content 
Mitigation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate denylisting protections prevent communication with entities that use a set of known bad certificates.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Certificates Used by Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-certificates)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Quickstart: Create a Key Vault using the Azure Portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\" or type contains \\\"firewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Leverage Azure Firewall & Key Vault Assets for Certificate Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent filtering protections 
detect the presence of unapproved content and facilitate its removal or denial of access.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Azure Firewall Web Categories](https://docs.microsoft.com/azure/firewall/web-categories)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-content-filtering)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". 
Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Firewall: Content Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content 
Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Plan an Azure AD Application Proxy Deployment](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan)
\\r\\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Cloud App Security and Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\\r\\n💡 [Protect Apps with Microsoft Cloud App Security Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MCAS\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":1,\"showAnalytics\":true,\"title\":\"Microsoft Cloud App Security: Cloud App Security Brokering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Proxy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Microsoft Cloud App Security: File Policies](https://docs.microsoft.com/cloud-app-security/data-protection-policies)
\\r\\n💡 [Content Inspection for Protected Files](https://docs.microsoft.com/cloud-app-security/content-inspection)
\\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Azure Defender](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| summarize count() by AlertName, ProductName, Tactics\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":1,\"showAnalytics\":true,\"title\":\"Web Data Loss Prevention Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS-over-HTTPS Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS-over-HTTPS filtering prevents entities from using the DNS-over-HTTPS protocol, possibly evading DNS-based protections.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| where AlertName contains \\\"URL\\\" or AlertName contains \\\"web\\\" or AlertName contains \\\"indicator\\\" or Description contains \\\"URL\\\" or AlertType contains \\\"NetworkProtectionBlocked\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":1,\"showAnalytics\":true,\"title\":\"Mitigate DNS-over-HTTPS with Agent-Based Web Filters such as Microft Defender for Endpoint: Web Content Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS-over-HTTPS Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [RFC Compliance Enforcement](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRFC compliant enforcement technologies ensure that traffic complies with protocol definitions.\\r\\n\\r\\n### Microsoft References\\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\r\\n| where details_file_s contains \\\"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"\\r\\n| summarize count() by ResourceId, Message\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protocol Enforcement Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RFC Compliance 
Enforcement\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Category Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain category filtering technologies allow for classes of domains (e.g. banking, medical) to receive a different set of security protections.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall: Web Categories](https://docs.microsoft.com/azure/firewall/premium-deploy#web-categories-testing)
\\r\\n💡 [Use FQDN Filtering in Network Rules](https://docs.microsoft.com/azure/firewall/fqdn-filtering-network-rules)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)\\t
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". 
Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '*' == SourceIP or '*' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Domain & Category Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Category Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Reputation Filter](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain reputation filtering 
protections are a form of domain denylisting based on a domain’s reputation, as defined by either the agency or an external entity.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall Threat Intelligence-Based Filtering](https://docs.microsoft.com/azure/firewall/threat-intel)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". 
ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by ThreatIntelMsg, Url, Action, Protocol, SourceIP, SourcePort, FQDN, DestinationPort, TimeGenerated\\r\\n| where Url <> \\\"\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Threat Intelligence URL Blocks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Reputation 
Filter\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Bandwidth Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Monitor Metrics Overview](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics)
\\r\\n💡 [Monitor Azure Firewall Logs and Metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics) \\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Metrics](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth Control\",\"styleSettings\":{\"maxWidth\":\"40\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 1\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":7776000000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"metric - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious content filtering protections detect the presence of malicious content and facilitate its removal.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, PR.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protections by Rule Category\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Volume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Overview of Role-Based Access Control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"just\\\" or RecommendationName contains \\\"JIT\\\"\\r\\n| summarize count() by AssessedResourceId, RecommendationName, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Just in Time Access Recommenations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where Identity == \\\"MS-PIM\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| extend PIM_Role = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\\r\\n| where UserPrincipalName <>\\\"\\\"\\r\\n| project UserPrincipalName, OperationName, PIM_Role, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access 
Control_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Networking](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nNetwork-based protections including network access controls, IP denylisting, host containment, network segmentation, and microsegmentation. \\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Networking Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"24c6c093-03b1-48d3-8446-b62c7768ab91\",\"cellValue\":\"Access Control_N\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Access Control\",\"style\":\"link\"},{\"id\":\"49076f2b-dc1e-4fc8-8a35-415b2bd20baa\",\"cellValue\":\"IP Denylisting\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ IP Denylisting\",\"style\":\"link\"},{\"id\":\"36a87896-a2b9-4050-82d5-36891c43b497\",\"cellValue\":\"Host Containment\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Host Containment\",\"style\":\"link\"},{\"id\":\"baf36c82-aa55-42e8-88df-60bf3051c347\",\"cellValue\":\"Network Segmentation\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Network Segmentation\",\"style\":\"link\"},{\"id\":\"2fcbeaa9-e652-4d47-a07b-0c3b9bc6b266\",\"cellValue\":\"Microsegmentation\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Microsegmentation\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Networking Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control protections prevent the ingest, egress, or transiting of unauthorized network traffic.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security 
Recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n💡[Tutorial: Create and Manage a VPN Gateway using Azure Portal]( https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡[What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
🔄 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔄 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
🔄 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| summarize count() by ruleName_s\\r\\n| sort by count_ desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Security Groups: Rules Triggered\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore 
This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category contains \\\"AzureFirewall\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Conrol Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control_N\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IP Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Azure Firewall Threat Intelligence Configuration](https://docs.microsoft.com/azure/firewall-Manager/threat-intelligence-settings)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n\\t iff(isnotempty(Url), \\\"URL\\\",\\r\\n\\t iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n\\t iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n\\t iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n\\t \\\"Other\\\")))))\\r\\n| where IndicatorType == \\\"IP\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by IndicatorType\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Sentinel: Threat Intelligence IP Indicators Ingested\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VMConnection\\r\\n| extend NetworkSourceIP=RemoteIp\\r\\n| where NetworkSourceIP <> \\\"\\\"\\r\\n| join (ThreatIntelligenceIndicator) on NetworkSourceIP\\r\\n| extend Indicator = strcat(NetworkSourceIP, FileHashValue, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\\r\\n| extend Source=SourceSystem1\\r\\n| summarize count () by ThreatType, Action, Indicator, Direction, _ResourceId, RemoteCountry, RemoteIp, Source\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence: IP Denylisting\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RiskIQ_Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"RiskIQ Lookup 
>\"}},{\"columnMatch\":\"RemoteCountry\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"VirusTotalURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"VirusTotal Lookup >\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"RemoteCountry\",\"latitude\":\"RemoteLatitude\",\"longitude\":\"RemoteLongitude\",\"sizeSettings\":\"RemoteCountry\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"RemoteCountry\",\"legendMetric\":\"RemoteCountry\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"RemoteIp\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Threat Intelligence: IP Denylisting\"}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IP Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Host Containment](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nHost containment protections enable a network to revoke or quarantine a host’s access to the network.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security Orchestration, Automation, and Response (SOAR) in Azure 
Sentinel](https://docs.microsoft.com/azure/sentinel/automation-in-azure-sentinel)
\\r\\n💡 [How to Isolate an Azure VM Using Azure Security Center’s Workflow Automation](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-isolate-an-azure-vm-using-azure-security-center-s/ba-p/1250985)
\\r\\n💡 [Isolate Endpoints from the Network](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-endpoints-from-the-network)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| where id contains \\\"block\\\" or id contains \\\"isolate\\\" or id contains \\\"lock\\\" or id contains \\\"revoke\\\" or id contains \\\"quarantine\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Containment Automations Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Host Containment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network 
Segmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nNetwork segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Implement Network Segmentation Patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Segmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsegmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMicrosegmentation divides the network, either physically or virtually, according to the communication needs 
of application and data workflows, facilitating security controls to protect the data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Network Security & Containment](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [Tutorial: Filter Network Traffic with a Network Security Group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n💡 [What is Azure Web Application Firewall?](https://docs.microsoft.com/azure/web-application-firewall/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)
\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) \\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔄 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔄 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"networksecuritygroup\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Security Groups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Microsegmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Resiliency](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nResiliency measures including DDoS protections, elastic expansion, and regional 
delivery.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Resiliency Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"e728810c-697f-4b67-a00e-1941c3b84194\",\"cellValue\":\"DDoS Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DDoS Protections\",\"style\":\"link\"},{\"id\":\"38a64817-5a62-418f-8944-041ab50fee2c\",\"cellValue\":\"Elastic Expansion\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Elastic Expansion\",\"style\":\"link\"},{\"id\":\"b984f173-f46a-412d-a835-d4a2f66709b8\",\"cellValue\":\"Regional Delivery\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Regional Delivery\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Resiliency Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DDoS Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDDoS protections mitigate the effects of distributed denial of service attacks.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/ddosprotectionplans\\\"\\r\\n| extend RG = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend virtualNetworks = properties.virtualNetworks\\r\\n| mvexpand bagexpansion=array virtualNetworks\\r\\n| extend VNETid = virtualNetworks.id\\r\\n| project-away kind, managedBy, sku, plan, identity, zones, extendedLocation, name, tenantId, properties, tags, virtualNetworks, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"VNETid\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"VNETid\",\"label\":\"Virtual Networks\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoSPlans\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoS Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Elastic Expansion](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nElastic expansion enables agencies to dynamically expand the resources available for services as conditions require.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What are Virtual Machine Scale Sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview) 
\\r\\n💡 [Elastic Pools Help You Manage and Scale Multiple Databases in Azure SQL Database](https://www.cisa.gov/trusted-internet-connections)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Traffic Manager?](https://docs.microsoft.com/azure/traffic-Manager/traffic-Manager-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/)✳️ [Azure Availability Zones]( https://azure.microsoft.com/global-infrastructure/availability-zones/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
🔄 [Azure SQL](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fazuresql)
🔄 [Load Balancer](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔄 [Traffic Manager Profiles](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Ftrafficmanagerprofiles)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scale\\\" or type contains \\\"traffic\\\" or type contains \\\"load\\\" or type contains \\\"balance\\\" or type contains \\\"pool\\\" or type contains \\\"set\\\" or type contains \\\"manager\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Elasticly Scaling Assets (Scale Sets, Pooling, Load Balancing, Traffic Managers)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Elastic 
Expansion\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability) 
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Regional 
Delivery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [DNS](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nDNS measures including DNS blackholing, DNSSEC for clients, and DNSSEC for domains. \\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"DNS Capability Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9641ace6-28a6-492a-a264-cf997a0b2929\",\"cellValue\":\"DNS Sinkholing\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNS Sinkholing\",\"style\":\"link\"},{\"id\":\"58350f74-c87b-4110-aa84-2d34f0b7b76d\",\"cellValue\":\"DNSSEC for Agency Clients\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNSSEC for Agency Clients\",\"style\":\"link\"},{\"id\":\"69514c8d-8a19-48db-a53d-02c1e12cf332\",\"cellValue\":\"DNSSEC for Agency Domains\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNSSEC for Agency Domains\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"DNS Capability Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS Sinkholing](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Administer DNS and Create Conditional Forwarders in an Azure Active Directory Domain Services Managed Domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-dns)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
🔄 [Windows Admin Center](https://www.microsoft.com/evalcenter/evaluate-windows-admin-center)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"domain\\\" or type contains \\\"dns\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Sinkholing\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Clients](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that domain name lookups from agency clients, whether for internal or external 
domains, are validated.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy](https://techcommunity.microsoft.com/t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331)
\\r\\n💡 [DANE Support](https://docs.microsoft.com/windows-server/networking/dns/what-s-new-in-dns-server#dane-support)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔄 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔄 [Windows Admin Center](https://www.microsoft.com/evalcenter/evaluate-windows-admin-center)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Request_Type\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: DNS Proxy Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Clients\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Domains](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Security Recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n🔄 [Windows Admin Center](https://www.microsoft.com/evalcenter/evaluate-windows-admin-center)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where RecommendationName contains \\\"dns\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for 
Agency Domains\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Intrusion Detection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nIntrusion Detection measures including endpoint detection & response, intrusion protection systems, adaptive access control, deception platforms, and certificate transparency log monitoring.\"},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Intrusion Detection Capability Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"732ea879-9952-465c-b6a5-f85cef33927f\",\"cellValue\":\"Endpoint Detection and Response\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Endpoint Detection and Response\",\"style\":\"link\"},{\"id\":\"d09eb27c-cab6-4ae8-978f-5bcc50a361f5\",\"cellValue\":\"Intrusion Protection Systems (IPS)\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Intrusion Protection Systems (IPS)\",\"style\":\"link\"},{\"id\":\"e22ab1a8-ded0-43e0-b8df-68d75ca8d073\",\"cellValue\":\"Adaptive Access Control\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Adaptive Access Control\",\"style\":\"link\"},{\"id\":\"5a55295b-0d64-4e5f-a84e-25a7bad66f5f\",\"cellValue\":\"Deception Platforms\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Deception Platforms\",\"style\":\"link\"},{\"id\":\"2674ad60-398d-42aa-a24d-7cbe20aa79a7\",\"cellValue\":\"Certificate Transparency Log Monitoring\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Certificate Transparency Log Monitoring\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Intrusion Detection Capability Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection and 
Response](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEndpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Overview of Endpoint Detection and Response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Endpoint Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Endpoint Detection and Response\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Protection Systems (IPS)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIntrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall Premium: IDPS](https://docs.microsoft.com/azure/firewall/premium-features#idps)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### Trusted Internet Connections\\r\\n💡 [TIC 3.0 Model](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with * \\\"TCP request from \\\" Source \\\" to \\\" Destination \\\". Action: \\\" ActionTaken \\\". Rule: \\\" IDPSSig \\\". IDS: \\\" IDSMessage \\\". Priority: \\\" Priority \\\". Classification: \\\" Classification\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: IDPS Alerts over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Protection Systems (IPS)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = SigninLogs\\r\\n | where AppDisplayName in ('*') or '*' in ('*')\\r\\n | where UserDisplayName in ('*') or '*' in ('*')\\r\\n | extend CAStatus = case(ConditionalAccessStatus == \\\"success\\\", \\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n | mvexpand ConditionalAccessPolicies\\r\\n | extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n | extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"endpoint\\\", \\\"Require endpoint Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined endpoint\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range(ago(14d), now(), 6h) by CAStatus\\r\\n )\\r\\n on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Status\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore 
This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Adaptive Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Deception Platforms](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency 
missions/business functions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Manage Sensitive or Honeytoken Accounts](https://docs.microsoft.com/defender-for-identity/manage-sensitive-honeytoken-accounts)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) \\r\\n\\r\\n### Microsoft Portal\\r\\n🔄 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Advanced Threat Protection\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Identity Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Deception Platforms\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Transparency Log Monitoring](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Get Started with Key Vault Certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Security Recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"cert\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Certificate Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • 
Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Transparency Log Monitoring\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Enterprise](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEnterprise-based controls including security orchestration automation & response, shadow IT detection, and virtual private networks. 
\"},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Enterprise Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d492afb3-4b6e-482e-8d63-6f8e42b9c8b5\",\"cellValue\":\"Security Orchestration, Automation, and Response (SOAR)\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Security Orchestration, Automation, and Response (SOAR)\",\"style\":\"link\"},{\"id\":\"d600f262-56b1-46d3-990f-1237edaa8eb5\",\"cellValue\":\"Shadow IT Detection\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Shadow IT Detection\",\"style\":\"link\"},{\"id\":\"008f3aaa-4b7d-4b10-a000-3b249bffa4f4\",\"cellValue\":\"Virtual Private Network (VPN)\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Virtual Private Network (VPN)\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Enterprise Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Orchestration, Automation, and Response (SOAR)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nSecurity Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Tutorial: Setup Automated Threat Responses in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend Connection = parse_json(properties)[\\\"parameters\\\"][\\\"$connections\\\"][\\\"value\\\"]\\r\\n| where Connection has \\\"managedApis/azuresentinel\\\"\\r\\n| project id, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"Automation Playbooks Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Orchestration, Automation, and Response 
(SOAR)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Shadow IT Detection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nShadow IT detection systems detect the presence of unauthorized software and systems in use by an agency.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Tutorial: Discover and Manage Shadow IT in Your Network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Endpoint Discovery - Navigating Your Way Through Unmanaged Devices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909)
\\r\\n💡 [Device Discovery Overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery)
\\r\\n💡 [Welcome to Azure Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Azure Defender for IoT](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP, PR.MA, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertType contains \\\"discovery\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Shadow IT Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Shadow IT Detection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Virtual Private Network (VPN)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVirtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is VPN Gateway?](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.MA, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"gate\\\" or type contains \\\"bastion\\\" or type contains \\\"route\\\" or type contains \\\"privateend\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"VPN Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Virtual Private Network (VPN)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Unified Communications & Collaboration](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nUCC measures including identity verification, encrypted communications, connection terminations, and data 
loss prevention. \\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Unified Communications & Collaboration Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"fdf75962-e198-458c-a72e-e09df349b23a\",\"cellValue\":\"UCC Identity Verification\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Identity Verification\",\"style\":\"link\"},{\"id\":\"d0d78efd-c1d1-4444-9dd9-dc8e7654895c\",\"cellValue\":\"UCC Encrypted Communication\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Encrypted Communication\\t\",\"style\":\"link\"},{\"id\":\"bd2d8df1-8c53-48ea-97a6-11d0e04c1201\",\"cellValue\":\"UCC Connection Termination\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Connection Termination\",\"style\":\"link\"},{\"id\":\"792ebae5-b8f3-4842-b97d-d57514d1a22c\",\"cellValue\":\"UCC Data Loss Prevention\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Data Loss Prevention\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Unified Communications & Collaboration Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\\r\\n💡 [Azure Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| where Operation == \\\"MemberAdded\\\"\\r\\n| extend DisplayName_ = tostring(Members[0].DisplayName)\\r\\n| summarize count() by DisplayName_\\r\\n| sort by count_ desc \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams: Members Added\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DisplayName_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| summarize count() by Operation\\r\\n| render piechart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Meetings: Operation Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Identity Verification\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Encrypted Communication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCommunication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. 
Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Azure Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Trustworthy by Default](https://docs.microsoft.com/microsoftteams/teams-security-guide#trustworthy-by-default)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| extend TeamsMembers = strcat(Members)\\r\\n| distinct Operation, UserId, TeamsMembers, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Encrypted Communication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Connection Termination](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Manage Meeting Policies in Teams](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams)
\\r\\n💡 [Manage Microsoft Teams Rooms](https://docs.microsoft.com/microsoftteams/rooms/rooms-manage)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.AT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Microsoft Teams for UCC Connection Termination Controls via Meeting Policies](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams?WT.mc_id=Portal-fx)\\r\\n![Image Name](https://docs.microsoft.com/microsoftteams/media/designated-presenter-role.png) \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Connection Termination\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Data Loss Prevention and Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/dlp-microsoft-teams)
\\r\\n💡[Communication Compliance in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by ApplicationName_s, LabelName_s\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DLP Logs by Application/Label\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Data 
Protection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nData protection measures including access control, protections for data at rest, protections for data in transit, data loss prevention, and data access & use telemetry. \"},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Data Protection Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9c4b9c9f-7222-4a89-8f5e-bf41698143fb\",\"cellValue\":\"Access Control_DP\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Access Control\",\"style\":\"link\"},{\"id\":\"51c9b125-5b22-48b0-ae6d-2504c7efb4cd\",\"cellValue\":\"Protections for Data at Rest\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Protections for Data at Rest\",\"style\":\"link\"},{\"id\":\"1327dfc1-236b-4f1a-b92c-7b4a6999d964\",\"cellValue\":\"Protections for Data in Transit\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Protections for Data in Transit\",\"style\":\"link\"},{\"id\":\"b0db0ea1-f337-4c8c-9d17-3cb221dc4378\",\"cellValue\":\"Data Loss Prevention_DP\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss Prevention \",\"style\":\"link\"},{\"id\":\"6f3d353f-c9dc-4197-836b-98243db6c707\",\"cellValue\":\"Data Access and Use Telemetry\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Access and Use Telemetry\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Data Protection Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to 
data and resources.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| summarize count() by Caller, OperationName\\r\\n| where Caller <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control 
Further\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"showPin\":false,\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access 
Control_DP\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data at Rest](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection at rest aims to secure data stored on any endpoint or storage medium.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Data Encryption at Rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n|where RecommendationName contains \\\"encrypt\\\" \\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data at Rest Recommenations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data at Rest\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data in Transit](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Data Encryption in Transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Encryption for Data in Transit](https://docs.microsoft.com/compliance/assurance/assurance-encryption-in-transit)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n|where RecommendationName contains \\\"HTTP\\\" or RecommendationName contains \\\"FTP\\\" or RecommendationName contains \\\"traffic\\\" or RecommendationName contains \\\"SSL\\\" or RecommendationName contains \\\"TLS\\\" or RecommendationName contains \\\"Secure Socket\\\" or RecommendationName contains \\\"server-side\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data in Transit Recommenations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data in Transit\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [What is Azure Purview?](https://docs.microsoft.com/azure/purview/overview)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Purview Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Purview%2FAccounts)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\t\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Activity_s, Operation_s, LabelName_s, ApplicationName_s\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"DLP Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_DP\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Access and Use 
Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, Activity_s_s, IPv4_s_s\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Access and Use Telemetry\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Access and Use Telemetry\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-ZeroTrust(TIC3.0)\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'DNS'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n 
Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Data Protection'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / 
Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Email'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or 
RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter 
ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Enterprise'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) 
[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Files'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic6-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": 
"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Intrusion Detection'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic7-id'))]", + "apiVersion": "2020-01-01", + "kind": 
"Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Networking'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic8-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Resiliency'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + 
"severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic9-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Unified Communications & Collaboration'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or 
PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic10-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Universal Security Capabilities'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n 
SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic11-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Web'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend 
RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.5", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "ZeroTrust(TIC3.0)", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Nikhil Tripathi", + "email": "v-ntripathi@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_ZeroTrustTIC3.0_workbook')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": 
"[variables('_ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + } + ] + }, + "firstPublishDate": "2021-10-20", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Identity", + "Security - Others" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json b/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json new file mode 100644 index 000000000000..1e5d3a23f2a4 --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json 
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/playbooks/template.json b/src/SecurityInsights/test/deployment-templates/playbooks/template.json
new file mode 100644
index 000000000000..076966bb2a3f
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/playbooks/template.json
@@ -0,0 +1,900 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Playbook1Name": { + "defaultValue": "Block-AADUser-Alert", + "type": "string" + }, + "Playbook2Name": { + "defaultValue": "Block-AADUser-Incident", + "type": "string" + }, + "Playbook3Name": { + "defaultValue": "Confirm-AADRiskyUser-Alert", + "type": "string" + }, + "Playbook4Name": { + "defaultValue": "Confirm-AADRiskyUser-Incident", + "type": "string" + } + }, + "variables": { + "AzureAD1ConnectionName": "[concat('azuread-', parameters('Playbook1Name'))]", + "AzureSentinel1ConnectionName": "[concat('azuresentinel-', parameters('Playbook1Name'))]", + "AzureAD2ConnectionName": "[concat('azuread-', parameters('Playbook2Name'))]", + "AzureSentinel2ConnectionName": "[concat('azuresentinel-', parameters('Playbook2Name'))]", + "AzureAD3ConnectionName": "[concat('azuread-', parameters('Playbook3Name'))]", + "AzureADIP3ConnectionName": "[concat('azureadip-', parameters('Playbook3Name'))]", + "AzureSentinel3ConnectionName": "[concat('azuresentinel-', parameters('Playbook3Name'))]", + "AzureAD4ConnectionName": "[concat('azuread-', parameters('Playbook4Name'))]", + "AzureADIP4ConnectionName": "[concat('azureadip-', parameters('Playbook4Name'))]", + "AzureSentinel4ConnectionName": "[concat('azuresentinel-', parameters('Playbook4Name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD1ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureAD1ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[variables('AzureSentinel1ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinel1ConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook1Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser_alert", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD1ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel1ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + 
"Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User was disabled in AAD via playbook

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

@{body('Update_user')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user')", + null + ] + } + ] + }, + "runAfter": { + "Update_user": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Update_user": { + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD1ConnectionName'))]", + "connectionName": "[variables('AzureAD1ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel1ConnectionName'))]", + "connectionName": 
"[variables('AzureSentinel1ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD2ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureAD2ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinel2ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinel2ConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook2Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD2ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel2ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{items('For_each')?['Name']} was disabled in AAD via playbook Block-AADUser.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user')", + null + ] + } + ] + }, + "runAfter": { + "Update_user": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Update_user": { + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD2ConnectionName'))]", + "connectionName": "[variables('AzureAD2ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel2ConnectionName'))]", + "connectionName": 
"[variables('AzureSentinel2ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD3ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "user@user.com", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureADIP3ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "user@user.com", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinel3ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('Playbook3Name')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook3Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Confirm-AADRiskyUser_alert", + 
"hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD3ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureADIP3ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel3ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User [@{concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix'])}] was confirmed compromised via playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Confirm_a_risky_user_as_compromised": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Confirm_a_risky_user_as_compromised": { + "inputs": { + "body": { + "userIds": [ + "@items('For_each')?['AadUserId']" + ] + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureadip']['connectionId']" + } + }, + "method": "post", + "path": "/beta/riskyUsers/confirmCompromised" + }, + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD3ConnectionName'))]", + "connectionName": "[variables('AzureAD3ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/azuread')]" + }, + "azureadip": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADIP3ConnectionName'))]", + "connectionName": "[variables('AzureADIP3ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel3ConnectionName'))]", + "connectionName": "[variables('AzureSentinel3ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD4ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureAD4ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureADIP4ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureADIP4ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinel4ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + 
"properties": { + "displayName": "[variables('AzureSentinel4ConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook4Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Confirm-AADRiskyUser", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD4ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureADIP4ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel4ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User [@{concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix'])}] was confirmed compromised via playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Confirm_a_risky_user_as_compromised": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Confirm_a_risky_user_as_compromised": { + "inputs": { + "body": { + "userIds": [ + "@items('For_each')?['AadUserId']" + ] + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureadip']['connectionId']" + } + }, + "method": "post", + "path": "/beta/riskyUsers/confirmCompromised" + }, + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD4ConnectionName'))]", + "connectionName": "[variables('AzureAD4ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/azuread')]" + }, + "azureadip": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADIP4ConnectionName'))]", + "connectionName": "[variables('AzureADIP4ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel4ConnectionName'))]", + "connectionName": "[variables('AzureSentinel4ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ], + "outputs": { + "Playbook1triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook1Name'), 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'), '2016-06-01').value]" + }, + "Playbook1LogicAppResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', parameters('Playbook1Name'))]" + }, + "Playbook2triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook2Name'), 'When_Azure_Sentinel_incident_creation_rule_was_triggered'), '2016-06-01').value]" + }, + "Playbook2LogicAppResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', parameters('Playbook2Name'))]" + }, + "Playbook3triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook3Name'), 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'), '2016-06-01').value]" + }, + "Playbook3LogicAppResourceId": { + "type": "string", + "value": 
"[resourceId('Microsoft.Logic/workflows', parameters('Playbook3Name'))]" + }, + "Playbook4triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook4Name'), 'When_Azure_Sentinel_incident_creation_rule_was_triggered'), '2016-06-01').value]" + }, + "Playbook4LogicAppResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', parameters('Playbook4Name'))]" + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json b/src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json new file mode 100644 index 000000000000..59652581ef84 --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Playbook1Name": { + "value": "Block-AADUser-Alert" + }, + "Playbook2Name": { + "value": "Block-AADUser-Incident" + }, + "Playbook3Name": { + "value": "Confirm-AADRiskyUser-Alert" + }, + "Playbook4Name": { + "value": "Confirm-AADRiskyUser-Incident" + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/sourceControl/template.json b/src/SecurityInsights/test/deployment-templates/sourceControl/template.json new file mode 100644 index 000000000000..fb215c145101 --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/sourceControl/template.json 
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "sourceControlId": {
+ "defaultValue": "sourceControlId",
+ "type": "string"
+ },
+ "sourceControlName": {
+ "defaultValue": "sourceControlName",
+ "type": "string"
+ },
+ "url": {
+ "defaultValue": "url",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/sourcecontrols",
+ "apiVersion": "2021-03-01-preview",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('sourceControlId'))]",
+ "properties": {
+ "contentTypes": [
+ "Parser",
+ "AnalyticsRule",
+ "AutomationRule",
+ "HuntingQuery",
+ "Playbook",
+ "Workbook"
+ ],
+ "displayName": "[parameters('sourceControlName')]",
+ "repository": {
+ "branch": "master",
+ "url": "[parameters('url')]"
+ },
+ "repoType": "GitHub"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json b/src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json
new file mode 100644
index 000000000000..4b4fec459bc9
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "sourceControlId": {
+ "value": "f37698f7-ff0b-48ae-8876-3a817069722c"
+ },
+ "sourceControlName": {
+ "value": "GetsourceControl1gabnr"
+ },
+ "url": {
+ "value": "https://github.com/dicolanl/gettest"
+ },
+ "workspaceName": {
+ "value": "asptestk9wyb8"
+ }
+ }
+}
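Review bot: `"branch": "master"` and `"repoType": "GitHub"` are hardcoded in the `sourcecontrols` resource while `url` is an unconstrained string parameter, and the committed parameters bind the workspace to an individual's personal repository, `https://github.com/dicolanl/gettest`. With `contentTypes` covering `Playbook`, `AnalyticsRule` and `AutomationRule`, whoever can push to that branch presumably controls what gets deployed into the test workspace, which makes this a supply-chain exposure for the test tenant rather than just test data. Expose the branch as a parameter, e.g. `"branch": { "defaultValue": "main", "type": "string" }` with `"branch": "[parameters('branch')]"` in the resource, and point the fixture at a repository owned by the project's organization rather than a personal account.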
diff --git a/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json
new file mode 100644
index 000000000000..0e244d5176dd
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "threatIntelligenceIndicatorId": {
+ "defaultValue": "threatIntelligenceIndicatorId",
+ "type": "string"
+ },
+ "threatIntelligenceIndicatorName": {
+ "defaultValue": "threatIntelligenceIndicatorName",
+ "type": "string"
+ },
+ "threatIntelligenceIndicatorDate": {
+ "defaultValue": "threatIntelligenceIndicatorDate",
+ "type": "string"
+ },
+ "ip": {
+ "defaultValue": "ip",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "ipPattern": "[concat('[ipv4-addr:value = ''', parameters('ip'), ''']')]"
+ },
+ "resources": [
+ {
+ "id": "",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/threatIntelligence/main/indicators",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/threatIntelligence/main/', parameters('threatIntelligenceIndicatorId'))]",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 0,
+ "threatTypes": [
+ "unknown"
+ ],
+ "displayName": "[parameters('threatIntelligenceIndicatorName')]",
+ "pattern": "[variables('ipPattern')]",
+ "patternType": "ipv4-addr",
+ "revoked": false,
+ "validFrom": "[parameters('threatIntelligenceIndicatorDate')]",
+ "validUntil": null,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": []
+ }
+ }
+ ]
+}
\ No newline at end of file
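Review bot: The indicator resource declaration carries `"id": ""`, which is not a resource-declaration property ARM recognizes and should be removed rather than left as an empty string. The `ip` parameter is also spliced verbatim into the STIX pattern in `ipPattern` via `concat('[ipv4-addr:value = ''', parameters('ip'), ''']')`, so a value containing a quote or bracket produces a malformed or differently scoped indicator. Since this is a test fixture the exposure is small, but constraining it to `"ip": { "type": "string", "minLength": 7, "maxLength": 15 }` and stating in the parameter's `metadata.description` that it must be a bare IPv4 literal would make the contract explicit.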
diff --git a/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
new file mode 100644
index 000000000000..846e6a1c0a3d
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "threatIntelligenceIndicatorId": {
+ "value": "05df7de8-16b9-4b58-a76a-6aafb8a9932a"
+ },
+ "threatIntelligenceIndicatorName": {
+ "value": "UpdateViaIdthreatIntelligenceIndicatorol6dht"
+ },
+ "threatIntelligenceIndicatorDate": {
+ "value": "Sun, 12 Dec 2021 01:00:00 GMT"
+ },
+ "ip": {
+ "value": "8.8.8.5"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/workspace/template.json b/src/SecurityInsights/test/deployment-templates/workspace/template.json
new file mode 100644
index 000000000000..f36211aa175e
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/workspace/template.json
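Review bot: The `ip` fixture value `8.8.8.5` is a live public address in Google's 8.8.8.0/24 range, so when this template is deployed in live test mode it presumably creates a real threat-intelligence indicator for that address in the test workspace. Use an RFC 5737 documentation address instead, e.g. `"value": "192.0.2.5"`, so the fixture can neither interact with real traffic nor be mistaken for genuine intelligence if the workspace is ever shared.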
@@ -0,0 +1,139 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "defaultValue": "asps",
+ "type": "String"
+ },
+ "newOnboardingStateWS": {
+ "defaultValue": "asps",
+ "type":"string"
+ },
+ "removeOnboardingStateWS": {
+ "defaultValue": "asps",
+ "type":"string"
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "name": "[parameters('workspaceName')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "retentionInDays": 90,
+ "features": {
+ "immediatePurgeDataOn30Days": true
+ },
+ "sku": {
+ "name": "PerGB2018"
+ }
+ }
+ },
+ {
+ "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ ],
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
+ },
+ "plan": {
+ "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
+ "product": "OMSGallery/SecurityInsights",
+ "publisher": "Microsoft",
+ "promotionCode": ""
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/onboardingStates",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/default')]",
+ "apiVersion": "2021-03-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ ],
+ "properties": {
+ "customerManagedKey": false
+ }
+ },
+ {
+ "name": "[parameters('newOnboardingStateWS')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "retentionInDays": 90,
+ "features": {
+ "immediatePurgeDataOn30Days": true
+ },
+ "sku": {
+ "name": "PerGB2018"
+ }
+ }
+ },
+ {
+ "name": "[parameters('removeOnboardingStateWS')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "retentionInDays": 90,
+ "features": {
+ "immediatePurgeDataOn30Days": true
+ },
+ "sku": {
+ "name": "PerGB2018"
+ }
+ }
+ },
+ {
+ "name": "[concat('SecurityInsights','(', parameters('removeOnboardingStateWS'),')')]",
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('removeOnboardingStateWS'))]"
+ ],
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('removeOnboardingStateWS'))]"
+ },
+ "plan": {
+ "name": "[concat('SecurityInsights','(', parameters('removeOnboardingStateWS'),')')]",
+ "product": "OMSGallery/SecurityInsights",
+ "publisher": "Microsoft",
+ "promotionCode": ""
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/onboardingStates",
+ "name": "[concat(parameters('removeOnboardingStateWS'),'/Microsoft.SecurityInsights/default')]",
+ "apiVersion": "2021-03-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('removeOnboardingStateWS'))]"
+ ],
+ "properties": {
+ "customerManagedKey": false
+ }
+ }
+ ],
+ "outputs": {
+ "workspaceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-11-01-preview').customerId]"
+ },
+ "workspaceKey": {
+ "type": "string",
+ "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-11-01-preview').primarySharedKey]"
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json b/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
new file mode 100644
index 000000000000..8a59f12eb8a6
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "newOnboardingStateWS": {
+ "value": "asptest0u4c9l"
+ },
+ "removeOnboardingStateWS": {
+ "value": "asptestdlvh1s"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/env.json b/src/SecurityInsights/test/env.json
new file mode 100644
index 000000000000..306ab0c29c22
--- /dev/null
+++ b/src/SecurityInsights/test/env.json
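Review bot: The `workspaceKey` output in the workspace template exposes `listKeys(...).primarySharedKey` as a plain `string` deployment output. Deployment outputs are persisted in the resource group's deployment history, so the workspace's primary shared key becomes readable by anyone who can read deployments, a much wider audience than those allowed to call `listKeys` on the workspace. ARM does not support `secureString` outputs, so there is no safe way to keep it here; drop the output, call `listKeys` at the point the key is actually consumed, and consider rotating the shared key for any workspace already deployed with this template.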
@@ -0,0 +1,184 @@ +{ + "RemoveincidentRelationIncidentId": "0c5dc585-a174-461c-a546-75dc9d7bedc8", + "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkName5modef", + "mlRuleGuid": "02874339-f9a1-4ced-bdaf-44b3d8eb57a6", + "GetincidentRelationId": "0ef2e445-e524-42ad-8810-fdd6cbe3e5f7", + "RemoveBookmarkRelationIncidentId": "4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1", + "RemoveViaIdAlertRuleActionId": "49c62647-0f89-442a-8fc1-76a2159daa80", + "RemoveBookmarkRelationName": "RemovebookmarkRelationfmks41", + "UpdateViaIdBookmarkRelationId": "e2e68737-82b4-49f0-822f-f9196f65aac8", + "RemoveViaIdBookmarkRelationId": "e6624397-ccd0-42fd-98b4-9730d7baa0e2", + "Playbook2TriggerUrl": "https://prod-29.centralus.logic.azure.com:443/workflows/10ed265c78bd4fdebbf4cf7fdd6e38ba/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=WpCBTIF6vR0G4L8RL36ZRYDJMKOOuGTaIH8RSwMqpqM", + "UpdateincidentCommentIncidentId": "4d88d68e-1a03-4287-b8d2-919981228c5c", + "RemoveentityQueryActivityName": "RemoveentityQueryActivity6ci45u", + "GetentityQueryActivityId": "1a4fe801-0031-4965-a4a1-5c68929b6d76", + "GetalertRuleActionRuleId": "453b8e9c-424a-4b50-8c6d-58de856d5abf", + "RemoveViaIdbookmarkRelationBookmarkId": "675541b3-2ae4-4199-b3b3-59f4b6c1f5b4", + "RemoveViaIdincidentCommentId": "97010b56-8d45-49b6-9f11-02d55ed685b8", + "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentoq4cge", + "UpdateBookmarkRelationIncidentId": "e788124d-3280-4da8-b9f7-3f464296947e", + "UpdateBookmarkName": "Updatebookmarktfriza", + "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamehqlcfb", + "RemoveViaIdincidentCommentIncidentId": "754fd7ba-74d1-42cc-8aa0-25593496d4bd", + "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulezi05h4", + "GetBookmarkRelationId": "4a09f636-6002-4389-80a1-b6a357af8225", + 
"UpdateincidentRelationIncidentId": "473aa008-13fc-4a61-9ea2-c3fdc64a828c", + "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentNameyci6fv", + "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNames3ckzp", + "RemoveincidentRelationId": "969e8896-2438-40e6-9455-f5fd9b30d396", + "UpdateViaIdentityQueryActivityId": "fb33bcbe-0bc0-433f-9910-e474dbfab616", + "workspaceResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd", + "RemoveViaIdincidentRelationId": "827874ba-8b75-40d5-ad61-57fbb9594309", + "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRuledgk4wi", + "Playbook4LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", + "UpdateViaIdAlertRuleId": "6dde1054-1a0b-4c5a-a9a8-3587c76613a2", + "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust", + "RemoveAutomationRuleId": "a3adc54b-e32d-4c80-8af2-988f5d59f102", + "GetincidentRelationIncidentId": "e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0", + "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5", + "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e", + "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorows6tu", + "RemoveincidentRelationBookmarkId": "ee0bcd82-8a83-41c3-8f97-9502c91951ec", + "GetthreatIntelligenceIndicatorIP": "8.8.8.1", + "GetAlertRuleActionId": "1ce91c05-b6a4-4476-9e83-4df36d224e97", + "UpdateincidentCommentName": "UpdateincidentCommentjmgwit", + "GetincidentRelationBookmarkId": "21e8e280-fe09-4a83-a662-4b0711e9c127", + "GetBookmarkRelationIncidentId": "69e3141d-30e8-49d1-9152-33f3b44cf6b0", + "RemoveBookmarkRelationId": "adad6e56-9f94-4fba-ba3b-96f4616cdf68", + "RemoveViaIdentityQueryActivityId": "f75cff94-cd35-4d3e-a20b-4c4eee51dd8e", + "RemovealertRuleActionRuleName": 
"RemovealertRuleActionRuleNamerey7av", + "RemoveViaIdBookmarkName": "RemoveViaIdbookmark061i4x", + "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRule1whyd4", + "RemoveBookmarkName": "Removebookmarkorux9k", + "UpdateincidentRelationId": "defc1116-f142-4647-a377-6869110f6e77", + "RemoveViaIdthreatIntelligenceIndicatorId": "b37ddba1-7a4f-1feb-9959-e1161d3bf335", + "ExpandBookmarkName": "Expandbookmarkq42uhy", + "UpdateAlertRuleId": "98981b11-0c0a-40bb-adc9-63f3693592bf", + "UpdateViaIdAutomationRuleId": "61701d90-8353-4d61-b435-f9905a31142d", + "RemoveViaIdAlertRuleId": "952fd6df-a3b8-4d0c-825a-53dcc519a480", + "RemoveincidentCommentIncidentId": "39c0047a-27bf-41d3-940d-bfb849d18460", + "ExpandBookmarkId": "b35d430d-02ac-4025-a10e-32cd2ffbe46b", + "GetAutomationRuleId": "34534660-0566-46ea-98f2-4f5ff70d51e4", + "RemovebookmarkRelationBookmarkId": "20d8a730-18a5-4a76-9420-a32e46ce5888", + "UpdateViaIdincidentId": "85b206c3-bf60-48e0-b492-71a79bb8503a", + "UpdateViaIdincidentRelationIncidentId": "43aedae6-3726-41c1-b0e8-9876df66aa2d", + "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRule62imtb", + "UpdateBookmarkId": "c6b3fee2-4b8e-4966-aaa7-94bd47e67021", + "RemoveentityQueryActivityId": "6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db", + "UpdateViaIdBookmarkName": "UpdateViaIdbookmark63g7uz", + "disabledRuleGuid": "10a698ca-8310-4b90-a86e-2f43fe285e56", + "updateDataConnectorId": "b4b8bb52-2917-4179-a28d-fb197dc52aa6", + "Playbook4TriggerUrl": "https://prod-03.centralus.logic.azure.com:443/workflows/b350a92d152342fb8f3b1a63b7a0df71/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=K2SOIlHPdarAt8bekyIFV4MNNTS2APO1E1EZrN2hmns", + "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamehynb4o", + "UpdateincidentRelationName": "UpdateincidentRelationNamesk65ol", + "GetthreatIntelligenceIndicatorId": 
"711bdb9e-2ecc-abba-d962-171ce4710199", + "RemoveincidentCommentName": "RemoveincidentCommentmhcwg3", + "RemoveAutomationRule": "RemoveAutomationRule0cjsva", + "UpdateAutomationRule": "UpdateAutomationRule1ceigy", + "RemoveViaIdincidentCommentName": "RemoveViaIdincidentComment8ftdy3", + "UpdateViaIdincidentCommentIncidentId": "aa0c1725-78eb-4c1e-87b8-9dd801ebf670", + "GetAutomationRule": "GetAutomationRulezbilmf", + "UpdateentityQueryActivityId": "64feba96-1f57-4f3d-8068-a1532ed4e2dc", + "GetincidentRelationName": "GetincidentRelationNamek8m1ts", + "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNameymswnj", + "UpdateBookmarkRelationId": "3106728c-12de-4dad-b0c6-603a9285765e", + "UpdateViaIdthreatIntelligenceIndicatorId": "e43bf713-da7f-8329-80bb-e1556c70abdd", + "UpdateViaIdalertRuleActionRuleId": "a555c523-e318-4501-bfe8-b9c6da354af7", + "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNameq9l2gm", + "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkNamehd50fa", + "location": "Central US", + "GetentityQueryActivityName": "GetentityQueryActivity6pi5by", + "RemoveViaIdincidentName": "RemoveViaIdincidentt6k39e", + "workspaceName": "asptest8xu4wd", + "RemoveViaIdincidentRelationIncidentId": "7bfb344d-ad2a-431d-9e39-78747ac51f54", + "UpdatebookmarkRelationBookmarkId": "6548e330-d18d-4690-b6fa-b5ba7f5eac27", + "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", + "UpdateViaIdBookmarkId": "e19c0b42-e8cf-4fae-8690-7d632b11beaf", + "GetAlertRuleId": "aa4274ad-8144-44e6-8dc2-669dc0b5ea0d", + "RemoveViaIdincidentRelationBookmarkId": "3dcbfb4e-d6fb-40df-a64a-29695148826d", + "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivity4n9kre", + "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameib8ohc", + "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatorol6dht", + "UpdateincidentRelationBookmarkId": "201247f4-bb20-4a3b-8e89-3609968c888f", + 
"GetAlertRuleName": "GetAlertRulez4ros0", + "UpdatethreatIntelligenceIndicatorId": "857acee8-b9d5-9c49-56c4-93496d0bf3bf", + "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivityt6dc5y", + "RemoveViaIdalertRuleActionRuleId": "a2dda58f-98fd-44db-ac37-397a9ccd9e25", + "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNametdo819", + "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6", + "RemoveViaIdincidentId": "1f88da2c-e158-4900-8d6e-a467f72fdd34", + "UpdateViaIdincidentRelationId": "b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4", + "RemovealertRuleActionRuleId": "3e459759-acb2-48cd-b091-f325a2618fb6", + "UpdateincidentId": "23dc6b0b-2413-4b21-94b3-242f576b73c2", + "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentNameewut32", + "RemovethreatIntelligenceIndicatorId": "ccfb7869-be18-0f44-ff2c-a9b36e598fd1", + "newOnboardingStateWS": "asptest0u4c9l", + "UpdateViaIdincidentCommentId": "c3bc7c2d-a384-4bb5-8fde-e2ee44fc18be", + "UpdateincidentCommentId": "2e3b2f73-ae6b-4e88-be17-6fd85a9400ee", + "RemoveViaIdAutomationRuleId": "37a50acc-05b0-41ad-be1d-7a53c88ff383", + "GetincidentCommentId": "1b475d8b-b763-4d91-9dc9-c2125a6531e9", + "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamebtlx8k", + "UpdatealertRuleActionRuleId": "09b5716f-9b0b-4663-8302-e17b94a12ead", + "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator9tg8p7", + "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleName1lirvu", + "RemoveAlertRuleId": "fdbab4a1-bd45-4dc1-a93b-e4aa20d16262", + "RemoveBookmarkId": "9ff7b322-3212-4574-bfad-4408206875f8", + "RemoveViaIdBookmarkRelationIncidentId": "7d56a89d-59f4-4b3a-aa71-34494c2f5f5c", + "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamea13fz8", + "GetincidentRelationIncidentName": "GetincidentRelationIncidentNamerea364", + "Tenant": "5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b", + "UpdateincidentRelationBookmarkName": 
"UpdateincidentRelationBookmarkNamewqmnkf", + "UpdateAutomationRuleId": "6b61f56c-c075-4127-9f2a-56a855dee096", + "GetincidentCommentIncidentId": "03f0e7ca-255a-49dc-a98d-19f65584d06c", + "UpdateBookmarkRelationName": "UpdatebookmarkRelationg84prd", + "RemoveViaIdBookmarkId": "4327ac2f-6115-4602-9616-83cf991298a5", + "UpdateAlertRuleName": "UpdateAlertRulevi15sc", + "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentName150wxv", + "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatornqcsd9", + "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4", + "RemoveincidentId": "cc0a7c84-b29b-4136-acbb-648a7237df0a", + "GetbookmarkRelationBookmarkId": "5df694bf-7774-49cf-a84b-282fd43a926b", + "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamepvhuk4", + "GetBookmarkRelationName": "GetbookmarkRelationt8sg7i", + "UpdateentityQueryActivityName": "UpdateentityQueryActivity1ewg7d", + "GetBookmarkName": "Getbookmark3k6sjz", + "Playbook3LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", + "GetincidentId": "853e143c-97fd-48f1-86df-c8a68dbb87f1", + "RemovethreatIntelligenceIndicatorIP": "8.8.8.2", + "UpdateAlertRuleActionId": "5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf", + "UpdateViaIdincidentName": "UpdateViaIdincident1anj4u", + "GetBookmarkId": "6eca09df-59e8-44f1-b96e-d316b4d3ad08", + "Playbook1LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", + "GetalertRuleActionRuleName": "GetalertRuleActionRuleName1539nb", + "resourceGroupName": "aspstest91v7fr", + "removeOnboardingStateWS": "asptestdlvh1s", + "RemoveincidentRelationName": "RemoveincidentRelationNamewlc2fd", + "solarigateRuleGuid": "af03fc0e-d33f-447a-8397-d60726aa92c5", + "RemoveincidentRelationIncidentName": 
"RemoveincidentRelationIncidentNameuk6d50", + "Playbook2LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", + "Playbook1TriggerUrl": "https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ", + "UpdateViaIdBookmarkRelationIncidentId": "6cbc4e33-d46b-4993-96e4-ecb0e44415cb", + "bookmarkExpansionId": "29d93f68-3f52-46b9-960c-ca3ea7bb8fa2", + "GetincidentCommentName": "GetincidentComment48q5k9", + "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNamexlrb8u", + "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNamecawzes", + "RemoveAlertRuleName": "RemoveAlertRulesuagz6", + "RemoveincidentName": "Removeincidentwy9zj7", + "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationxgibse", + "UpdateincidentName": "Updateincident59odxy", + "RemoveAlertRuleActionId": "d359018e-774c-4345-aad4-eaf449a72b0c", + "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationy7rd6c", + "UpdateViaIdincidentRelationBookmarkId": "f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a", + "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicator2c47h8", + "RemoveincidentCommentId": "2305a5f7-84eb-482c-bc88-33d76495c69c", + "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamepuj3oy", + "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkName72z1my", + "Playbook3TriggerUrl": 
"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo", + "dataConnectorId": "88da8507-46cb-4c34-9cf3-189e58b34c9e", + "GetincidentName": "Getincidentj0bimh", + "UpdateViaIdbookmarkRelationBookmarkId": "463b2e8b-17c1-48d6-94a3-7443b0ba2cbf", + "UpdateViaIdAlertRuleActionId": "34ec4b87-3f90-443e-9034-c32e77c5fb6e", + "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentName84x0ne", + "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamezks1qr", + "workspaceId": "04acdb04-b6a1-4292-a956-621f955f6a5f" +} diff --git a/src/SecurityInsights/test/loadEnv.ps1 b/src/SecurityInsights/test/loadEnv.ps1 new file mode 100644 index 000000000000..5f079e89615e --- /dev/null +++ b/src/SecurityInsights/test/loadEnv.ps1 
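Review bot: `Playbook1TriggerUrl` through `Playbook4TriggerUrl` embed Logic Apps callback URLs complete with their `sig=` shared access signatures, and that signature is the only credential needed to invoke the `Block-AADUser-*` and `Confirm-AADRiskyUser-*` workflows over HTTPS. Committing them publishes live tokens, so the values should be redacted in env.json, e.g. `"Playbook1TriggerUrl": "https://<redacted>/workflows/<redacted>/triggers/.../paths/invoke?sig=<redacted>"` (the recorded playback presumably does not need a valid signature), and the affected workflows' access keys regenerated, since anything that has appeared in a commit has to be treated as compromised. The file also pins a real `SubscriptionId`, `Tenant`, `workspaceId` and `ASIServicePrinicpal`; those are lower sensitivity but still worth replacing with placeholders for recorded mode so the fixture does not double as an inventory of the test tenant.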
@@ -0,0 +1,29 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Code generated by Microsoft (R) AutoRest Code Generator.Changes may cause incorrect behavior and will be lost if the code
+# is regenerated.
+# ----------------------------------------------------------------------------------
+$envFile = 'env.json'
+if ($TestMode -eq 'live') {
+ $envFile = 'localEnv.json'
+}
+
+if (Test-Path -Path (Join-Path $PSScriptRoot $envFile)) {
+ $envFilePath = Join-Path $PSScriptRoot $envFile
+} else {
+ $envFilePath = Join-Path $PSScriptRoot '..\$envFile'
+}
+$env = @{}
+if (Test-Path -Path $envFilePath) {
+ $env = Get-Content (Join-Path $PSScriptRoot $envFile) | ConvertFrom-Json
+ $PSDefaultParameterValues=@{"*:SubscriptionId"=$env.SubscriptionId; "*:Tenant"=$env.Tenant}
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/localEnv.json b/src/SecurityInsights/test/localEnv.json
new file mode 100644
index 000000000000..e962799eccb0
--- /dev/null
+++ b/src/SecurityInsights/test/localEnv.json
@@ -0,0 +1,184 @@
+{
+ "RemoveincidentName": "Removeincidentqlkgre",
+ "RemoveViaIdAutomationRuleId": "28b2a84c-15cb-4489-9653-060065dbb994",
+ "location": "Central US",
+ "ExpandBookmarkName": "Expandbookmarkt9lrd1",
+ "UpdateViaIdBookmarkRelationId": "e178d52f-0000-42ae-85a9-b4097cfa102f",
+ "UpdateBookmarkRelationIncidentId": "7333ddd9-da05-4e39-9e33-cb6891c08c0e",
+ "RemoveBookmarkName": "Removebookmarkcnu6jz",
+ "disabledRuleGuid": "7b87d568-20ef-40f8-b4f6-7b7815d1ae1c",
+ "UpdateincidentCommentIncidentId": "31707c99-9240-4185-9a17-f045c1d97e5d",
+ "GetincidentRelationBookmarkId": "8fdf4085-d70b-4f42-bc52-3247c106ec22",
+ "RemoveViaIdBookmarkId": "f2b22ba6-000a-4cf0-9d11-07bfd7105b2d",
+ "UpdateViaIdAutomationRuleId": "98d8b78a-ca81-4ced-bd2d-41f061158847",
+ "GetBookmarkRelationIncidentId": "c50576c1-8ae5-4d69-9c84-51b915442aee",
+ "Tenant": "5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b",
+ "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationjkmlgd",
+ "GetBookmarkRelationId": "8982fd8b-83e6-45e0-9799-5868e0cb905f",
+ "GetincidentRelationId": "5eaf5909-4185-448d-bad3-ceb48bac3a74",
+ "GetbookmarkRelationBookmarkId": "23fd78f1-f483-4745-8108-a825fc54c668",
+ "GetthreatIntelligenceIndicatorId": "d1b1f160-d4aa-355f-8b9e-597adc93450a",
+ "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulezkfopl",
+ "workspaceResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.OperationalInsights/workspaces/asptesttb8qd4",
+ "UpdateBookmarkRelationName": "UpdatebookmarkRelation6vhqpe",
+ "RemovethreatIntelligenceIndicatorId": "1b395a61-f885-1ab0-0a09-95821fa26aa7",
+ "GetBookmarkRelationName": "GetbookmarkRelationlfse2c",
+ "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamelmuts7",
+ "UpdateViaIdincidentRelationBookmarkId": "4b202976-d8f7-494a-a224-39d45b7d0cff",
+ "RemoveViaIdbookmarkRelationBookmarkId": "594263e9-423e-4092-8ae8-0583423e4c8d",
+ "GetincidentCommentName": 
"GetincidentCommentgxebuw",
+ "RemoveAlertRuleActionId": "633b140d-ca59-4a48-8f9f-cd43f9b73261",
+ "GetalertRuleActionRuleId": "f101d542-c309-4567-a2e9-1cc325569b5d",
+ "UpdateViaIdthreatIntelligenceIndicatorId": "f030be42-7bcf-82fe-9fff-c79d02081c70",
+ "Playbook2TriggerUrl": "https://prod-31.centralus.logic.azure.com:443/workflows/fb7bc41bf47343e4b8f00f55feb90295/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=ZKfu53ftc6aVUBP7k9OzIY94f_-0lHaxyi8eXboRHLQ",
+ "GetAutomationRule": "GetAutomationRuleuym980",
+ "resourceGroupName": "aspstestsxeqa6",
+ "solarigateRuleGuid": "2cb844f2-371c-4d04-aa0f-da7d8c1da714",
+ "UpdateincidentCommentId": "3cdc19ee-8fa9-4af7-9007-1d26a715c4c6",
+ "UpdateBookmarkId": "db7538eb-c83f-4329-86cf-52fc5c72aa6a",
+ "UpdateBookmarkRelationId": "848acdc1-cbf2-4cb5-841a-9c4e5cd18316",
+ "RemoveincidentRelationIncidentId": "c3d6462a-4906-4fdf-b6cd-f2bceb154012",
+ "Playbook4LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident",
+ "UpdateViaIdincidentRelationIncidentId": "787c7546-c409-4fc6-8557-970600748338",
+ "UpdateincidentRelationId": "30d3137c-ca38-42fb-b1d1-dd26231c3464",
+ "ExpandBookmarkId": "89b10d75-fe89-44f5-aed9-bc10efe6885e",
+ "UpdateentityQueryActivityId": "5b4f4f50-5f46-4e63-8a36-d8dc4174f6cd",
+ "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4",
+ "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationogjnp8",
+ "GetBookmarkId": "85eabd01-5f4a-4c18-b19f-f56c4dce112e",
+ "GetincidentCommentIncidentId": "aba444f2-6a0b-4259-b0ab-1980b691b823",
+ "Playbook2LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Block-AADUser-Incident",
+ "RemoveincidentId": 
"80072504-9637-4da1-92ee-f7bd513cb295",
+ "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNamenvqgmf",
+ "RemoveBookmarkRelationIncidentId": "a1c3e870-d61c-4937-b209-99f8d995e556",
+ "UpdateViaIdentityQueryActivityId": "8b85577f-e233-4b0d-aef6-9344ecc571aa",
+ "RemoveViaIdincidentRelationIncidentId": "5ca2173d-19be-41f5-a77b-a863fccd26ad",
+ "GetAlertRuleName": "GetAlertRuleyrgq5k",
+ "RemoveViaIdentityQueryActivityId": "a0cc7385-57ea-4037-ad6c-c9bb037eea5f",
+ "removeOnboardingStateWS": "asptestocpbvt",
+ "RemoveentityQueryActivityName": "RemoveentityQueryActivitypr8m91",
+ "GetincidentRelationIncidentId": "0a92e0ee-c2ec-46ba-972f-477097330ac0",
+ "mlRuleGuid": "3f4b8ca9-def5-4f66-afd5-2074a5bf0082",
+ "UpdateincidentName": "Updateincidentz5xmas",
+ "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamem0uzno",
+ "UpdateViaIdalertRuleActionRuleId": "f3992c63-7d9d-4e0b-8721-b9be19a79eec",
+ "RemoveincidentRelationBookmarkId": "d0aa7348-155b-44c5-a248-3758caa8622b",
+ "UpdateViaIdAlertRuleActionId": "cdb065bf-5d8c-430d-bdd9-1b19fecaef78",
+ "UpdateViaIdincidentRelationId": "efe4cdcc-e040-4dba-a14d-f9b79cd060b7",
+ "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3",
+ "Playbook4TriggerUrl": "https://prod-26.centralus.logic.azure.com:443/workflows/d11ac7194c4a439cbaab4fff7e1c2ad7/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=OR8RFdoiKx_lO0u8Z71Yb-qUgOeDh1feyin0ZppXb3k",
+ "UpdateAutomationRuleId": "0b3b4818-7e4a-47ea-b1be-3dd02503ce7b",
+ "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamep5q8gb",
+ "UpdateViaIdBookmarkName": "UpdateViaIdbookmarko0bj1a",
+ "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNamega43se",
+ "RemovealertRuleActionRuleId": "2e249e48-e8a7-4e47-b69b-c9d41f751b50",
+ "RemoveViaIdentityQueryActivityName": 
"RemoveViaIdentityQueryActivitycsp8zk",
+ "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicator7odgnj",
+ "RemoveincidentCommentIncidentId": "ebcc4150-0a62-4c60-8c79-412d61397a0f",
+ "UpdateAlertRuleId": "bbbec7e8-5e76-4092-b183-9bdf001cc9e7",
+ "RemoveentityQueryActivityId": "6ed85318-1c68-4b9c-aed6-e721e3bbde9a",
+ "RemoveViaIdthreatIntelligenceIndicatorId": "712311c9-2f77-f167-7c61-62935fa5d49d",
+ "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkName8tclhr",
+ "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNameg4jvqn",
+ "RemoveincidentCommentName": "RemoveincidentCommentchevml",
+ "RemoveincidentRelationName": "RemoveincidentRelationName81itvb",
+ "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNamebak41c",
+ "UpdateAlertRuleActionId": "020f10bb-9108-40b2-82b8-6c3d96150c24",
+ "RemoveBookmarkRelationId": "40999731-ca81-45ed-8323-7bdf8c8e0592",
+ "UpdateViaIdAlertRuleId": "0f2c489b-891e-47fe-a876-28a4dcae7129",
+ "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationName1xd3of",
+ "UpdateincidentRelationBookmarkId": "702d8e66-6c4f-4285-8c54-3064c6713ee7",
+ "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRulepb9037",
+ "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentu07v8a",
+ "RemoveViaIdincidentId": "b96b299e-8a07-428c-90e8-a9925726ed45",
+ "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicatoret45oy",
+ "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust",
+ "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e",
+ "GetincidentCommentId": "6754ad39-2e25-4b61-a931-8797fa4742cf",
+ "GetthreatIntelligenceIndicatorIP": "8.8.8.1",
+ "UpdateViaIdincidentCommentId": "7336a21d-525b-43f0-91cc-d58af6ebddcb",
+ "UpdatebookmarkRelationBookmarkId": "29a94766-52e8-46d4-90aa-3ece020b836a",
+ "GetincidentRelationIncidentName": "GetincidentRelationIncidentNameh8ixuv",
+ "UpdateViaIdbookmarkRelationIncidentName": 
"UpdateViaIdbookmarkRelationIncidentNamev7bxe6",
+ "RemoveViaIdincidentRelationBookmarkId": "8aa5fa2e-321e-4663-b1bc-1f73d73aedc7",
+ "RemoveAutomationRuleId": "94ca78d2-0bcf-4f44-aa36-136d40ec8a3a",
+ "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNameiux6cn",
+ "RemoveAlertRuleName": "RemoveAlertRuleiamp95",
+ "RemoveViaIdincidentRelationId": "fa4ec427-fc28-4926-a0ef-9300313c48e6",
+ "UpdateViaIdincidentId": "a4fff7db-5896-435a-91b8-4efa9f287eed",
+ "RemoveViaIdincidentCommentId": "afe1f474-cc63-4c1c-9198-952438781715",
+ "Playbook3LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert",
+ "GetincidentRelationName": "GetincidentRelationNameclg6xw",
+ "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNamehks4oz",
+ "Playbook3TriggerUrl": "https://prod-02.centralus.logic.azure.com:443/workflows/0ccd0d021db94a059cff9733217f26dd/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=TOg5dFUmA5ar1zjTL85yE9WzxYlQBcxLOUiUe1LC06w",
+ "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkName2xuftl",
+ "UpdateincidentCommentName": "UpdateincidentCommentlcjsfe",
+ "GetAutomationRuleId": "967770b5-4642-4d5f-865d-c9cd372c746e",
+ "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5",
+ "UpdateViaIdincidentCommentIncidentId": "27a64d51-9f07-4451-ae16-976d68857423",
+ "RemoveBookmarkRelationName": "RemovebookmarkRelation7tspcu",
+ "Playbook1LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Block-AADUser-Alert",
+ "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicator0ge1km",
+ "GetAlertRuleId": "4be22fd3-5d4f-4a29-a527-57f9a2dae2f0",
+ "GetincidentName": 
"Getincidentvmrcqe",
+ "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamewukm9n",
+ "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentName31yd8e",
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6",
+ "UpdateViaIdincidentName": "UpdateViaIdincidentx791sq",
+ "newOnboardingStateWS": "asptestk42pgv",
+ "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRule8whjl7",
+ "UpdateentityQueryActivityName": "UpdateentityQueryActivityj2x9oy",
+ "RemoveViaIdincidentName": "RemoveViaIdincidentqrg6vs",
+ "UpdateincidentRelationName": "UpdateincidentRelationName2xeun0",
+ "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRulezk9y4v",
+ "UpdateViaIdBookmarkRelationIncidentId": "99d13007-8893-437d-b7d7-0c213ae7b3db",
+ "UpdateincidentRelationIncidentId": "ed0cfad2-f9e9-446c-a1ec-659194145750",
+ "RemoveBookmarkId": "3871571d-3110-4105-8104-e727f3b4d371",
+ "GetAlertRuleActionId": "3dd36704-ec12-4d83-87d1-f7e05bb46e26",
+ "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivityvwk3a6",
+ "UpdateViaIdBookmarkId": "18bd8f59-8475-412f-8ac6-5bda97dce895",
+ "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamepo9tax",
+ "GetentityQueryActivityId": "9c01fde5-a458-4564-a710-3ec6afedc6ac",
+ "GetentityQueryActivityName": "GetentityQueryActivityaw7qsx",
+ "RemoveViaIdalertRuleActionRuleId": "9bed28fb-87c7-4530-b655-c3dcf14e637e",
+ "dataConnectorId": "f731f4fd-0336-445f-8672-8196f49236c6",
+ "RemoveAutomationRule": "RemoveAutomationRule7zhtoe",
+ "RemoveViaIdAlertRuleActionId": "865181a1-0f22-4a3c-a49f-c5e1af8b42ee",
+ "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName1pliw8",
+ "RemoveViaIdBookmarkName": "RemoveViaIdbookmarkf8byrj",
+ "RemoveViaIdAlertRuleId": "8b62bd9b-fdaf-4b8e-b141-9a102f054770",
+ "Playbook1TriggerUrl": 
"https://prod-08.centralus.logic.azure.com:443/workflows/062a9e68aa874175b8f47d291cb891fc/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=48ORoEBUQ8w7epFI-VcmaNJNq7wu1kfdbI7A-jl267o",
+ "RemoveincidentRelationId": "09fd1812-cd51-4a0e-b6c8-2c68f4a489d3",
+ "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamex28bvi",
+ "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatortmcixj",
+ "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamep4hb2t",
+ "RemoveincidentCommentId": "927c5e0d-139f-4446-8ee5-27b139498267",
+ "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentksd6cw",
+ "UpdateincidentId": "4f96f5d6-22c7-4ec1-bde0-da5502846eee",
+ "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicatorcmxphj",
+ "UpdateViaIdbookmarkRelationBookmarkId": "ccb53d45-5a9c-4b72-a88e-fe90158d9642",
+ "RemoveViaIdincidentCommentIncidentId": "c8c2adc7-50aa-4ee7-9c90-972f547b0a19",
+ "UpdateBookmarkName": "Updatebookmarkt1wq40",
+ "UpdateAutomationRule": "UpdateAutomationRulen6cw3k",
+ "UpdatethreatIntelligenceIndicatorId": "aeb7c6c3-fb45-61a6-9453-d69f7e98ffa6",
+ "bookmarkExpansionId": "b6c6ba8e-3173-4784-b4d7-50d9c5dad904",
+ "GetBookmarkName": "Getbookmark2ywan5",
+ "UpdatealertRuleActionRuleId": "a4d250d6-460c-417a-952d-4c50f444165b",
+ "RemovethreatIntelligenceIndicatorIP": "8.8.8.2",
+ "RemovebookmarkRelationBookmarkId": "0fa74f90-4c76-4ba4-8ced-42557229bb0e",
+ "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkNameyduxnr",
+ "workspaceName": "asptesttb8qd4",
+ "GetincidentId": "8701f6ec-cf8f-4c11-84dd-bc6c82d87a6e",
+ "RemoveViaIdBookmarkRelationId": "4d7b81af-e639-4a95-b5a4-21fc4418c656",
+ "GetalertRuleActionRuleName": "GetalertRuleActionRuleName94evnz",
+ "workspaceId": "e6526ca0-d207-42ee-b3ad-2f9bac77f370",
+ 
"updateDataConnectorId": "ceed24f3-9d49-446f-905f-be0edd531832",
+ "RemoveAlertRuleId": "524a0399-9e2c-4e79-9a72-c870910c6330",
+ "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentNamelf0hcd",
+ "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleNamexc0get",
+ "UpdateAlertRuleName": "UpdateAlertRulegi5cnk",
+ "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNameb4xl1t",
+ "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameedqyn4",
+ "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentName27k90i",
+ "RemoveViaIdBookmarkRelationIncidentId": "2c25ce36-be91-424b-9681-ae377e825b16"
+}
diff --git a/src/SecurityInsights/test/sampleData/AuditLogs.csv b/src/SecurityInsights/test/sampleData/AuditLogs.csv
new file mode 100644
index 000000000000..25a470ed95a0
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/AuditLogs.csv
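Review bot: The `Playbook1TriggerUrl` through `Playbook4TriggerUrl` values embed Logic App callback URLs whose `sp=`, `sv=` and `sig=` query parameters form a shared access signature that authorizes invoking those workflows, and they sit next to a live `SubscriptionId`, `Tenant` and `workspaceResourceId`; committing the file publishes a usable credential. This is the file loadEnv.ps1 selects when `$TestMode` is `'live'`, so it should be excluded from source control (a `test/localEnv.json` entry in the module's .gitignore, with the live-test setup writing it locally) and the signatures on the four workflows regenerated now that the current ones are in history. The same `sig=` tokens appear in the `Playbook*TriggerUrl` entries of env.json in the preceding hunk, which is the playback file and is equally checked in.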
@@ -0,0 +1,6 @@
+OperationName,TenantId,AADTenantId,ActivityDateTime,ResourceId,CorrelationId,SourceSystem,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AdditionalDetails,Id,InitiatedBy,LoggedByService,Result,ResultReason,TargetResources,ActivityDisplayName,AADOperationType,Type
+Update application – Certificates and secrets management ,,,,,9cee9603-bca7-4e62-9634-f1bfdc39ca2f,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62"",""key"":""User-Agent""}]",Directory_9cee9603-bca7-4e62-9634-f1bfdc39ca2f_1261B_35670955,"{""user"":{""displayName"":null,""userPrincipalName"":""victim@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""45.153.160.2"",""roles"":[],""id"":""34070915-82ff-492a-801f-e90484e79248""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\""]"",""newValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\"",\""[KeyIdentifier=11ca002d-d846-4692-8e1f-501db99f485a,KeyType=Password,KeyUsage=Verify,DisplayName=key 2]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""purview-spn-user099"",""type"":""Application"",""id"":""020c2630-81fb-5678-9a9c-ce9984a45458""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,05cb7360-e689-4ce0-ba41-90aea748f764,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62"",""key"":""User-Agent""}]",Directory_05cb7360-e689-4ce0-ba41-90aea748f764_40B6F_20567843,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""192.168.5.8"",""roles"":[],""id"":""04dc7a40-2617-4044-b6e7-fdd8771b88a2""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=1714a3cf-c8dc-40e6-bc2a-fdfaf55baf42,KeyType=Password,KeyUsage=Verify,DisplayName=PurviewAppAccess]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp01"",""type"":""Application"",""id"":""a05db9f5-91e6-4bba-xxxx-cf38984e89fc""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,c12b4df2-9263-4f72-aeac-a0947ee77886,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_c12b4df2-9263-4f72-aeac-a0947ee77886_T6RO5_48034739,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""185.20.35.69"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=8c123b9d-31e6-4f50-a21f-88eabc8857e5,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated 
Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp02"",""type"":""Application"",""id"":""a9929be8-b429-4918-ab41-0604fc9356b4""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,eb556ded-81df-427f-9552-e9a7161db0de,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_eb556ded-81df-427f-9552-e9a7161db0de_DZ0PK_68632943,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""33.88.24.12"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=bd3aa4f4-0737-42be-8506-1d2378a2ff0b,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp03"",""type"":""Application"",""id"":""20bdf178-f471-41bd-936f-2d4e0970b66c""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,61576753-576a-47ba-8c1c-69047fd50427,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 
(MSI)"",""key"":""User-Agent""}]",Directory_61576753-576a-47ba-8c1c-69047fd50427_UETZH_76356316,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""172.19.53.7"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=a9d6190a-ee00-45ba-9975-4fa0b00bd4f4,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp04"",""type"":""Application"",""id"":""b89ea4f7-3fb2-4731-b1cf-a4ee5d5624b9""}]",Update application – Certificates and secrets management ,Update,AuditLogs
diff --git a/src/SecurityInsights/test/sampleData/AzureAcitivity.csv b/src/SecurityInsights/test/sampleData/AzureAcitivity.csv
new file mode 100644
index 000000000000..c959ee300bcb
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/AzureAcitivity.csv
@@ -0,0 +1,1232 @@ +TenantId,SourceSystem,CallerIpAddress,CategoryValue,CorrelationId,Authorization,Authorization_d,Claims,Claims_d,Level,OperationNameValue,Properties,Properties_d,Caller,EventDataId,EventSubmissionTimestamp [UTC],HTTPRequest,OperationId,ResourceGroup,ResourceProviderValue,ActivityStatusValue,ActivitySubstatusValue,Hierarchy,TimeGenerated,SubscriptionId,OperationName,ActivityStatus,ActivitySubstatus,Category,ResourceId,ResourceProvider,Resource,Type,_ResourceId +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,a2bba39a-d17f-404d-9919-e59039e73ad4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""action"": ""Microsoft.Web/sites/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"",""action"":""Microsoft.Web/sites/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": 
""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""nbf"":""1619619948"",""exp"":""1619623848"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/SITES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""message"": ""Microsoft.Web/sites/delete"", + 
""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""6f5ca24c-de95-451a-b91e-7a7ab209c28b"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:32:14.0298107Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""okta-new"", + ""resourceGroup"": ""SENTINEL-MAINRG"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" +}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"",""message"":""Microsoft.Web/sites/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""6f5ca24c-de95-451a-b91e-7a7ab209c28b"",""eventSubmissionTimestamp"":""2021-04-28T14:32:14.0298107Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""okta-new"",""resourceGroup"":""SENTINEL-MAINRG"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,6f5ca24c-de95-451a-b91e-7a7ab209c28b,"4/28/2021, 2:32:14.029 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINEL-MAINRG,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:32:14.029 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinel-mainrg/providers/microsoft.web/sites/okta-new +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,22c5c3ad-e049-48b1-be62-19076302c6e4,"{ + ""scope"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""action"": ""Microsoft.SecurityInsights/alertRules/write"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"",""action"":""Microsoft.SecurityInsights/alertRules/write"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": 
""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""nbf"":""1619619948"",""exp"":""1619623848"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE,"{ + ""statusCode"": ""Created"", + ""serviceRequestId"": null, + ""eventCategory"": ""Administrative"", + ""entity"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""message"": ""Microsoft.SecurityInsights/alertRules/write"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""ce96bc52-0093-49aa-af81-f1d22a72e6f0"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:35:00.6739282Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""resourceGroup"": ""SENTINELYANIVSH"", + ""resourceProviderValue"": ""MICROSOFT.OPERATIONALINSIGHTS"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""Created"" 
+}","{""statusCode"":""Created"",""serviceRequestId"":null,""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"",""message"":""Microsoft.SecurityInsights/alertRules/write"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""ce96bc52-0093-49aa-af81-f1d22a72e6f0"",""eventSubmissionTimestamp"":""2021-04-28T14:35:00.6739282Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"",""resourceGroup"":""SENTINELYANIVSH"",""resourceProviderValue"":""MICROSOFT.OPERATIONALINSIGHTS"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success"",""activitySubstatusValue"":""Created""}",AdeleV@M365x816222.OnMicrosoft.com,ce96bc52-0093-49aa-af81-f1d22a72e6f0,"4/28/2021, 2:35:00.673 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINELYANIVSH,MICROSOFT.OPERATIONALINSIGHTS,Success,Created,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:35:00.673 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinelyanivsh/providers/microsoft.operationalinsights/workspaces/centricdemo/providers/microsoft.securityinsights/alertrules/017c0f30-87ea-4ab0-802a-51def37b0721 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": 
""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": 
""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/CUSTOMAPIS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/customApis/Resilent"", + ""message"": ""Microsoft.Web/customApis/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""a2594dff-d22d-42c1-b1e7-37184a3f0683"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:00.317969Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""resilent"", + ""resourceGroup"": ""BTPOC"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/customApis/Resilent"",""message"":""Microsoft.Web/customApis/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""a2594dff-d22d-42c1-b1e7-37184a3f0683"",""eventSubmissionTimestamp"":""2021-04-28T14:44:00.3179690Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""resilent"",""resourceGroup"":""BTPOC"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,a2594dff-d22d-42c1-b1e7-37184a3f0683,"4/28/2021, 2:44:00.317 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:00.317 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc/providers/microsoft.web/customapis/resilent +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,b62b273a-d336-4ead-b1ac-223f3220e772,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""5027afa0-8274-40bd-84fc-8652c20e259d"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:47.6410254Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""oneloginlogs1234"", + ""resourceGroup"": ""GBB01"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""5027afa0-8274-40bd-84fc-8652c20e259d"",""eventSubmissionTimestamp"":""2021-04-28T14:42:47.6410254Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""oneloginlogs1234"",""resourceGroup"":""GBB01"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,5027afa0-8274-40bd-84fc-8652c20e259d,"4/28/2021, 2:42:47.641 PM","{""clientIpAddress"":""37.142.150.162""}",,GBB01,MICROSOFT.KEYVAULT,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:47.641 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/gbb01/providers/microsoft.keyvault/vaults/oneloginlogs1234 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,b62b273a-d336-4ead-b1ac-223f3220e772,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""statusCode"": ""OK"", + ""serviceRequestId"": ""c1c4dc22-3b83-4b2e-ae58-1a829989b8e4"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""63139859-0aaf-474c-98b9-ed18b7d4b6a7"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:51.9161118Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""oneloginlogs1234"", + ""resourceGroup"": ""GBB01"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""OK"" 
+}","{""statusCode"":""OK"",""serviceRequestId"":""c1c4dc22-3b83-4b2e-ae58-1a829989b8e4"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""63139859-0aaf-474c-98b9-ed18b7d4b6a7"",""eventSubmissionTimestamp"":""2021-04-28T14:42:51.9161118Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""oneloginlogs1234"",""resourceGroup"":""GBB01"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success"",""activitySubstatusValue"":""OK""}",AdeleV@M365x816222.OnMicrosoft.com,63139859-0aaf-474c-98b9-ed18b7d4b6a7,"4/28/2021, 2:42:51.916 PM","{""clientIpAddress"":""37.142.150.162""}",,GBB01,MICROSOFT.KEYVAULT,Success,OK,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:51.916 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/gbb01/providers/microsoft.keyvault/vaults/oneloginlogs1234 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,a2bba39a-d17f-404d-9919-e59039e73ad4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""action"": ""Microsoft.Web/sites/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + 
""principalType"": ""User"" + } +}","{""evidence"":{""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalType"":""User"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""role"":""Contributor""},""action"":""Microsoft.Web/sites/delete"",""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new""}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + 
""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""xms_tcdt"":""1591748537"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""nbf"":""1619619948"",""exp"":""1619623848"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1
,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""puid"":""10032000C757D25F""}",,MICROSOFT.WEB/SITES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""message"": ""Microsoft.Web/sites/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""b925d0cb-46c9-450e-9f6d-4fbf69a34dfe"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:31:30.0219975Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""okta-new"", + ""resourceGroup"": ""SENTINEL-MAINRG"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" +}","{""eventSubmissionTimestamp"":""2021-04-28T14:31:30.0219975Z"",""resourceProviderValue"":""MICROSOFT.WEB"",""activityStatusValue"":""Start"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""eventCategory"":""Administrative"",""resourceGroup"":""SENTINEL-MAINRG"",""eventDataId"":""b925d0cb-46c9-450e-9f6d-4fbf69a34dfe"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""resource"":""okta-new"",""message"":""Microsoft.Web/sites/delete"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new""}",AdeleV@M365x816222.OnMicrosoft.com,b925d0cb-46c9-450e-9f6d-4fbf69a34dfe,"4/28/2021, 2:31:30.021 
PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINEL-MAINRG,MICROSOFT.WEB,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:31:30.021 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinel-mainrg/providers/microsoft.web/sites/okta-new +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,a2bba39a-d17f-404d-9919-e59039e73ad4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""action"": ""Microsoft.Web/sites/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""evidence"":{""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalType"":""User"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""role"":""Contributor""},""action"":""Microsoft.Web/sites/delete"",""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new""}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": 
""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""xms_tcdt"":""1591748537"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""nbf"":""1619619948"",""exp"":""1619623848"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""puid"":""10032000C757D25F""}",,MICROSOFT.WEB/SITES/DELETE,"{ + ""statusCode"": ""OK"", + ""serviceRequestId"": ""c5b3981e-03ba-4e01-9703-1de27cb9218f"", + ""eventCategory"": ""Administrative"", + ""entity"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""message"": ""Microsoft.Web/sites/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""bd53ca1f-63d8-4886-9a3e-6869172bd5f2"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:31:40.3331458Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""okta-new"", + ""resourceGroup"": ""SENTINEL-MAINRG"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""OK"" +}","{""eventSubmissionTimestamp"":""2021-04-28T14:31:40.3331458Z"",""resourceProviderValue"":""MICROSOFT.WEB"",""activityStatusValue"":""Success"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""eventCategory"":""Administrative"",""resourceGroup"":""SENTINEL-MAINRG"",""eventDataId"":""bd53ca1f-63d8-4886-9a3e-6869172bd5f2"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""activitySubstatusValue"":""OK"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""resource"":""okta-new"",""serviceRequestId"":""c5b3981e-03ba-4e01-9703-1de27cb9218f"",""message"":""Microsoft.Web/sites/delete"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"",""statusCode"":""OK""}",AdeleV@M365x816222.OnMicrosoft.com,bd53ca1f-63d8-4886-9a3e-6869172bd5f2,"4/28/2021, 2:31:40.333 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINEL-MAINRG,MICROSOFT.WEB,Success,OK,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:31:40.333 
PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinel-mainrg/providers/microsoft.web/sites/okta-new +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,22c5c3ad-e049-48b1-be62-19076302c6e4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""action"": ""Microsoft.SecurityInsights/alertRules/write"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""evidence"":{""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalType"":""User"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""role"":""Contributor""},""action"":""Microsoft.SecurityInsights/alertRules/write"",""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721""}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + 
""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""xms_tcdt"":""1591748537"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""nbf"":""1619619948"",""exp"":""1619623848"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""puid"":""10032000C757D25F""}",,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""message"": ""Microsoft.SecurityInsights/alertRules/write"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""133ceed0-b1f0-42be-867b-a6c32858cff2"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:34:58.2130169Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""resourceGroup"": ""SENTINELYANIVSH"", + ""resourceProviderValue"": ""MICROSOFT.OPERATIONALINSIGHTS"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" +}","{""eventSubmissionTimestamp"":""2021-04-28T14:34:58.2130169Z"",""resourceProviderValue"":""MICROSOFT.OPERATIONALINSIGHTS"",""activityStatusValue"":""Start"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""eventCategory"":""Administrative"",""resourceGroup"":""SENTINELYANIVSH"",""eventDataId"":""133ceed0-b1f0-42be-867b-a6c32858cff2"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""resource"":""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"",""message"":""Microsoft.SecurityInsights/alertRules/write"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721""}",AdeleV@M365x816222.OnMicrosoft.com,133ceed0-b1f0-42be-867b-a6c3285
8cff2,"4/28/2021, 2:34:58.213 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINELYANIVSH,MICROSOFT.OPERATIONALINSIGHTS,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:34:58.213 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinelyanivsh/providers/microsoft.operationalinsights/workspaces/centricdemo/providers/microsoft.securityinsights/alertrules/017c0f30-87ea-4ab0-802a-51def37b0721 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,3387cf7f-24b2-482f-9f4e-1ef7ceb08c14,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""action"": ""Microsoft.Compute/virtualMachines/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""action"":""Microsoft.Compute/virtualMachines/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": 
""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""message"": 
""Microsoft.Compute/virtualMachines/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""d6b94a7d-d7d3-44ac-8771-dc7a2a2048fb"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:36:53.0422877Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""linux01"", + ""resourceGroup"": ""VM-RG01"", + ""resourceProviderValue"": ""MICROSOFT.COMPUTE"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" +}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""message"":""Microsoft.Compute/virtualMachines/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""d6b94a7d-d7d3-44ac-8771-dc7a2a2048fb"",""eventSubmissionTimestamp"":""2021-04-28T14:36:53.0422877Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""linux01"",""resourceGroup"":""VM-RG01"",""resourceProviderValue"":""MICROSOFT.COMPUTE"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,d6b94a7d-d7d3-44ac-8771-dc7a2a2048fb,"4/28/2021, 2:36:53.042 PM","{""clientIpAddress"":""37.142.150.162""}",,VM-RG01,MICROSOFT.COMPUTE,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:36:53.042 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/vm-rg01/providers/microsoft.compute/virtualmachines/linux01 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,3387cf7f-24b2-482f-9f4e-1ef7ceb08c14,"{ + ""scope"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""action"": ""Microsoft.Compute/virtualMachines/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""action"":""Microsoft.Compute/virtualMachines/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + 
""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE,"{ + ""statusCode"": ""Accepted"", + ""serviceRequestId"": ""4b895e78-45c6-421a-a904-adb1f810bf99"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""message"": ""Microsoft.Compute/virtualMachines/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""9a0ebf0f-aa1f-4a59-b0d6-cb0f10e134ec"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:36:53.2672695Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""linux01"", + ""resourceGroup"": ""VM-RG01"", + ""resourceProviderValue"": ""MICROSOFT.COMPUTE"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Accept"", + ""activitySubstatusValue"": ""Accepted"" 
+}","{""statusCode"":""Accepted"",""serviceRequestId"":""4b895e78-45c6-421a-a904-adb1f810bf99"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""message"":""Microsoft.Compute/virtualMachines/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""9a0ebf0f-aa1f-4a59-b0d6-cb0f10e134ec"",""eventSubmissionTimestamp"":""2021-04-28T14:36:53.2672695Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""linux01"",""resourceGroup"":""VM-RG01"",""resourceProviderValue"":""MICROSOFT.COMPUTE"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Accept"",""activitySubstatusValue"":""Accepted""}",AdeleV@M365x816222.OnMicrosoft.com,9a0ebf0f-aa1f-4a59-b0d6-cb0f10e134ec,"4/28/2021, 2:36:53.267 PM","{""clientIpAddress"":""37.142.150.162""}",,VM-RG01,MICROSOFT.COMPUTE,Accept,Accepted,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:36:53.267 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/vm-rg01/providers/microsoft.compute/virtualmachines/linux01 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,3387cf7f-24b2-482f-9f4e-1ef7ceb08c14,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""action"": ""Microsoft.Compute/virtualMachines/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": 
""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""action"":""Microsoft.Compute/virtualMachines/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": 
""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""message"": ""Microsoft.Compute/virtualMachines/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""095e97d1-1189-4e03-8988-027b8484659f"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:36:57.5457406Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""linux01"", + ""resourceGroup"": ""VM-RG01"", + ""resourceProviderValue"": ""MICROSOFT.COMPUTE"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""message"":""Microsoft.Compute/virtualMachines/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""095e97d1-1189-4e03-8988-027b8484659f"",""eventSubmissionTimestamp"":""2021-04-28T14:36:57.5457406Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""linux01"",""resourceGroup"":""VM-RG01"",""resourceProviderValue"":""MICROSOFT.COMPUTE"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,095e97d1-1189-4e03-8988-027b8484659f,"4/28/2021, 2:36:57.545 PM","{""clientIpAddress"":""37.142.150.162""}",,VM-RG01,MICROSOFT.COMPUTE,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:36:57.545 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/vm-rg01/providers/microsoft.compute/virtualmachines/linux01 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/CONNECTIONS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/connections/azuresentinel-Create-ReslientIncident"", + ""message"": ""Microsoft.Web/connections/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""efcc6aed-66df-4275-af35-d193fa592064"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:00.7229035Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""azuresentinel-create-reslientincident"", + ""resourceGroup"": ""BTPOC"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/connections/azuresentinel-Create-ReslientIncident"",""message"":""Microsoft.Web/connections/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""efcc6aed-66df-4275-af35-d193fa592064"",""eventSubmissionTimestamp"":""2021-04-28T14:44:00.7229035Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""azuresentinel-create-reslientincident"",""resourceGroup"":""BTPOC"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,efcc6aed-66df-4275-af35-d193fa592064,"4/28/2021, 2:44:00.722 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:00.722 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc/providers/microsoft.web/connections/azuresentinel-create-reslientincident +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""c5f9284b-9db9-4f6a-b40c-ea217b795b2a"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:47.9541343Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""EY_DEMO"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""c5f9284b-9db9-4f6a-b40c-ea217b795b2a"",""eventSubmissionTimestamp"":""2021-04-28T14:43:47.9541343Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""EY_DEMO"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,c5f9284b-9db9-4f6a-b40c-ea217b795b2a,"4/28/2021, 2:43:47.954 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:47.954 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""statusCode"": ""Accepted"", + ""serviceRequestId"": null, + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""a16b075b-6bc3-4b66-8745-6b7a36adb050"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:48.5341324Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""EY_DEMO"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Accept"", + ""activitySubstatusValue"": ""Accepted"" 
+}","{""statusCode"":""Accepted"",""serviceRequestId"":null,""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""a16b075b-6bc3-4b66-8745-6b7a36adb050"",""eventSubmissionTimestamp"":""2021-04-28T14:43:48.5341324Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""EY_DEMO"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Accept"",""activitySubstatusValue"":""Accepted""}",AdeleV@M365x816222.OnMicrosoft.com,a16b075b-6bc3-4b66-8745-6b7a36adb050,"4/28/2021, 2:43:48.534 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,,Accept,Accepted,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:48.534 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""statusCode"": ""OK"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC"", + ""message"": ""Microsoft.Resources/subscriptions/resourcegroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""c7f9c8cd-350d-4e40-8f9b-fd43b5232b36"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:55.6152351Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""BTPOC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""statusCode"":""OK"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC"",""message"":""Microsoft.Resources/subscriptions/resourcegroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""c7f9c8cd-350d-4e40-8f9b-fd43b5232b36"",""eventSubmissionTimestamp"":""2021-04-28T14:44:55.6152351Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""BTPOC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,c7f9c8cd-350d-4e40-8f9b-fd43b5232b36,"4/28/2021, 2:44:55.615 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:55.615 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,6ba231ee-8a6b-4ddb-9bce-cbaa4000fc5f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""7a47678a-ccc4-4ee7-8097-7ff38462770a"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:38.1773722Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""messagetracerg77"", + ""resourceGroup"": ""RG77"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""7a47678a-ccc4-4ee7-8097-7ff38462770a"",""eventSubmissionTimestamp"":""2021-04-28T14:42:38.1773722Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""messagetracerg77"",""resourceGroup"":""RG77"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,7a47678a-ccc4-4ee7-8097-7ff38462770a,"4/28/2021, 2:42:38.177 PM","{""clientIpAddress"":""37.142.150.162""}",,RG77,MICROSOFT.KEYVAULT,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:38.177 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/rg77/providers/microsoft.keyvault/vaults/messagetracerg77 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,6ba231ee-8a6b-4ddb-9bce-cbaa4000fc5f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""statusCode"": ""OK"", + ""serviceRequestId"": ""b51752c4-842f-4ff2-b73a-c0c40ef626e5"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""58af7909-cccb-4c7c-bb13-e37cdea744aa"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:44.7701036Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""messagetracerg77"", + ""resourceGroup"": ""RG77"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""OK"" 
+}","{""statusCode"":""OK"",""serviceRequestId"":""b51752c4-842f-4ff2-b73a-c0c40ef626e5"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""58af7909-cccb-4c7c-bb13-e37cdea744aa"",""eventSubmissionTimestamp"":""2021-04-28T14:42:44.7701036Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""messagetracerg77"",""resourceGroup"":""RG77"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success"",""activitySubstatusValue"":""OK""}",AdeleV@M365x816222.OnMicrosoft.com,58af7909-cccb-4c7c-bb13-e37cdea744aa,"4/28/2021, 2:42:44.770 PM","{""clientIpAddress"":""37.142.150.162""}",,RG77,MICROSOFT.KEYVAULT,Success,OK,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:44.770 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/rg77/providers/microsoft.keyvault/vaults/messagetracerg77 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,b62b273a-d336-4ead-b1ac-223f3220e772,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + 
""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + 
""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""994afaf9-56c9-4492-a8ef-2690c4d1294b"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:25.2241883Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""oneloginlogs1234"", + ""resourceGroup"": ""GBB01"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""994afaf9-56c9-4492-a8ef-2690c4d1294b"",""eventSubmissionTimestamp"":""2021-04-28T14:43:25.2241883Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""oneloginlogs1234"",""resourceGroup"":""GBB01"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,994afaf9-56c9-4492-a8ef-2690c4d1294b,"4/28/2021, 2:43:25.224 PM","{""clientIpAddress"":""37.142.150.162""}",,GBB01,MICROSOFT.KEYVAULT,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:25.224 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/gbb01/providers/microsoft.keyvault/vaults/oneloginlogs1234 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.LOGIC/WORKFLOWS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Logic/workflows/Sentinel-Ingest-AAD-SignInLog"", + ""message"": ""Microsoft.Logic/workflows/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""7213d612-94b6-4ddb-856f-bb723409f48c"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:22.9477862Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""sentinel-ingest-aad-signinlog"", + ""resourceGroup"": ""EY_DEMO"", + ""resourceProviderValue"": ""MICROSOFT.LOGIC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Logic/workflows/Sentinel-Ingest-AAD-SignInLog"",""message"":""Microsoft.Logic/workflows/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""7213d612-94b6-4ddb-856f-bb723409f48c"",""eventSubmissionTimestamp"":""2021-04-28T14:44:22.9477862Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""sentinel-ingest-aad-signinlog"",""resourceGroup"":""EY_DEMO"",""resourceProviderValue"":""MICROSOFT.LOGIC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,7213d612-94b6-4ddb-856f-bb723409f48c,"4/28/2021, 2:44:22.947 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,MICROSOFT.LOGIC,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:22.947 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo/providers/microsoft.logic/workflows/sentinel-ingest-aad-signinlog +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/CONNECTIONS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Web/connections/azureloganalyticsdatacollector"", + ""message"": ""Microsoft.Web/connections/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""4af29ade-c9eb-418b-b5f5-54d0ac892c7f"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:22.2177653Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""azureloganalyticsdatacollector"", + ""resourceGroup"": ""EY_DEMO"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Web/connections/azureloganalyticsdatacollector"",""message"":""Microsoft.Web/connections/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""4af29ade-c9eb-418b-b5f5-54d0ac892c7f"",""eventSubmissionTimestamp"":""2021-04-28T14:44:22.2177653Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""azureloganalyticsdatacollector"",""resourceGroup"":""EY_DEMO"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,4af29ade-c9eb-418b-b5f5-54d0ac892c7f,"4/28/2021, 2:44:22.217 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:22.217 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo/providers/microsoft.web/connections/azureloganalyticsdatacollector +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,6ba231ee-8a6b-4ddb-9bce-cbaa4000fc5f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""0d0db332-83b8-4a90-9be5-47685712c9cf"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:20.660355Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""messagetracerg77"", + ""resourceGroup"": ""RG77"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""0d0db332-83b8-4a90-9be5-47685712c9cf"",""eventSubmissionTimestamp"":""2021-04-28T14:43:20.6603550Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""messagetracerg77"",""resourceGroup"":""RG77"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,0d0db332-83b8-4a90-9be5-47685712c9cf,"4/28/2021, 2:43:20.660 PM","{""clientIpAddress"":""37.142.150.162""}",,RG77,MICROSOFT.KEYVAULT,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:20.660 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/rg77/providers/microsoft.keyvault/vaults/messagetracerg77 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""6bad33c9-7732-47b4-b6ce-ed842811213c"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:19.9929621Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""BTPOC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""6bad33c9-7732-47b4-b6ce-ed842811213c"",""eventSubmissionTimestamp"":""2021-04-28T14:43:19.9929621Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""BTPOC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,6bad33c9-7732-47b4-b6ce-ed842811213c,"4/28/2021, 2:43:19.992 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:19.992 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""statusCode"": ""Accepted"", + ""serviceRequestId"": null, + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""e6092106-d8c4-4a36-87d4-356f9b6b701d"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:23.1230263Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""BTPOC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Accept"", + ""activitySubstatusValue"": ""Accepted"" 
+}","{""statusCode"":""Accepted"",""serviceRequestId"":null,""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""e6092106-d8c4-4a36-87d4-356f9b6b701d"",""eventSubmissionTimestamp"":""2021-04-28T14:43:23.1230263Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""BTPOC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Accept"",""activitySubstatusValue"":""Accepted""}",AdeleV@M365x816222.OnMicrosoft.com,e6092106-d8c4-4a36-87d4-356f9b6b701d,"4/28/2021, 2:43:23.123 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,,Accept,Accepted,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:23.123 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc
diff --git a/src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv b/src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv
new file mode 100644
index 000000000000..af1bda393f48
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv
@@ -0,0 +1,2 @@
+Timestamp,Policy Identity,Identities/0,InternalIp,ExternalIp,Action,QueryType,ResponseCode,Domain,Categories/0,Categories/1,Categories/2,Policy Identity Type,Identity Types/0,Blocked Categories,EventType
+2019-09-12T20:00:00.625Z,HOSTNAME,HOSTNAME, 17.81.146.1,15.230.137.45,Allowed,1 (A),NOERROR,avsvmcloud.com,Software/Technology,Business Services,Infrastructure,,Anyconnect Roaming Client,,dnslogs
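Review bot: The InternalIp value on the data row carries a leading space (`HOSTNAME,HOSTNAME, 17.81.146.1`), and RFC 4180 readers keep that space as part of the field, so any test that parses or joins on that column will see ` 17.81.146.1` rather than an address; drop it: `2019-09-12T20:00:00.625Z,HOSTNAME,HOSTNAME,17.81.146.1,15.230.137.45,Allowed,1 (A),NOERROR,avsvmcloud.com,...`. Separately, 17.81.146.1 is not an RFC 1918 address, so a column named InternalIp holding it reads inconsistently; if the fixture means a private client, a 10.x or 192.168.x value would match the column's intent. The file is a test fixture with no comment syntax, so if the public-looking addresses and the avsvmcloud.com domain are deliberate trigger values for the analytics under test, a line in the test or a README next to the sample data saying so would save the next reader from treating them as live telemetry.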
diff --git a/src/SecurityInsights/test/sampleData/CommonSecurityLog.csv b/src/SecurityInsights/test/sampleData/CommonSecurityLog.csv
new file mode 100644
index 000000000000..a7d3f5e3d5d8
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/CommonSecurityLog.csv
@@ -0,0 +1,2 @@ +TenantId,SourceSystem,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort_string,RemotePort_int,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloa
tingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime [UTC],EndTime,Type,_ResourceId
+8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,,Vectra Networks,X Series,hidden_https_tunnel_cnc,2.2,,,,,,,443,15.230.137.45,192.168.52.37,ClientPc.contoso.com,type1,tcp,,17.81.146.1,,,,,,,,,,,,,6.6,Hidden HTTPS Tunnel,,,,,,,,,,,,,,,07605jn8l36uranbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com,,,,,,,,,,,54,,,,,,,,,,56296,,,,,,,,,,1748,,,,,,IP-10.10.1.130,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://x29-1-37.sc.tvec/detections/54?detail_id\=322,Vectra Event URL,FALSE,triaged,,,,,,,,,22,threat,64,certainty,,,,,cat=COMMAND & CONTROL;start=1617770662000;end=1617772463000,,,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/microsoft.compute/virtualmachines/soc-fw-cef
diff --git a/src/SecurityInsights/test/sampleData/OfficeActivity.csv b/src/SecurityInsights/test/sampleData/OfficeActivity.csv
new file mode 100644
index 000000000000..58d4a21391f2
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/OfficeActivity.csv
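Review bot: The event URL on the data row keeps a CEF-style escaped equals sign, `https://x29-1-37.sc.tvec/detections/54?detail_id\=322`; in CSV the backslash is literal data, so a test that compares or parses that value will see `detail_id\=322` rather than `detail_id=322`. Either unescape it in the fixture (`https://x29-1-37.sc.tvec/detections/54?detail_id=322`) or, if the row is meant to mirror the raw CEF payload byte-for-byte, say so where the file is consumed. The URL also appears to sit in a DeviceCustomString column (its label `Vectra Event URL` follows it) while the dedicated RequestURL column is left empty, which looks deliberate for a Vectra record but is easy to misread against this header; a one-line note in the consuming test would make the intended column mapping explicit.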
@@ -0,0 +1,583 @@ +TenantId,Application,UserDomain,ApplicationId,UserAgent,RecordType,TimeGenerated [UTC],Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,MachineId,Site_Url,Site_Url_,SourceRelativeUrl,SourceRelativeUrl_,SourceFileName,SourceFileName_,SourceFileExtension,DestinationRelativeUrl,DestinationFileName,DestinationFileExtension,UserSharedWith,SharingType,CustomEvent,Event_Data,ModifiedObjectResolvedName,Parameters,ExternalAccess,OriginatingServer,OrganizationName,Logon_Type,InternalLogonType,MailboxGuid,MailboxOwnerUPN,MailboxOwnerSid,MailboxOwnerMasterAccountSid,LogonUserSid,LogonUserDisplayName,ClientInfoString,Client_IPAddress,ClientMachineName,ClientProcessName,ClientVersion,Folder,CrossMailboxOperations,DestMailboxId,DestMailboxOwnerUPN,DestMailboxOwnerSid,DestMailboxOwnerMasterAccountSid,DestFolder,Folders,AffectedItems,Item,ModifiedProperties,SendAsUserSmtp,SendAsUserMailboxGuid,SendOnBehalfOfUserSmtp,SendonBehalfOfUserMailboxGuid,ExtendedProperties,Client,LoginStatus,Actor,ActorContextId,ActorIpAddress,InterSystemsId,IntraSystemId,SupportTicketId,TargetContextId,DataCenterSecurityEventType,EffectiveOrganization,ElevationTime [UTC],ElevationApprover,ElevationApprovedTime [UTC],ElevationRequestId,ElevationRole,ElevationDuration,GenericInfo,SourceSystem,OfficeId,SourceRecordId,AzureActiveDirectory_EventType,AADTarget,Start_Time [UTC],OfficeTenantId,OfficeTenantId_,TargetUserOrGroupName,TargetUserOrGroupType,MessageId,Members,TeamName,TeamGuid,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ExchangeAdmin,New-InboxRule,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,10032000C757D25F,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/AdeleV\rule2,AdeleV@contoso.OnMicrosoft.com,AdeleV@contoso.OnMicrosoft.com,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:36185,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:36185,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""AlwaysDeleteOutlookRulesBlob"", + ""Value"": ""False"" + }, + { + ""Name"": ""Force"", + ""Value"": ""False"" + }, + { + ""Name"": ""MoveToFolder"", + ""Value"": ""Junk Email"" + }, + { + ""Name"": ""Name"", + ""Value"": ""rule2"" + }, + { + ""Name"": ""SubjectContainsWords"", + ""Value"": ""do not open"" + }, + { + ""Name"": ""StopProcessingRules"", + ""Value"": ""True"" + } +]",FALSE,MWHPR06MB3440 (15.20.4065.026),contoso.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/26/2021, 7:17:10.000 AM",,,,,,,OfficeActivityManager,d28096ba-03b1-4c2a-1503-08d908826606,d28096ba-03b1-4c2a-1503-08d908826606,,,"4/26/2021, 7:17:10.000 AM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity,, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ExchangeAdmin,New-InboxRule,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,10032000C757D25F,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/AdeleV\my_rule1,AdeleV@contoso.OnMicrosoft.com,AdeleV@contoso.OnMicrosoft.com,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:45955,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:45955,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""AlwaysDeleteOutlookRulesBlob"", + ""Value"": ""False"" + }, + { + ""Name"": ""Force"", + ""Value"": ""False"" + }, + { + ""Name"": ""Name"", + ""Value"": ""my_rule1"" + }, + { + ""Name"": ""BodyContainsWords"", + ""Value"": ""covid-19"" + }, + { + ""Name"": 
""DeleteMessage"", + ""Value"": ""True"" + }, + { + ""Name"": ""StopProcessingRules"", + ""Value"": ""True"" + } +]",FALSE,MWHPR06MB3440 (15.20.4065.026),contoso.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/26/2021, 6:37:32.000 AM",,,,,,,OfficeActivityManager,d2d1b1e1-4327-4c24-b9eb-08d9087c624c,d2d1b1e1-4327-4c24-b9eb-08d9087c624c,,,"4/26/2021, 6:37:32.000 AM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity,, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 3:05:26.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 3:13:17.000 PM",,,,,,,OfficeActivityManager,84365963-570a-4424-38da-08d90a570e02,84365963-570a-4424-38da-08d90a570e02,,,"4/28/2021, 3:13:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 3:05:24.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 3:13:17.000 PM",,,,,,,OfficeActivityManager,38d99a5f-e6d7-4786-59cd-08d90a570cc0,38d99a5f-e6d7-4786-59cd-08d90a570cc0,,,"4/28/2021, 3:13:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,50,"4/28/2021, 2:54:37.000 PM",MailItemsAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,Client=REST;Client=RESTSystem;;,2603:10b6:5:345::11,,,,,,,,,,,"[ + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + } + ], + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + } + ], + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEJAAAB"", + ""Path"": ""\\Sent Items"" + } +]",,,,,,,,,,,,,,,,,,,,"4/28/2021, 3:01:57.000 PM",,,,,,,OfficeActivityManager,2ad854c0-d9c3-43b5-95d8-826aea0d10ca,2ad854c0-d9c3-43b5-95d8-826aea0d10ca,,,"4/28/2021, 3:01:57.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""Value"":""Bind"",""Name"":""MailAccessType""},{""Value"":""False"",""Name"":""IsThrottled""}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficePods,SharePointFileOperation,"4/28/2021, 2:50:22.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.232.229.242,52.232.229.242,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:58:17.000 PM",,,,,,,OfficeActivityManager,fa28f91d-86c4-40a8-f621-08d90a54f336,fa28f91d-86c4-40a8-f621-08d90a54f336,,,"4/28/2021, 2:58:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:50:14.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/office_activity_inbox_rule.csv,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,office_activity_inbox_rule.csv,office_activity_inbox_rule.csv,csv,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:58:17.000 PM",,,,,,,OfficeActivityManager,5fa8e714-cec1-4673-1ba3-08d90a54eebb,5fa8e714-cec1-4673-1ba3-08d90a54eebb,,,"4/28/2021, 2:58:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:45:26.000 PM",FileDeleted,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Timesheet_AdeleV.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,Timesheet_AdeleV.xlsx,Timesheet_AdeleV.xlsx,xlsx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,56dab345-b820-4018-489b-08d90a5442ac,56dab345-b820-4018-489b-08d90a5442ac,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ComplianceDLPSharePoint,"4/28/2021, 2:44:51.000 PM",DLPRuleUndo,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,System,DlpPolicyEventBasedAssistantOneDriveForBusiness,OneDrive,,,c15e9245-9033-4eb7-9e2a-9c277fdfa8cd,DlpPolicyEventBasedAssistantOneDriveForBusiness,DlpPolicyEventBasedAssistantOneDriveForBusiness,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,9b7c3de9-b51a-4a38-9704-2eed1debdb05,9b7c3de9-b51a-4a38-9704-2eed1debdb05,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ComplianceDLPSharePoint,"4/28/2021, 2:44:51.000 PM",DLPRuleUndo,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,System,DlpPolicyEventBasedAssistantOneDriveForBusiness,OneDrive,,,c15e9245-9033-4eb7-9e2a-9c277fdfa8cd,DlpPolicyEventBasedAssistantOneDriveForBusiness,DlpPolicyEventBasedAssistantOneDriveForBusiness,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,49d454d7-eb96-4969-b444-3c6f0f71fc02,49d454d7-eb96-4969-b444-3c6f0f71fc02,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:24.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Forms/All.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents/Forms,Documents/Forms,All.aspx,All.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,a2cffea7-7da5-4407-a864-08d90a541e05,a2cffea7-7da5-4407-a864-08d90a541e05,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:24.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/_layouts/15/OfficeExtensionManager.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,3648c7b9-e69b-447d-55ec-08d90a541e09,3648c7b9-e69b-447d-55ec-08d90a541e09,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:44:22.000 
PM",Send,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,40.69.136.121,40.69.136.121,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,Client=REST;;,40.69.136.121,,,,,,,,,,,,,"{ + ""Attachments"": ""AttachedImage (3165b); AttachedImage (1665b); AttachedImage (2603b); AttachedImage (5423b); AttachedImage (3675b)"", + ""Id"": ""Unknown"", + ""InternetMessageId"": """", + ""Subject"": ""Adele Vance shared \""Contoso Purchasing Data - Q1\"" with you."" +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:51:59.000 PM",,,,,,,OfficeActivityManager,1cbba653-5d7b-44a0-1e31-08d90a541cfb,1cbba653-5d7b-44a0-1e31-08d90a541cfb,,,"4/28/2021, 2:51:59.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,3138fe80-4087-4b04-80a6-8866c738028a,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:20.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.232.229.242,52.232.229.242,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,ca575319-064c-47e7-57b7-08d90a541b50,ca575319-064c-47e7-57b7-08d90a541b50,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:19.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.232.229.242,52.232.229.242,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,fb9fed54-1565-49ca-b006-08d90a541b0f,fb9fed54-1565-49ca-b006-08d90a541b0f,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:19.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.226.109.30,52.226.109.30,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing 
Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,f365ee81-1b32-4248-4d2e-08d90a541ad1,f365ee81-1b32-4248-4d2e-08d90a541ad1,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:19.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.226.109.30,52.226.109.30,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,d07894e6-b3f1-44e0-22a4-08d90a541ad7,d07894e6-b3f1-44e0-22a4-08d90a541ad7,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:18.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing 
Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,a763ee1b-ae57-4b54-5679-08d90a541a77,a763ee1b-ae57-4b54-5679-08d90a541a77,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:44:16.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,,,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,533f4a65-dc0f-49e1-2038-08d90a541912,533f4a65-dc0f-49e1-2038-08d90a541912,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:44:16.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,,,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For Web 91712858-b19e-4aa3-9678-0bff2599b6b7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,7a9151c0-fd8a-4507-840f-08d90a541914,7a9151c0-fd8a-4507-840f-08d90a541914,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:16.000 PM",AnonymousLinkCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - 
Q1.xlsx,xlsx,,,,,,,EditFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,51bc597a-c8cf-41d1-ac7f-08d90a5418fc,51bc597a-c8cf-41d1-ac7f-08d90a5418fc,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:16.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,SharingLinks.c15e9245-9033-4eb7-9e2a-9c277fdfa8cd.AnonymousEdit.b7617884-851c-4d88-94fe-a5b9c5dde90c,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,774a0589-09b6-43d3-be05-08d90a54190f,774a0589-09b6-43d3-be05-08d90a54190f,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:15.000 
PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""SharingLinks.c15e9245-9033-4eb7-9e2a-9c277fdfa8cd.AnonymousEdit.b7617884-851c-4d88-94fe-a5b9c5dde90c"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,8d035a8d-f330-4785-1738-08d90a541845,8d035a8d-f330-4785-1738-08d90a541845,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,System.LimitedEditFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,cd723b64-5a01-48fd-ef7f-08d90a54185c,cd723b64-5a01-48fd-ef7f-08d90a54185c,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,d932bf970e2864062aa6dc2207522f615d0910004eec23187293fa28d27de578,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,TrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,72385cdd-5a9b-4f9e-c727-08d90a541855,72385cdd-5a9b-4f9e-c727-08d90a541855,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,016bd739-4bb2-4a66-d963-08d90a541868,016bd739-4bb2-4a66-d963-08d90a541868,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,d932bf970e2864062aa6dc2207522f615d0910004eec23187293fa28d27de578,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:15.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For Web 91712858-b19e-4aa3-9678-0bff2599b6b7"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e11154e0-9398-462b-9e54-08d90a54186d,e11154e0-9398-462b-9e54-08d90a54186d,,,"4/28/2021, 2:53:20.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:15.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,5fa59cbf-4fca-4f67-7708-08d90a541866,5fa59cbf-4fca-4f67-7708-08d90a541866,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For Web 
91712858-b19e-4aa3-9678-0bff2599b6b7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e96e77a7-7eb7-4b89-00c8-08d90a541870,e96e77a7-7eb7-4b89-00c8-08d90a541870,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,d932bf970e2864062aa6dc2207522f615d0910004eec23187293fa28d27de578,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,ContributeFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,de5c60c3-0c85-41c1-4f8c-08d90a54187e,de5c60c3-0c85-41c1-4f8c-08d90a54187e,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,SharingLinks.c15e9245-9033-4eb7-9e2a-9c277fdfa8cd.AnonymousEdit.b7617884-851c-4d88-94fe-a5b9c5dde90c,SharePointGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,Limited AccessFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,50fed770-a196-455b-277c-08d90a541877,50fed770-a196-455b-277c-08d90a541877,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62,SharePointGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com//personal/adelev_m365x816222_onmicrosoft_com/Sharing 
Links,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,List,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Sharing Links,Sharing Links,,,,,,,,,,FalseFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,3d461d97-1c52-41b7-85b4-08d90a5418d6,3d461d97-1c52-41b7-85b4-08d90a5418d6,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:11.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,ebc3a15d-7af9-43d7-d4b8-08d90a54161c,ebc3a15d-7af9-43d7-d4b8-08d90a54161c,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:07.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,,,,,,,,,,,,,,"Restricted ViewViewListItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, ViewItemsRequiresOpen",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,277c2f29-b918-4d70-8da0-08d90a54139c,277c2f29-b918-4d70-8da0-08d90a54139c,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:07.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedViewViewListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,ff8a20e8-4509-4332-c917-08d90a541397,ff8a20e8-4509-4332-c917-08d90a541397,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:07.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedEditViewListItems, AddListItems, EditListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,a275cf54-d8f7-4dce-2b5c-08d90a54139a,a275cf54-d8f7-4dce-2b5c-08d90a54139a,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:06.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/_layouts/15/sharedialog.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,d7f3dec2-ece8-4b3b-413d-08d90a541304,d7f3dec2-ece8-4b3b-413d-08d90a541304,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,dc1d317c-fde8-49ec-fa8a-08d90a541253,dc1d317c-fde8-49ec-fa8a-08d90a541253,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,17211a9a-6f1d-4384-6305-08d90a54125e,17211a9a-6f1d-4384-6305-08d90a54125e,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,63e418f2-408b-45c9-750b-08d90a541265,63e418f2-408b-45c9-750b-08d90a541265,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 
PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,1ec86e06-b3d3-432a-e9ce-08d90a54125d,1ec86e06-b3d3-432a-e9ce-08d90a54125d,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,8c2300d9-72bc-49ca-ed9e-08d90a5412c3,8c2300d9-72bc-49ca-ed9e-08d90a5412c3,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,ebbe74eb-4e9e-44a2-8691-08d90a541255,ebbe74eb-4e9e-44a2-8691-08d90a541255,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/salesandmarketing/siteassets/salesandmarketing.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,siteassets,siteassets,salesandmarketing.png,salesandmarketing.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,ae41ad25-b50d-4b39-946c-08d90a54128f,ae41ad25-b50d-4b39-946c-08d90a54128f,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,abf8d286-f125-400a-434c-08d90a541223,abf8d286-f125-400a-434c-08d90a541223,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 
PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,730efc8c-1424-499c-a8bf-08d90a5411c8,730efc8c-1424-499c-a8bf-08d90a5411c8,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e9742edd-302c-45fc-62b9-08d90a5411cf,e9742edd-302c-45fc-62b9-08d90a5411cf,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,68423f49-0574-4d5c-525e-08d90a5411dc,68423f49-0574-4d5c-525e-08d90a5411dc,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 
2:53:20.000 PM",,,,,,,OfficeActivityManager,0f67a031-f4a7-4633-c5cc-08d90a541210,0f67a031-f4a7-4633-c5cc-08d90a541210,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:03.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/hr/siteassets/hr.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,siteassets,siteassets,hr.png,hr.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,977a227c-6321-4420-f5c2-08d90a5411ad,977a227c-6321-4420-f5c2-08d90a5411ad,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:03.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/siteassets/operations.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,../Operations/siteassets,../Operations/siteassets,operations.jpg,operations.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,930fe169-3168-4a86-2acc-08d90a5411a1,930fe169-3168-4a86-2acc-08d90a5411a1,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:03.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e1ca2031-efca-4b37-ca62-08d90a541174,e1ca2031-efca-4b37-ca62-08d90a541174,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:02.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,eedd7ec5-3367-4c4e-8421-08d90a5410f1,eedd7ec5-3367-4c4e-8421-08d90a5410f1,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:01.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/_layouts/15/onedrive.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,c3b6a4ad-c245-4161-139a-08d90a541026,c3b6a4ad-c245-4161-139a-08d90a541026,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:38:20.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/b887b6b2-4dcf-34fc-98b1-d5a42c605755,app@sharepoint,app@sharepoint,40.77.66.240,40.77.66.240,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,0d31156c-d0f2-4cf0-d8dc-08d90a534509,0d31156c-d0f2-4cf0-d8dc-08d90a534509,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,36,"4/28/2021, 2:38:20.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c,app@sharepoint,app@sharepoint,40.77.66.240,40.77.66.240,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,189e8ae5-b55f-4467-9da2-08d90a53450e,189e8ae5-b55f-4467-9da2-08d90a53450e,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:38:20.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/617f8947-74b2-36bc-9f7e-21ded7029bb5,app@sharepoint,app@sharepoint,40.77.66.240,40.77.66.240,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,19a0527b-8b90-4a02-762b-08d90a534507,19a0527b-8b90-4a02-762b-08d90a534507,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficeWordWRS,SharePointFileOperation,"4/28/2021, 2:36:07.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,104.146.232.173,104.146.232.173,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,af10cbdb-ce72-439b-8cf1-08d90a52f5a5,af10cbdb-ce72-439b-8cf1-08d90a52f5a5,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:36:06.000 
PM",FileDownloaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.184.242.64,52.184.242.64,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,61dc5a79-7d18-4abf-3ead-08d90a52f4d4,61dc5a79-7d18-4abf-3ead-08d90a52f4d4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:36:05.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,7e92f739-fcc3-4a9c-969a-08d90a52f48e,7e92f739-fcc3-4a9c-969a-08d90a52f48e,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:36:04.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.108.79.45,52.108.79.45,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,7f562b2f-5160-4a93-bebb-08d90a52f3c7,7f562b2f-5160-4a93-bebb-08d90a52f3c7,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:36:03.000 PM",FileModifiedExtended,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.108.79.45,52.108.79.45,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,78827ca2-7cb2-4203-9c44-19364e7fdafc,78827ca2-7cb2-4203-9c44-19364e7fdafc,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows 
NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:56.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/OfficeExtensionManager.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0a3d02a4-3267-44ce-b358-08d90a52eedc,0a3d02a4-3267-44ce-b358-08d90a52eedc,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:35:51.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,104.45.184.177,104.45.184.177,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,41e78588-bebf-4d18-27d0-08d90a52ec34,41e78588-bebf-4d18-27d0-08d90a52ec34,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 
2:35:49.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,83374c4f-eaa0-459a-01ef-08d90a52eb02,83374c4f-eaa0-459a-01ef-08d90a52eb02,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:49.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,284a81e3-e8ed-426f-ce9b-08d90a52eae2,284a81e3-e8ed-426f-ce9b-08d90a52eae2,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:35:47.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,74b7686d-8585-4ad1-c2a0-08d90a52e9a2,74b7686d-8585-4ad1-c2a0-08d90a52e9a2,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:35:47.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,f4171818-c9eb-4b31-9bfe-08d90a52e99b,f4171818-c9eb-4b31-9bfe-08d90a52e99b,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 
2:35:47.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,41c1aff3-41f6-4122-382a-08d90a52e9b8,41c1aff3-41f6-4122-382a-08d90a52e9b8,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:35:45.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,c1de6dfb-867c-46d5-1876-08d90a52e85f,c1de6dfb-867c-46d5-1876-08d90a52e85f,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:44.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Forms/AllItems.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,97c7e8a7-84a4-4980-ef0b-08d90a52e837,97c7e8a7-84a4-4980-ef0b-08d90a52e837,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:44.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/_layouts/15/listhost.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9ec5c14c-a43f-441c-c670-08d90a52e7fa,9ec5c14c-a43f-441c-c670-08d90a52e7fa,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:36.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Annotated Litware Contract.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Annotated Litware Contract.docx,Annotated Litware Contract.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,35f1379d-1ffb-4acf-488c-08d90a52e2f1,35f1379d-1ffb-4acf-488c-08d90a52e2f1,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:36.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/Piggy-Bank.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,Piggy-Bank.jpg,Piggy-Bank.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ec005006-0eac-46ce-7176-08d90a52e2f4,ec005006-0eac-46ce-7176-08d90a52e2f4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:36.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Computer Systems Information.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Computer Systems Information.pptx,Computer Systems Information.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,df8ba47d-8d80-4d6c-0ca9-08d90a52e300,df8ba47d-8d80-4d6c-0ca9-08d90a52e300,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/HardwareUpdates.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,HardwareUpdates.jpg,HardwareUpdates.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 
2:43:18.000 PM",,,,,,,OfficeActivityManager,45f2f319-0c9b-4a8b-1b44-08d90a52e2a4,45f2f319-0c9b-4a8b-1b44-08d90a52e2a4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Denver Legislative Codes.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Denver Legislative Codes.docx,Denver Legislative Codes.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,13250b83-2fe3-4342-30be-08d90a52e2c6,13250b83-2fe3-4342-30be-08d90a52e2c6,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile 
Pictures/MeganB_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,MeganB_M365x816222_OnMicrosoft_com_SThumb.jpg,MeganB_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,de265f0c-c147-4b38-b222-08d90a52e2b7,de265f0c-c147-4b38-b222-08d90a52e2b7,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,d3752358-8b59-4d44-23d7-08d90a52e2ab,d3752358-8b59-4d44-23d7-08d90a52e2ab,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/HR.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,HR.png,HR.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0656d2ff-17d7-451a-1deb-08d90a52e264,0656d2ff-17d7-451a-1deb-08d90a52e264,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/legal.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,legal.jpg,legal.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,bf79bd1b-aee6-4923-cc92-08d90a52e26d,bf79bd1b-aee6-4923-cc92-08d90a52e26d,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/SurfaceDevices.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,SurfaceDevices.png,SurfaceDevices.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,7b819fde-84f0-4878-0d2c-08d90a52e2dd,7b819fde-84f0-4878-0d2c-08d90a52e2dd,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/downtown-denver.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,downtown-denver.jpg,downtown-denver.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,73769e6b-6a5d-4c39-fc34-08d90a52e2ca,73769e6b-6a5d-4c39-fc34-08d90a52e2ca,,,"4/28/2021, 2:43:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:34.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/finance.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,finance.jpg,finance.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,e35ebb4b-bbf4-447b-9fd5-08d90a52e24c,e35ebb4b-bbf4-447b-9fd5-08d90a52e24c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:34.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/productsupport.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,productsupport.jpg,productsupport.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,523297d1-0bcf-4628-d7a7-08d90a52e24c,523297d1-0bcf-4628-d7a7-08d90a52e24c,,,"4/28/2021, 2:48:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PradeepG_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PradeepG_M365x816222_OnMicrosoft_com_LThumb.jpg,PradeepG_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,8b9543e3-3101-4a7f-bf17-08d90a52e19d,8b9543e3-3101-4a7f-bf17-08d90a52e19d,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AllanD_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User 
Photos/Profile Pictures,User Photos/Profile Pictures,AllanD_M365x816222_OnMicrosoft_com_LThumb.jpg,AllanD_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,85d68a60-a017-4a9e-1658-08d90a52e15b,85d68a60-a017-4a9e-1658-08d90a52e15b,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/SurfaceDevices.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,SurfaceDevices.png,SurfaceDevices.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,47ba6784-9fe9-4704-35bd-08d90a52e197,47ba6784-9fe9-4704-35bd-08d90a52e197,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/HardwareUpdates.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,HardwareUpdates.jpg,HardwareUpdates.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,2b3289b2-3368-401a-a8bf-08d90a52e1a6,2b3289b2-3368-401a-a8bf-08d90a52e1a6,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/User-NestorW.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,User-NestorW.jpg,User-NestorW.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,f7e79b8b-20dd-4c70-8aec-08d90a52e139,f7e79b8b-20dd-4c70-8aec-08d90a52e139,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/JoniS_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,JoniS_M365x816222_OnMicrosoft_com_LThumb.jpg,JoniS_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,be7f9269-95ad-4713-41a7-08d90a52e1a8,be7f9269-95ad-4713-41a7-08d90a52e1a8,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/Expense-Notes.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,Expense-Notes.jpg,Expense-Notes.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,8449887f-5944-47c0-9798-08d90a52e199,8449887f-5944-47c0-9798-08d90a52e199,,,"4/28/2021, 
2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/User-AllanD.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,User-AllanD.jpg,User-AllanD.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,328dcb24-45a2-4dc9-821a-08d90a52e16e,328dcb24-45a2-4dc9-821a-08d90a52e16e,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/Piggy-Bank.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,Piggy-Bank.jpg,Piggy-Bank.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,67b6d5f8-09d9-4d96-35b2-08d90a52e182,67b6d5f8-09d9-4d96-35b2-08d90a52e182,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AlexW_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AlexW_M365x816222_OnMicrosoft_com_LThumb.jpg,AlexW_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,1f4e50d7-65d7-4efc-cf61-08d90a52e19c,1f4e50d7-65d7-4efc-cf61-08d90a52e19c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:31.000 
PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9c2f87a8-9ff9-45cf-a7e2-08d90a52e010,9c2f87a8-9ff9-45cf-a7e2-08d90a52e010,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:31.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/_catalogs/theme/Themed/6D9736C8/theme.spcolor,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,_catalogs/theme/Themed/6D9736C8,_catalogs/theme/Themed/6D9736C8,theme.spcolor,theme.spcolor,spcolor,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,c2b25706-d1fb-4414-f6e5-08d90a52e018,c2b25706-d1fb-4414-f6e5-08d90a52e018,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 
2:35:31.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ec75c2be-72d3-424f-dfd0-08d90a52e082,ec75c2be-72d3-424f-dfd0-08d90a52e082,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:30.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0ba8ab86-1251-4db9-fb87-08d90a52dfd6,0ba8ab86-1251-4db9-fb87-08d90a52dfd6,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/NestorW_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,NestorW_M365x816222_OnMicrosoft_com_LThumb.jpg,NestorW_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,09b997ed-414f-40c8-414c-08d90a52dd34,09b997ed-414f-40c8-414c-08d90a52dd34,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PattiF_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PattiF_M365x816222_OnMicrosoft_com_LThumb.jpg,PattiF_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,91c8fcd4-6226-4219-1124-08d90a52dd61,91c8fcd4-6226-4219-1124-08d90a52dd61,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/adelev_m365x816222_onmicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,adelev_m365x816222_onmicrosoft_com_LThumb.jpg,adelev_m365x816222_onmicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,343cc3be-e70f-407f-0226-08d90a52dd33,343cc3be-e70f-407f-0226-08d90a52dd33,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile 
Pictures/DiegoS_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,DiegoS_M365x816222_OnMicrosoft_com_LThumb.jpg,DiegoS_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,6390286e-9a3d-4f19-98ee-08d90a52dd1c,6390286e-9a3d-4f19-98ee-08d90a52dd1c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:25.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/SiteAssets/How-to-design.jpeg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,SiteAssets,SiteAssets,How-to-design.jpeg,How-to-design.jpeg,jpeg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,982e3ca7-b7ae-4bf4-b4db-08d90a52dcdd,982e3ca7-b7ae-4bf4-b4db-08d90a52dcdd,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:25.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/SiteAssets/getpreview.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,SiteAssets,SiteAssets,getpreview.jpg,getpreview.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,9c892b91-23be-4f73-c8a9-08d90a52dce7,9c892b91-23be-4f73-c8a9-08d90a52dce7,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:24.000 PM",FileVersionsAllDeleted,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,S-1-0-0,SharePoint,,,https://m365x816222.sharepoint.com/sites/Work/_catalogs/hubsite/a8529422-33db-4250-bece-f955b0d46788-1033.json,SHAREPOINT\system,SHAREPOINT\system,175.45.176.99,175.45.176.99,,a8529422-33db-4250-bece-f955b0d46788,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Work/,https://m365x816222.sharepoint.com/sites/Work/,_catalogs/hubsite,_catalogs/hubsite,a8529422-33db-4250-bece-f955b0d46788-1033.json,a8529422-33db-4250-bece-f955b0d46788-1033.json,json,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,fd359f60-40ca-41d0-2003-08d90a52dc1b,fd359f60-40ca-41d0-2003-08d90a52dc1b,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:24.000 PM",FileVersionsAllDeleted,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,S-1-0-0,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/_catalogs/hubsite/a8529422-33db-4250-bece-f955b0d46788-1033.json,SHAREPOINT\system,SHAREPOINT\system,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,_catalogs/hubsite,_catalogs/hubsite,a8529422-33db-4250-bece-f955b0d46788-1033.json,a8529422-33db-4250-bece-f955b0d46788-1033.json,json,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,1bd13ef0-061e-4e9f-0910-08d90a52dc46,1bd13ef0-061e-4e9f-0910-08d90a52dc46,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:24.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/_catalogs/theme/Themed/6D9736C8/theme.spcolor,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,_catalogs/theme/Themed/6D9736C8,_catalogs/theme/Themed/6D9736C8,theme.spcolor,theme.spcolor,spcolor,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,088a9411-c18d-426d-f540-08d90a52dbc1,088a9411-c18d-426d-f540-08d90a52dbc1,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:24.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,f5d0b284-bebb-4b22-267a-08d90a52dbf1,f5d0b284-bebb-4b22-267a-08d90a52dbf1,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:23.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,d8c31616-acab-460b-ea64-08d90a52db94,d8c31616-acab-460b-ea64-08d90a52db94,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:23.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,6ec7f303-36bd-460c-80c9-08d90a52dbb2,6ec7f303-36bd-460c-80c9-08d90a52dbb2,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:22.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/admin_m365x816222_onmicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,admin_m365x816222_onmicrosoft_com_SThumb.jpg,admin_m365x816222_onmicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,22827908-7ec4-47ca-31f6-08d90a52db1e,22827908-7ec4-47ca-31f6-08d90a52db1e,,,"4/28/2021, 2:43:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:22.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9aa6dc01-2536-4908-997d-08d90a52da92,9aa6dc01-2536-4908-997d-08d90a52da92,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:21.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Retail,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,df982fae-217f-4cc3-9599-4516027e6db3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,47a86431-56e6-4194-a440-08d90a52da5f,47a86431-56e6-4194-a440-08d90a52da5f,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:20.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Meeting.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Meeting.jpg,Meeting.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,60e0ede9-a9ec-4149-0080-08d90a52d9d3,60e0ede9-a9ec-4149-0080-08d90a52d9d3,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:20.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/breather.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,breather.jpg,breather.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9f07a0c3-163b-44e0-3dd8-08d90a52d9c3,9f07a0c3-163b-44e0-3dd8-08d90a52d9c3,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:20.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/SiteAssets/NewVPN.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,SiteAssets,SiteAssets,NewVPN.jpg,NewVPN.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,c7132cbe-0f0a-4bf2-3584-08d90a52d9d9,c7132cbe-0f0a-4bf2-3584-08d90a52d9d9,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:34:23.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/office_activity_inbox_rule.csv,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,office_activity_inbox_rule.csv,office_activity_inbox_rule.csv,csv,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,fb4f8817-f8a0-4a1d-e0a7-08d90a52b7d4,fb4f8817-f8a0-4a1d-e0a7-08d90a52b7d4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:34:06.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/office_activity_inbox_rule.csv,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,40.126.35.152,40.126.35.152,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,office_activity_inbox_rule.csv,office_activity_inbox_rule.csv,csv,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,e0d29b8f-e1d6-4d63-1287-08d90a52ad85,e0d29b8f-e1d6-4d63-1287-08d90a52ad85,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:40.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/tvwh58kk.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SitePages,SitePages,tvwh58kk.aspx,tvwh58kk.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,8112fc68-2aec-40ae-d77c-08d90a529e3c,8112fc68-2aec-40ae-d77c-08d90a529e3c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:33:37.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/02978ea5-6005-4b42-b97e-beb977001d59,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,7f7ecfad-fc1c-4e32-10ad-08d90a529c32,7f7ecfad-fc1c-4e32-10ad-08d90a529c32,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:33:37.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/02978ea5-6005-4b42-b97e-beb977001d59,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ddcc1ded-ba79-46f5-fdaf-08d90a529c1e,ddcc1ded-ba79-46f5-fdaf-08d90a529c1e,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:33:37.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/02978ea5-6005-4b42-b97e-beb977001d59,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,b9a3de44-c0f3-4101-3561-08d90a529c58,b9a3de44-c0f3-4101-3561-08d90a529c58,,,"4/28/2021, 2:43:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:35.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/tvwh58kk.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SitePages,SitePages,tvwh58kk.aspx,tvwh58kk.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,a288a713-92cd-4d2d-44ca-08d90a529af0,a288a713-92cd-4d2d-44ca-08d90a529af0,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:32.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/adelev_m365x816222_onmicrosoft_com_MThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile 
Pictures,adelev_m365x816222_onmicrosoft_com_MThumb.jpg,adelev_m365x816222_onmicrosoft_com_MThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0721b2af-329b-4f27-6896-08d90a529905,0721b2af-329b-4f27-6896-08d90a529905,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:33:29.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/_layouts/15/sitepagepreview.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,794cd399-90a1-4124-09a4-08d90a529735,794cd399-90a1-4124-09a4-08d90a529735,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:26.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Drone.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Drone.jpg,Drone.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ca2bb736-3a7a-4175-4cf7-08d90a5295b7,ca2bb736-3a7a-4175-4cf7-08d90a5295b7,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:33:25.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Drone.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Drone.jpg,Drone.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,31b4a077-277c-4b68-f22d-08d90a529500,31b4a077-277c-4b68-f22d-08d90a529500,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 
2:33:23.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/_catalogs/theme/Themed/6D9736C8/theme.spcolor,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,_catalogs/theme/Themed/6D9736C8,_catalogs/theme/Themed/6D9736C8,theme.spcolor,theme.spcolor,spcolor,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,32dce92e-61b7-4cdc-0658-08d90a5293ab,32dce92e-61b7-4cdc-0658-08d90a5293ab,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:33:23.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,224a7e99-2225-4b4f-779c-08d90a52941d,224a7e99-2225-4b4f-779c-08d90a52941d,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeAdmin,"4/28/2021, 2:33:14.000 
PM",New-InboxRule,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,10032000C757D25F,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/M365x816222.onmicrosoft.com/AdeleV\junk,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99:17362,175.45.176.99:17362,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""AlwaysDeleteOutlookRulesBlob"", + ""Value"": ""False"" + }, + { + ""Name"": ""Force"", + ""Value"": ""False"" + }, + { + ""Name"": ""Name"", + ""Value"": ""junk"" + }, + { + ""Name"": ""SubjectContainsWords"", + ""Value"": ""legal"" + }, + { + ""Name"": ""PinMessage"", + ""Value"": ""True"" + }, + { + ""Name"": ""StopProcessingRules"", + ""Value"": ""True"" + } +]",FALSE,MWHPR06MB3440 (15.20.4065.028),M365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,5fe96415-d129-4e4b-64b7-08d90a528ec7,5fe96415-d129-4e4b-64b7-08d90a528ec7,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,50,"4/28/2021, 2:32:47.000 PM",MailItemsAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,"[ + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + } + ], + ""Id"": 
""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + } +]",,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,82090d3a-0ed7-4bb6-8fc4-330415f4808d,82090d3a-0ed7-4bb6-8fc4-330415f4808d,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""Value"":""Bind"",""Name"":""MailAccessType""},{""Value"":""False"",""Name"":""IsThrottled""}]",,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:32:47.000 PM",Update,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99,175.45.176.99,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,,,"{ + ""Attachments"": ""Northwind CEO.jpg (834476b); Northwind Financials.xlsx (16711b); Northwind Acquisition Outline.pptx (842521b); Northwind Acquisition Proposal.docx (104356b)"", + ""Id"": ""RgAAAAC4lQ2Ye4hSS4if7gF6ji8JBwA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAA45WDUjdASSYqMiyC3ZEqOAAAAM0XUAAAJ"", + ""InternetMessageId"": """", + ""IsRecord"": false, + ""ParentFolder"": { + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + ""Subject"": ""Northwind Acquisition Details"" +}","[ + ""AttachmentCollection"" +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,b4f857db-dc5e-4781-7557-08d90a527ebf,b4f857db-dc5e-4781-7557-08d90a527ebf,,,"4/28/2021, 2:41:58.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:32:44.000 PM",Send,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99,175.45.176.99,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,,,"{ + ""Id"": ""RgAAAAC4lQ2Ye4hSS4if7gF6ji8JBwA45WDUjdASSYqMiyC3ZEqOAAAAAAEPAAA45WDUjdASSYqMiyC3ZEqOAADT/RnWAAAJ"", + ""InternetMessageId"": """", + ""ParentFolder"": { + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEPAAAB"", + ""Path"": ""\\Drafts"" + }, + ""Subject"": ""email from HR"" +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,c8b6ba59-89e6-43f7-8e10-08d90a527ca9,c8b6ba59-89e6-43f7-8e10-08d90a527ca9,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:30:58.000 PM",MemberAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Application,62b732f7-fc71-40bc-b27d-35efcb0509de,MicrosoftTeams,,,,Microsoft Teams Sync,Microsoft Teams Sync,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:37:21.000 PM",,,,,,,OfficeActivityManager,2c375d38-2410-5b98-81bf-c25d47d06855,2c375d38-2410-5b98-81bf-c25d47d06855,,,"4/28/2021, 2:37:21.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,"[{""DisplayName"":""JohnS"",""Role"":2,""UPN"":""JohnS@m365x816222.onmicrosoft.com""}]",Contoso,19:eedd8dfb45a54bd691d019e15ae19096@thread.tacv2,,,,[],,,,,,,Contoso,,,Team,6fa90788-d066-47c9-90e4-5ad27625d45f,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:53.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,aad56edf-bda3-4c84-0c6e-08d90a523a69,aad56edf-bda3-4c84-0c6e-08d90a523a69,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Retail,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,df982fae-217f-4cc3-9599-4516027e6db3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,b933e9b5-9774-4772-d0cf-08d90a5237d6,b933e9b5-9774-4772-d0cf-08d90a5237d6,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,a372912e-bb3c-4ecb-53b2-08d90a52385c,a372912e-bb3c-4ecb-53b2-08d90a52385c,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/2020-Campus-remodel-updates.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,17833927-5988-4384-7847-08d90a5237f2,17833927-5988-4384-7847-08d90a5237f2,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Retail,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,df982fae-217f-4cc3-9599-4516027e6db3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,9c00decc-aac6-4286-01d9-08d90a52385a,9c00decc-aac6-4286-01d9-08d90a52385a,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/Consumer-drone-series-product-training.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,ac41d886-097d-4304-82e7-08d90a5237e7,ac41d886-097d-4304-82e7-08d90a5237e7,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,060797cd-4b54-476c-e594-08d90a523807,060797cd-4b54-476c-e594-08d90a523807,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:48.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/MiriamG_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,MiriamG_M365x816222_OnMicrosoft_com_SThumb.jpg,MiriamG_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,f9cc8d43-344e-4cef-3857-08d90a52379a,f9cc8d43-344e-4cef-3857-08d90a52379a,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:48.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AllanD_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AllanD_M365x816222_OnMicrosoft_com_SThumb.jpg,AllanD_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 
PM",,,,,,,OfficeActivityManager,e5e894cd-e37f-4b12-07f9-08d90a5237a0,e5e894cd-e37f-4b12-07f9-08d90a5237a0,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PattiF_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PattiF_M365x816222_OnMicrosoft_com_SThumb.jpg,PattiF_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,f205f3da-b058-412c-42ca-08d90a52373d,f205f3da-b058-412c-42ca-08d90a52373d,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/SiteAssets/flags.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,SiteAssets,SiteAssets,flags.jpg,flags.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,15d77064-d12a-414a-548b-08d90a5236d5,15d77064-d12a-414a-548b-08d90a5236d5,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PradeepG_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PradeepG_M365x816222_OnMicrosoft_com_SThumb.jpg,PradeepG_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,0bd50c6c-c3c5-4c77-8873-08d90a52372d,0bd50c6c-c3c5-4c77-8873-08d90a52372d,,,"4/28/2021, 2:38:19.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/SiteAssets/NewVPN.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,SiteAssets,SiteAssets,NewVPN.jpg,NewVPN.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,03c5eb7d-4838-49b6-84c6-08d90a5236fb,03c5eb7d-4838-49b6-84c6-08d90a5236fb,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/breather.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,breather.jpg,breather.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 
2:38:19.000 PM",,,,,,,OfficeActivityManager,b6ad60a5-0c8c-4b2f-d7bd-08d90a523667,b6ad60a5-0c8c-4b2f-d7bd-08d90a523667,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/mentorship.jpeg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,mentorship.jpeg,mentorship.jpeg,jpeg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,1f03fdcd-29fb-4764-dffc-08d90a52369f,1f03fdcd-29fb-4764-dffc-08d90a52369f,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Drone.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Drone.jpg,Drone.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,44109e61-dcf4-456b-c106-08d90a52365a,44109e61-dcf4-456b-c106-08d90a52365a,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Meeting.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Meeting.jpg,Meeting.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,ae3b851e-a3f8-4ca4-cdc5-08d90a52364f,ae3b851e-a3f8-4ca4-cdc5-08d90a52364f,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:39.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,75efa127-a286-4069-0e19-08d90a523263,75efa127-a286-4069-0e19-08d90a523263,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:38.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/sharepoint.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,0da0829c-5897-4773-a4b6-08d90a52318b,0da0829c-5897-4773-a4b6-08d90a52318b,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:18.000 
PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/first_day_in_org.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,first_day_in_org.docx,first_day_in_org.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,8d2d88ac-12fd-4d62-b532-08d90a5225b3,8d2d88ac-12fd-4d62-b532-08d90a5225b3,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:16.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/first_day_in_org.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,first_day_in_org.docx,first_day_in_org.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,da0c7a1b-506a-4f7a-0e10-08d90a5224ab,da0c7a1b-506a-4f7a-0e10-08d90a5224ab,,,"4/28/2021, 2:38:19.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,SharePointFileOperation,"4/28/2021, 2:30:15.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/first_day_in_org.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.114.128.197,52.114.128.197,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,first_day_in_org.docx,first_day_in_org.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,af2040ab-233a-4134-919c-08d90a5223cc,af2040ab-233a-4134-919c-08d90a5223cc,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:29:56.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,6fe14943-2149-440b-5fc0-08d90a52184a,6fe14943-2149-440b-5fc0-08d90a52184a,,,"4/28/2021, 2:38:19.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:29:56.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/Forms/AllItems.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,9a32207a-90c7-4aba-ead3-08d90a521872,9a32207a-90c7-4aba-ead3-08d90a521872,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItemGroup,"4/28/2021, 2:29:22.000 PM",MoveToDeletedItems,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99,175.45.176.99,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,"{ + ""Id"": 
""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" +}",,,,,,"{ + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEKAAAB"", + ""Path"": ""\\Deleted Items"" +}",,"[ + { + ""Attachments"": ""f339bfc4-d87d-4f3c-a7a1-d0d1a07d105d (3328b); 6329babb-2d4f-47d3-8a76-edcf5fc25644 (1805b); 7f8360ca-631b-4ca5-923c-72437006e5a0 (2242b); 405f2be0-ec95-41d3-95c4-4a21b8ef64b2 (5586b); e6eda73f-9b43-42b8-a6c0-c3d88a9cb412 (3838b)"", + ""Id"": ""RgAAAAC4lQ2Ye4hSS4if7gF6ji8JBwA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAA45WDUjdASSYqMiyC3ZEqOAADT/M9uAAAJ"", + ""InternetMessageId"": """", + ""ParentFolder"": { + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + ""Subject"": ""JohnS shared \""Document\"" with you."" + } +]",,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,8ad5ae00-73a9-41e5-c35d-08d90a520461,8ad5ae00-73a9-41e5-c35d-08d90a520461,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,50,"4/28/2021, 2:29:15.000 PM",MailItemsAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,"[ + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { 
+ ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + } + ], + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + } +]",,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,987a6a22-4008-4682-bf04-fccf5e7e6d6c,987a6a22-4008-4682-bf04-fccf5e7e6d6c,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""Value"":""Bind"",""Name"":""MailAccessType""},{""Value"":""False"",""Name"":""IsThrottled""}]",00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficeWordCA,SharePointFileOperation,"4/28/2021, 2:28:02.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,77683faa-288c-4f3a-cc73-08d90a51d469,77683faa-288c-4f3a-cc73-08d90a51d469,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:28:01.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,f54d7c8b-9d8a-4bc4-17e5-08d90a51d407,f54d7c8b-9d8a-4bc4-17e5-08d90a51d407,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:23:54.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/Windows Event Filtering Preview Document (1).pdf,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,Windows Event Filtering Preview Document (1).pdf,Windows Event Filtering Preview Document (1).pdf,pdf,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f0e5919a-5f47-48bd-6764-08d90a5140e9,f0e5919a-5f47-48bd-6764-08d90a5140e9,,,"4/28/2021, 2:33:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,SharePointFileOperation,"4/28/2021, 2:23:48.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/Windows Event Filtering Preview Document (1).pdf,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.193,52.114.159.193,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,Windows Event Filtering Preview Document (1).pdf,Windows Event Filtering Preview Document (1).pdf,pdf,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,116819de-25f5-43ec-9d39-08d90a513d29,116819de-25f5-43ec-9d39-08d90a513d29,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:23:38.000 PM",TeamSettingChanged,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Application,,MicrosoftTeams,,,,Application,Application,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:22.000 PM",,,,,,,OfficeActivityManager,054bf48c-9728-4e32-b3ce-431d1707b35a,054bf48c-9728-4e32-b3ce-431d1707b35a,,,"4/28/2021, 2:32:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,,,,,Team description,,teams-public,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802/0c5e0085-eb30-494b-9cdd-ece1d3c649a2,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,cdcaaf0a-f303-4f9a-e6da-08d90a512c18,cdcaaf0a-f303-4f9a-e6da-08d90a512c18,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/0c5e0085-eb30-494b-9cdd-ece1d3c649a2,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f4c92fc1-81a7-443a-fb05-08d90a512c0c,f4c92fc1-81a7-443a-fb05-08d90a512c0c,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/03e45e84-1992-4d42-9116-26f756012634,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,0a9856e7-f6d8-466b-bfab-08d90a512c11,0a9856e7-f6d8-466b-bfab-08d90a512c11,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802/39360f11-34cf-4356-9945-25c44e68dade,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,b4070979-3493-4562-847e-08d90a512c16,b4070979-3493-4562-847e-08d90a512c16,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/39360f11-34cf-4356-9945-25c44e68dade,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,d8f6d8e0-ab02-4f24-0f4f-08d90a512c01,d8f6d8e0-ab02-4f24-0f4f-08d90a512c01,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802/03e45e84-1992-4d42-9116-26f756012634,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,64c12ba5-1790-4e33-ac78-08d90a512c1d,64c12ba5-1790-4e33-ac78-08d90a512c1d,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:23:16.000 
PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,36637dd5-fc8a-4e1f-b60f-08d90a512a34,36637dd5-fc8a-4e1f-b60f-08d90a512a34,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:23:16.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/Forms/AllItems.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,4575ae3b-b5eb-42b8-0284-08d90a512a62,4575ae3b-b5eb-42b8-0284-08d90a512a62,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,36,"4/28/2021, 2:23:15.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,474db61f-5a11-4e5e-c827-08d90a5129a4,474db61f-5a11-4e5e-c827-08d90a5129a4,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,36,"4/28/2021, 2:23:15.000 PM",ListCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/SiteAssets,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,30d220fc-498b-4c53-1b7c-08d90a512956,30d220fc-498b-4c53-1b7c-08d90a512956,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,56,"4/28/2021, 2:23:13.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,28249322-f441-4256-8e98-08d90a512849,28249322-f441-4256-8e98-08d90a512849,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,SharePointFileOperation,"4/28/2021, 2:23:12.000 PM",FolderCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Folder,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents,Shared Documents,General,General,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,28eed7ae-ebd4-44cd-aa31-08d90a5127a2,28eed7ae-ebd4-44cd-aa31-08d90a5127a2,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:23:12.000 
PM",MemberAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,MicrosoftTeams,,,,JohnS@m365x816222.onmicrosoft.com,JohnS@m365x816222.onmicrosoft.com,52.114.159.193,52.114.159.193,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:37:21.000 PM",,,,,,,OfficeActivityManager,d8f1008f-25c5-5922-ab51-9da675ab9305,d8f1008f-25c5-5922-ab51-9da675ab9305,,,"4/28/2021, 2:37:21.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,"[{""DisplayName"":""Adele Vance"",""Role"":1,""UPN"":""AdeleV@M365x816222.OnMicrosoft.com""}]",teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,[],,,,,,,teams-public,,,Team,94c578e8-d0f4-41ef-83d2-be2a76a1400f,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:23:06.000 PM",ModifyFolderPermissions,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,S-1-5-18,Exchange,Succeeded,Succeeded,,S-1-5-18,S-1-5-18,::1,::1,,,,,,,,,,,,,,,,,,,,,,,,TRUE,"SJ0PR06MB6863 (15.20.4065.027) +",M365x816222.onmicrosoft.com,Admin,1,f1372c66-dab0-45f8-87df-5e742c5bd903,teams-public@M365x816222.onmicrosoft.com,S-1-5-21-430410588-604023349-2071471134-42767878,S-1-5-10,S-1-5-18,,Client=WebServices;Action=ConfigureGroupMailbox,::1,,,,,,,,,,,,,"{ + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""ParentFolder"": { + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""MemberRights"": ""ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed"", + ""MemberSid"": ""S-1-8-4046924902-1173936816-1952374663-64576300-0"", + ""MemberUpn"": ""Owner@local"", + ""Name"": ""Calendar"", + ""Path"": ""\\Calendar"" + } +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,16509af4-82ea-4c4f-0a65-08d90a512428,16509af4-82ea-4c4f-0a65-08d90a512428,,,"4/28/2021, 2:32:02.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:23:06.000 PM",ModifyFolderPermissions,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,S-1-5-18,Exchange,Succeeded,Succeeded,,S-1-5-18,S-1-5-18,::1,::1,,,,,,,,,,,,,,,,,,,,,,,,TRUE,"SJ0PR06MB6863 (15.20.4065.027) +",M365x816222.onmicrosoft.com,Admin,1,f1372c66-dab0-45f8-87df-5e742c5bd903,teams-public@M365x816222.onmicrosoft.com,S-1-5-21-430410588-604023349-2071471134-42767878,S-1-5-10,S-1-5-18,,Client=WebServices;Action=ConfigureGroupMailbox,::1,,,,,,,,,,,,,"{ + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""ParentFolder"": { + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""MemberRights"": ""ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed"", + ""MemberSid"": ""S-1-8-4046924902-1173936816-1952374663-64576300-1"", + ""MemberUpn"": ""Member@local"", + ""Name"": ""Calendar"", + ""Path"": ""\\Calendar"" + } +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,8e40642e-e06b-4eb5-0a65-08d90a512428,8e40642e-e06b-4eb5-0a65-08d90a512428,,,"4/28/2021, 2:32:02.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:23:05.000 PM",Create,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,S-1-5-18,Exchange,Succeeded,Succeeded,,S-1-5-18,S-1-5-18,::1,::1,,,,,,,,,,,,,,,,,,,,,,,,TRUE,"SJ0PR06MB6863 (15.20.4065.027) +",M365x816222.onmicrosoft.com,Admin,1,f1372c66-dab0-45f8-87df-5e742c5bd903,teams-public@M365x816222.onmicrosoft.com,S-1-5-21-430410588-604023349-2071471134-42767878,S-1-5-10,S-1-5-18,,Client=WebServices;Action=ConfigureGroupMailbox,::1,,,,,,,,,,,,,"{ + ""Attachments"": ""warming_email_03_2017_calendar.png (646b); 
warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)"", + ""Id"": ""RgAAAACRWujRwNJ9RKSKOkph68UvBwDQUEVAC21wS7ULV3upjkXiAAAAAAEMAADQUEVAC21wS7ULV3upjkXiAAAAAAk9AAAJ"", + ""InternetMessageId"": """", + ""IsRecord"": false, + ""ParentFolder"": { + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + ""Subject"": ""The new teams-public group is ready"" +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,f4c49b0a-a982-434b-9901-08d90a512382,f4c49b0a-a982-434b-9901-08d90a512382,,,"4/28/2021, 2:32:02.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:05.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Members,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,c927aff1-50c9-4ceb-a7e0-08d90a51234c,c927aff1-50c9-4ceb-a7e0-08d90a51234c,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,Everyone except external users,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Members,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,84e64a2a-9307-4cbd-e7bc-08d90a5122ea,84e64a2a-9307-4cbd-e7bc-08d90a5122ea,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,teams-public Members,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,e0f6f4be-eb10-4d23-83fa-08d90a512307,e0f6f4be-eb10-4d23-83fa-08d90a512307,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,469553bf-6c4c-4a79-999d-08d90a5122dc,469553bf-6c4c-4a79-999d-08d90a5122dc,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f2e8e5d8-c81f-491e-712e-08d90a5122f4,f2e8e5d8-c81f-491e-712e-08d90a5122f4,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,teams-public Owners,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePoint,"4/28/2021, 2:23:03.000 
PM",SiteCollectionCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Site,SharePoint,,,,,,,,,,,,,,,,,TeamsServiceTrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,b73f4c1b-6f2b-4e01-c682-08d90a512267,b73f4c1b-6f2b-4e01-c682-08d90a512267,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:02.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,61fd91ef-a12d-4721-0613-08d90a512206,61fd91ef-a12d-4721-0613-08d90a512206,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,teams-public Owners,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:02.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,664786b1-701f-4420-46a6-08d90a5121a4,664786b1-701f-4420-46a6-08d90a5121a4,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:22:58.000 PM",TeamCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,MicrosoftTeams,,,,JohnS@m365x816222.onmicrosoft.com,JohnS@m365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:22.000 PM",,,,,,,OfficeActivityManager,0812be53-9eaf-4304-bcfe-4b81aeb9a367,0812be53-9eaf-4304-bcfe-4b81aeb9a367,,,"4/28/2021, 2:32:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:22:58.000 PM",MemberAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,MicrosoftTeams,,,,JohnS@m365x816222.onmicrosoft.com,JohnS@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:22.000 PM",,,,,,,OfficeActivityManager,84dba6d5-0e56-5921-a92c-20878b528c38,84dba6d5-0e56-5921-a92c-20878b528c38,,,"4/28/2021, 2:32:22.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,"[{""DisplayName"":""JohnS"",""Role"":2,""UPN"":""JohnS@m365x816222.onmicrosoft.com""}]",teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,[],,,,,,,teams-public,,,Team,94c578e8-d0f4-41ef-83d2-be2a76a1400f,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:21:11.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/b887b6b2-4dcf-34fc-98b1-d5a42c605755,app@sharepoint,app@sharepoint,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,6f33ad8e-0af4-4c7b-9a10-08d90a50dfa5,6f33ad8e-0af4-4c7b-9a10-08d90a50dfa5,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,36,"4/28/2021, 2:21:11.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,app@sharepoint,app@sharepoint,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,01d9f43b-8260-4a94-fc4b-08d90a50dfa7,01d9f43b-8260-4a94-fc4b-08d90a50dfa7,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:21:11.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/617f8947-74b2-36bc-9f7e-21ded7029bb5,app@sharepoint,app@sharepoint,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,90ae59e0-ae77-4ea3-ae20-08d90a50df99,90ae59e0-ae77-4ea3-ae20-08d90a50df99,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:21:09.000 PM",FileDownloaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.241.63,52.184.241.63,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,50e65a09-be09-409c-a7b0-08d90a50de85,50e65a09-be09-409c-a7b0-08d90a50de85,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficeWordWRS,SharePointFileOperation,"4/28/2021, 2:21:09.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared 
Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,42ef1ab8-a9ba-483d-97b5-08d90a50de92,42ef1ab8-a9ba-483d-97b5-08d90a50de92,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:21:08.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,464cb3cc-f3e1-4b23-6b39-08d90a50ddd8,464cb3cc-f3e1-4b23-6b39-08d90a50ddd8,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:21:08.000 
PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.244.53,52.184.244.53,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f8404e73-04e8-44e8-6188-08d90a50ddac,f8404e73-04e8-44e8-6188-08d90a50ddac,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/4fd1640e-2988-4908-8a5e-d723068965ca,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,eb0c8af7-35f9-49b6-84e1-08d90a50dabf,eb0c8af7-35f9-49b6-84e1-08d90a50dabf,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/5ccc8eb5-72e1-49c4-aa67-95298073a01e,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,052ddcbe-8189-4898-362b-08d90a50dab1,052ddcbe-8189-4898-362b-08d90a50dab1,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/62a871a6-8aa7-4231-85ad-d7d49d9723be,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c46ace86-3d94-4a88-ab46-08d90a50dac6,c46ace86-3d94-4a88-ab46-08d90a50dac6,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:21:03.000 
PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com//personal/johns_m365x816222_onmicrosoft_com/Lists/userActivityFeedHiddenListF4387007BE61432F8BDB85E6,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,List,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,userActivityFeedHiddenListF4387007-BE61-432F-8BDB-85E6B9679E4B,userActivityFeedHiddenListF4387007-BE61-432F-8BDB-85E6B9679E4B,,,,,,,,,,FalseTrue,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,021b4380-f558-4cdc-95c6-08d90a50daf1,021b4380-f558-4cdc-95c6-08d90a50daf1,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/c4fdb640-7a62-4dc3-a296-afd7f136c203,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,fa41f235-25af-49f5-c00a-08d90a50daba,fa41f235-25af-49f5-c00a-08d90a50daba,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 
2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/32e71079-0f25-48c7-8451-7e6b01a9156e,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,eb07b5aa-26fa-46aa-e52f-08d90a50dae0,eb07b5aa-26fa-46aa-e52f-08d90a50dae0,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:21:03.000 PM",ListCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/userActivityFeedHiddenListF4387007BE61432F8BDB85E6,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,b92fb798-d8c9-4a27-37d9-08d90a50da92,b92fb798-d8c9-4a27-37d9-08d90a50da92,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:21:03.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,282e8810-50aa-425d-0cd7-08d90a50dae8,282e8810-50aa-425d-0cd7-08d90a50dae8,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/d701a8fb-2a7c-4f58-90f9-43ff22a1f992,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,1c08da14-f57f-4055-34ed-08d90a50dad0,1c08da14-f57f-4055-34ed-08d90a50dad0,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/b8e37b3a-af31-4edb-b734-b3e868bc6458,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,a1bc15eb-dc71-4149-7001-08d90a50dacb,a1bc15eb-dc71-4149-7001-08d90a50dacb,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/d251efe5-08da-4434-8c87-5a6c7962c1e0,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,fb6ad07c-e3b4-4458-ab32-08d90a50dae5,fb6ad07c-e3b4-4458-ab32-08d90a50dae5,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:21:03.000 
PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/userActivityFeedHiddenListF4387007BE61432F8BDB85E6,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/,Lists,Lists,userActivityFeedHiddenListF4387007BE61432F8BDB85E6,userActivityFeedHiddenListF4387007BE61432F8BDB85E6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,18f90bab-f977-47f7-476b-08d90a50db02,18f90bab-f977-47f7-476b-08d90a50db02,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/51c44bb4-8390-4585-9a2c-1601d941627c,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,60ad692c-9459-4ba4-5c1b-08d90a50dad7,60ad692c-9459-4ba4-5c1b-08d90a50dad7,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/610bb61a-21f3-4d80-8451-fca45a094b9e,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,f9297936-3094-409a-20d3-08d90a50dadc,f9297936-3094-409a-20d3-08d90a50dadc,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/1b2d1c75-f84a-41be-9091-fa2a7af7959c,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,eca10cff-f076-43f1-4a79-08d90a50dac4,eca10cff-f076-43f1-4a79-08d90a50dac4,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/2abfd0f0-38ca-4a1d-9d84-57d1a46ae03a,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,54e0e672-151c-494c-f99a-08d90a50dad4,54e0e672-151c-494c-f99a-08d90a50dad4,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:53.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/d3c9caf7-044c-4c71-ae64-092981e54b33,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,411a0fbe-10de-4249-9007-08d90a50d4be,411a0fbe-10de-4249-9007-08d90a50d4be,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:20:53.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d69ef225-3253-4be9-f243-08d90a50d4c0,d69ef225-3253-4be9-f243-08d90a50d4c0,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:52.000 PM",SiteColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/00000000-0000-0000-0000-000000000000/ef991a83-108d-4407-8ee5-ccc0c3d836b9,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,b44f37b0-e68c-45f4-e523-08d90a50d450,b44f37b0-e68c-45f4-e523-08d90a50d450,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeAdmin,"4/28/2021, 2:20:52.000 PM",Set-SyncUser,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,DcAdmin,SpoolsProvisioning-ApplicationAccount@namprd06.prod.outlook.com,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/M365x816222.onmicrosoft.com/JohnS,SpoolsProvisioning-ApplicationAccount@namprd06.prod.outlook.com,SpoolsProvisioning-ApplicationAccount@namprd06.prod.outlook.com,52.179.168.21:53108,52.179.168.21:53108,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Identity"", + ""Value"": ""MmFkM2ZjNzktMTg1OS00MmZhLTkwMTEtNmY4ZGYyMjUxYjIyXDYxZjA4MjUwLTk5ZTUtNGQ4NS04MjEwLWNkOGY5NTcwYmIwZQ2"" + }, + { + ""Name"": ""EmailAddresses"", + ""Value"": ""SPO:SPO_2dab06c0-d0ca-4ce3-b75a-e036b7ce1290@SPO_2ad3fc79-1859-42fa-9011-6f8df2251b22"" + } +]",TRUE,BL0PR06MB4673 (15.20.4065.027),M365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,116fce8b-21f6-464d-ba7e-08d90a50d497,116fce8b-21f6-464d-ba7e-08d90a50d497,,,"4/28/2021, 2:32:02.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,61109738-7d2b-4a0b-9fe3-660b1ff83505,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:52.000 PM",SiteColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/00000000-0000-0000-0000-000000000000/d3c9caf7-044c-4c71-ae64-092981e54b33,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,8db688cb-522e-4d05-07e9-08d90a50d496,8db688cb-522e-4d05-07e9-08d90a50d496,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePoint,"4/28/2021, 2:20:52.000 
PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For List fb27c059-5c1f-48c4-b6bc-e0dbce67c947"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,3c96632e-5c83-4405-2261-08d90a50d40e,3c96632e-5c83-4405-2261-08d90a50d40e,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePoint,"4/28/2021, 2:20:52.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For Web d0c1b100-1414-49bf-a2f2-9d993d091b8d"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,9947076d-a5c2-4e91-4998-08d90a50d415,9947076d-a5c2-4e91-4998-08d90a50d415,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:20:52.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,,,,,,,,,,,,Limited Access System Group For Web d0c1b100-1414-49bf-a2f2-9d993d091b8d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,1dd2011b-fe5b-4f78-abbe-08d90a50d417,1dd2011b-fe5b-4f78-abbe-08d90a50d417,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,adelev@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:52.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/ef991a83-108d-4407-8ee5-ccc0c3d836b9,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d417c472-18cc-4c70-f55b-08d90a50d482,d417c472-18cc-4c70-f55b-08d90a50d482,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:20:52.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,,,,,,,,,,,,SharingLinks.5dab2cdb-219b-4c2d-9da1-a31eed19c2e7.OrganizationEdit.08ac0b39-8bb1-47f4-9360-128ce3b44429,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,218e00e2-79cc-45a7-fc23-08d90a50d406,218e00e2-79cc-45a7-fc23-08d90a50d406,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,adelev@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:20:52.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,,,,,,,,,,,,Limited Access System Group For List fb27c059-5c1f-48c4-b6bc-e0dbce67c947,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,71a4f3bb-bb06-4696-85d1-08d90a50d410,71a4f3bb-bb06-4696-85d1-08d90a50d410,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,adelev@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:20:52.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,4e9514fd-616d-4222-58da-08d90a50d485,4e9514fd-616d-4222-58da-08d90a50d485,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:52.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,370ed3f6-2df2-48ee-c748-08d90a50d416,370ed3f6-2df2-48ee-c748-08d90a50d416,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:51.000 
PM",CompanyLinkCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Shared Documents/Document.docx,Shared Documents/Document.docx,Document.docx,Document.docx,docx,,,,,,,EditTrue,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,82bf93dc-2f8a-4a1f-37cd-08d90a50d3e3,82bf93dc-2f8a-4a1f-37cd-08d90a50d3e3,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:51.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso//sites/Contoso/Sharing Links,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Sharing Links,Sharing Links,,,,,,,,,,FalseFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,034005dc-8afd-4d24-1299-08d90a50d3bd,034005dc-8afd-4d24-1299-08d90a50d3bd,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:50.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""SharingLinks.5dab2cdb-219b-4c2d-9da1-a31eed19c2e7.OrganizationEdit.08ac0b39-8bb1-47f4-9360-128ce3b44429"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,bf703254-6652-4955-04b6-08d90a50d34d,bf703254-6652-4955-04b6-08d90a50d34d,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:50.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Shared Documents/Document.docx,Shared Documents/Document.docx,Document.docx,Document.docx,docx,,,,,,,ContributeTrue,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,2a3675ff-f722-45fd-b4b6-08d90a50d35d,2a3675ff-f722-45fd-b4b6-08d90a50d35d,,,"4/28/2021, 2:28:22.000 
PM",$RestApiTenantId$,$RestApiTenantId$,SharingLinks.5dab2cdb-219b-4c2d-9da1-a31eed19c2e7.OrganizationEdit.08ac0b39-8bb1-47f4-9360-128ce3b44429,SharePointGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:50.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Shared Documents/Document.docx,Shared Documents/Document.docx,Document.docx,Document.docx,docx,,,,,,,TrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,263ac451-693b-484e-8d9f-08d90a50d356,263ac451-693b-484e-8d9f-08d90a50d356,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:50.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso//sites/Contoso/Shared 
Documents,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,DocumentLibrary,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Documents,Documents,,,,,,,,,,TrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,82db0f67-1b83-4916-c8de-08d90a50d351,82db0f67-1b83-4916-c8de-08d90a50d351,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:48.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,cf6fbef6-ea2c-41ff-76e3-08d90a50d20e,cf6fbef6-ea2c-41ff-76e3-08d90a50d20e,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:39.000 
PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedViewViewListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c3765379-38bd-4a29-1047-08d90a50cc4f,c3765379-38bd-4a29-1047-08d90a50cc4f,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:39.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,,,,,,,,,,,,,,"Restricted ViewViewListItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, ViewItemsRequiresOpen",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c2831e4b-b2a8-4890-d542-08d90a50cc53,c2831e4b-b2a8-4890-d542-08d90a50cc53,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:39.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedEditViewListItems, AddListItems, EditListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d4990786-9ab8-4cd8-72f0-08d90a50cc51,d4990786-9ab8-4cd8-72f0-08d90a50cc51,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:38.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/_layouts/15/sharedialog.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,f9968a63-14af-4c49-fd46-08d90a50cbf2,f9968a63-14af-4c49-fd46-08d90a50cbf2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:20:36.000 
PM",FileModifiedExtended,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.246.81,52.184.246.81,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,1e6c39ad-46ed-4b5d-9b16-8ad94beaacb9,1e6c39ad-46ed-4b5d-9b16-8ad94beaacb9,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:31.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/OfficeExtensionManager.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,0dbdc667-f6fe-4830-738e-08d90a50c79d,0dbdc667-f6fe-4830-738e-08d90a50c79d,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:30.000 
PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,b0bde7e9-df19-4adc-d226-08d90a50c756,b0bde7e9-df19-4adc-d226-08d90a50c756,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:30.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,f7be2edb-b583-4164-9e9a-08d90a50c712,f7be2edb-b583-4164-9e9a-08d90a50c712,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:28.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/IdleWarning.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,85d6ea26-68df-4380-b4c6-08d90a50c603,85d6ea26-68df-4380-b4c6-08d90a50c603,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:20:27.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.243.211,52.184.243.211,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,90580a19-45c1-4eec-9292-08d90a50c5f8,90580a19-45c1-4eec-9292-08d90a50c5f8,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:25.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,e8216e72-9aed-4625-e416-08d90a50c3ff,e8216e72-9aed-4625-e416-08d90a50c3ff,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:24.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,511f3f5c-21a3-4856-8423-08d90a50c3de,511f3f5c-21a3-4856-8423-08d90a50c3de,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:21.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ac58679f-2b49-4f60-31b2-08d90a50c202,ac58679f-2b49-4f60-31b2-08d90a50c202,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:21.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,95a3cb0d-984d-4bcd-0a7f-08d90a50c1fb,95a3cb0d-984d-4bcd-0a7f-08d90a50c1fb,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:21.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,9220538d-0499-4823-a66f-08d90a50c217,9220538d-0499-4823-a66f-08d90a50c217,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:18.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ee43528f-085a-4133-cedd-08d90a50c047,ee43528f-085a-4133-cedd-08d90a50c047,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:17.000 
PM",ClientViewSignaled,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Forms/AllItems.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,3bf4ef74-5c8a-4d65-3542-08d90a50bf2b,3bf4ef74-5c8a-4d65-3542-08d90a50bf2b,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:16.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,01bda5b8-6bac-4ab3-4c46-08d90a50beac,01bda5b8-6bac-4ab3-4c46-08d90a50beac,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:15.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/admin_m365x816222_onmicrosoft_com_SThumb.jpg,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,admin_m365x816222_onmicrosoft_com_SThumb.jpg,admin_m365x816222_onmicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c1609139-20c5-423f-845c-08d90a50be32,c1609139-20c5-423f-845c-08d90a50be32,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:13.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/_layouts/15/listhost.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,5d819f12-7341-44fe-9570-08d90a50bd1b,5d819f12-7341-44fe-9570-08d90a50bd1b,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",36,"4/28/2021, 2:20:13.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,a772b0f7-69db-49ab-d706-08d90a50bd0f,a772b0f7-69db-49ab-d706-08d90a50bd0f,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:11.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,aecd9a7c-3f57-4e70-8f95-08d90a50bbd2,aecd9a7c-3f57-4e70-8f95-08d90a50bbd2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:11.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Forms/AllItems.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,681cfea7-290e-4167-5424-08d90a50bbf6,681cfea7-290e-4167-5424-08d90a50bbf6,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:09.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/_layouts/15/online/handlers/SpoSuiteLinks.ashx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ccfddcb0-7ac2-49b1-c2e3-08d90a50bac2,ccfddcb0-7ac2-49b1-c2e3-08d90a50bac2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:07.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,42e1b87e-2a57-491e-8a3c-08d90a50b996,42e1b87e-2a57-491e-8a3c-08d90a50b996,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:02.000 PM",SharingPolicyChanged,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""ShareUsingAnonymousLinks"", + ""NewValue"": ""Enabled"", + ""OldValue"": ""Disabled"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ebaef089-bc0f-4f7e-4561-08d90a50b63f,ebaef089-bc0f-4f7e-4561-08d90a50b63f,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:01.000 
PM",SiteCollectionAdminRemoved,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""SiteAdmin"", + ""NewValue"": """", + ""OldValue"": """" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,51c422a3-539c-4fc5-67c4-08d90a50b5a2,51c422a3-539c-4fc5-67c4-08d90a50b5a2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:01.000 PM",SiteCollectionCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Site,SharePoint,,,,,,,,,,,,,,,,,APITrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,394b0f40-24a7-4231-49ea-08d90a50b5e2,394b0f40-24a7-4231-49ea-08d90a50b5e2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:00.000 PM",SharingPolicyChanged,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""ShareWithGuests"", + ""NewValue"": ""Enabled"", + ""OldValue"": ""Disabled"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,3fbbc20b-6350-4147-a0e8-08d90a50b536,3fbbc20b-6350-4147-a0e8-08d90a50b536,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:00.000 PM",SiteCollectionAdminAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""SiteAdmin"", + ""NewValue"": ""JohnS@m365x816222.onmicrosoft.com"", + ""OldValue"": """" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 
PM",,,,,,,OfficeActivityManager,93fcbc97-2013-40e3-9c89-08d90a50b593,93fcbc97-2013-40e3-9c89-08d90a50b593,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:19:30.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d7709296-8b97-4f33-4a81-08d90a50a334,d7709296-8b97-4f33-4a81-08d90a50a334,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:19:28.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,2b4016e5-f2ce-4875-6596-08d90a50a230,2b4016e5-f2ce-4875-6596-08d90a50a230,,,"4/28/2021, 2:28:22.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeAdmin,"4/28/2021, 4:43:51.000 AM",New-Mailbox,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,DcAdmin,NT AUTHORITY\SYSTEM (w3wp),Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/M365x816222.onmicrosoft.com/SearchInsightsConnector01_33b68b23-a6c2-4684-99a0-fa3832792226,NT AUTHORITY\SYSTEM (w3wp),NT AUTHORITY\SYSTEM (w3wp),[2603:1036:4:3f::5]:1672,[2603:1036:4:3f::5]:1672,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Arbitration"", + ""Value"": ""True"" + }, + { + ""Name"": ""OrgPartition"", + ""Value"": ""True"" + }, + { + ""Name"": ""OrgPartitionOwner"", + ""Value"": ""33b68b23-a6c2-4684-99a0-fa3832792226"" + }, + { + ""Name"": ""DomainController"", + ""Value"": ""BN6PR06A03DC004.NAMPR06A003.prod.outlook.com"" + }, + { + ""Name"": ""SkipEapForArbitration"", + ""Value"": ""True"" + }, + { + ""Name"": ""Organization"", + ""Value"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"" + } +]",TRUE,DM5PR06MB2489 (15.20.4065.026),M365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 4:51:57.000 AM",,,,,,,OfficeActivityManager,993271dd-415e-441f-cfe9-08d90a003866,993271dd-415e-441f-cfe9-08d90a003866,,,"4/28/2021, 4:51:57.000 AM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,33b68b23-a6c2-4684-99a0-fa3832792226,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity, diff --git a/src/SecurityInsights/test/sampleData/SecurityEvent.csv b/src/SecurityInsights/test/sampleData/SecurityEvent.csv new file mode 100644 index 000000000000..e351284bde89 --- /dev/null +++ b/src/SecurityInsights/test/sampleData/SecurityEvent.csv 
@@ -0,0 +1,76458 @@ +Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,SourceComputerId,EventOriginId,TimeCollected [UTC],AccessList,AccessMask,AdditionalInfo,AdditionalInfo2,AuthenticationPackageName,CallerProcessId,RelativeTargetName +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2afc94b0-5a4b-40e6-8542-bf5d5d26a141,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c121ccf-e504-46d5-8567-05f2260bc1ff,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35f834b1-df79-4044-ab1b-009992bd04e8,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cd803ef-2aa3-40dc-a938-e565b3c221a4,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4791ede3-61fe-4247-901e-249e2c390049,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + 583da945-62af-10e8-4902-a8f205c72b2e + %%4418 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",5145,5145 - A network share object was checked to see whether client 
can be granted desired access.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:43.862 AM","%%4418 ",0x10000,,,NTLM,,583da945-62af-10e8-4902-a8f205c72b2e +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21e6ec12-275e-4245-be9a-09c325d65b85,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a6db7a5-a2d0-4595-9dc0-b44fb7afc5bf,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + 583da945-62af-10e8-4902-a8f205c72b2e + %%4418 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",5145,5145 - A network share object was checked to see whether client can be granted desired access.,f6638b82-98a5-4542-8bec-6bc0977f793f,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:42.862 AM","%%4418 ",0x10000,,,NTLM,,583da945-62af-10e8-4902-a8f205c72b2e +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a319007-db4c-466b-a4cd-d5f7adb349d9,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6d8d965-a986-46e0-ab38-89b04a5a88fd,"4/16/2021, 9:09:00.730 AM",,,,,,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06b66dab-f97e-4c31-9c5a-72b007f63103,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ea28324-812c-483f-9533-43bb9fd05f49,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8af8e21-e459-4a24-8554-e2561f001dc4,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4793792-e5ab-44ed-b2ca-f440043ac112,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1198161-f8be-4d2f-8217-80dc3c9760da,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,487c4039-8108-4c55-aab6-e0ec00f23585,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b1f3ea4-d42f-413f-928b-426cb71271cb,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07afcff3-3e1a-49ae-92f3-f954932ba5aa,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec3e4f94-c07a-41d8-a57b-094f4ce2b0ce,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c18979c-fc2d-4ee7-9005-9e9a5b28caaa,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a28d3eb-ab69-46ba-bb35-9f5214897293,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,74a7c1e5-c11b-4eed-a53b-b5ea52ac224c,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,50922fc2-e327-4aa4-93d0-9253cc9e6bcd,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\HELPDESK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06ab4987-55ac-4647-a46a-52537e6bbf87,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\MIKE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c78102f7-2a19-42c8-9255-9a662eae56d7,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7131d2c1-286f-428b-9e83-83d2ec5c8729,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f1c70f04-0111-4620-9bee-127f7ae6014c,"4/16/2021, 9:11:13.620 
AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,91095df4-0a32-4077-a592-64e793105d3b,"4/16/2021, 9:11:13.620 AM",,,,,,, +\PC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f1e835a-8003-4137-a40e-584a2fe1de31,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7904 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af02b155-e5d4-480e-b570-3f551355730c,"4/16/2021, 9:11:13.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3652 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71f49696-21dd-416c-8e01-5a15f5b265c4,"4/16/2021, 9:11:13.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," 
+ + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8108 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,598614d0-089b-4feb-a42c-58a0758f92a6,"4/16/2021, 9:11:56.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748ef16c-4f58-4e37-acdf-36cc2db7fa12,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2038142-efec-4f23-9e85-2d3b1e0d902f,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b0840e1-375d-45e5-88ae-050d4a8f0e74,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8103eac-fccd-487e-9870-33168811fe3e,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79b66b42-3303-4e02-9c70-9c1206cd3993,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1f40fbc-6636-4244-aad7-0069d9ce9e51,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edd025da-19a6-4d40-a7ef-a509ddaec3cf,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa87e824-fbdc-4aca-8606-e4bff0e0ce71,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf928687-66b3-4189-9506-fc4dc48fa5aa,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e6f2b53-c28c-427f-a790-22766cedd83c,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91643cdd-0f44-4dfa-92b2-ee53cedf25e5,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1e05a0c-6056-4abb-a29a-4eefb2006e39,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6198d064-d870-4cb1-98cc-5a3870391117,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bbef50f-c2bc-47ae-928d-a38b91d81c4c,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220c9c13-cb24-4096-9781-e358e0854e03,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cd7e3c0-ee95-44a9-bf42-25e86aae360a,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2e16e7e-b86a-4906-a28d-2c19387c070c,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,289c4013-1a35-4459-9d42-5b10f63aab59,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa72c459-826e-43dc-bbde-ece9213c4324,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,577ac2b4-deb7-44a4-ac91-c1906d3f64d8,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd9a234-93f3-4151-a364-37fd8ad66a04,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4e73f31-2aad-4cc6-bf55-df2bde6e6be4,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51c4e864-b51f-4690-acc8-17eb10a07e98,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,530f05e9-9bb3-4cb7-aed7-e168f84d9bf1,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,42749d15-2708-43e1-8301-751e15314ad2,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6608 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b452d3b-da57-40ac-bb7a-a99773525d38,"4/16/2021, 9:15:55.623 AM",,,,,,, +CONTOSO\CLIENTPC$,Machine,ClientPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + Security + File + 
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + 583da945-62af-10e8-4902-a8f205c72b2e + %%4418 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",5145,5145 - A network share object was checked to see whether client can be granted desired access.,f6638b82-98a5-4542-8bec-6bc0977f793f,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:42.862 AM","%%4418 ",0x10000,,,NTLM,,583da945-62af-10e8-4902-a8f205c72b2e +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7136 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,09fe1526-7583-4b2d-a6fb-110527cfd993,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba031d91-b7d5-4316-a91d-4e17a2e5653c,"4/16/2021, 9:15:55.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,385d6080-092d-4df3-8d4f-31e01274c8b7,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e8f8e0d-c463-4f58-b0ff-3014b1cbd01d,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3272 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2f70b662-0576-4e8f-91c6-11da9cef9716,"4/16/2021, 9:17:09.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c658b483-b06e-4f90-9766-769fc6faec1a,"4/16/2021, 9:17:09.881 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7f6904cd-84f1-4e83-8201-62e0b787042c,"4/16/2021, 9:17:09.881 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bbd976fc-3fe1-45f3-928b-ee2b503c637a,"4/16/2021, 9:17:09.881 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b81d1c64-82bf-4a66-b43a-25a18d1c3c19,"4/16/2021, 9:17:09.881 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,adf9be15-46b7-47be-8371-a504bd42c5f4,"4/16/2021, 9:17:09.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6824 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,44ba7a56-fe2f-4dc4-8d91-c5b4689b3790,"4/16/2021, 9:17:09.881 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d0e5844-78a0-4c10-b57d-542f63ac2284,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a78d9fa6-9506-4156-bbac-f57de9753b12,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e61bd567-276d-400d-b13d-0b4557668df1,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b717bf9-01f1-4ebe-aa89-e9cd981cabef,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e670311d-c87f-46e5-bbf3-8eaff97d433e,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e8f14b1-3ca6-4644-95fd-5c6ee5e5580a,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3dec98d-e1af-4bfe-b4e4-04c65917ca41,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371e9b90-1712-472a-a42c-48e152f3b43e,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, 
+\webadminuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee974d4a-27e7-478b-b6fb-36a0c0498491,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d42939-cd6f-49f5-a42a-5ab2364de2f4,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a7dcd60-8b05-4d5f-ba60-1ad6a585f238,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\marcelo,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b93ceb9-c3fe-48a5-a5bc-847208222a2c,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaff5596-56ed-476f-bd38-a1a963369b0c,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fbda712-1df3-4c49-8131-648bfe93f9d2,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aa547ba-8469-4f71-8f2e-83b769ce1309,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4bfdb86-1b8e-4de5-a338-71c079295009,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,effdf36e-0b48-4381-830b-d5c1eaae56a7,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6212810-a75c-4533-a4b5-e59354a22b06,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f2f62f7-e9f3-442f-9f43-ebd2843220aa,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a281a655-484b-4def-8e74-08c40e9ee3b7,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ba75a1b-4b95-4ffc-81ed-1f20edfab632,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\user18,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bdb2a5a-9b36-44f2-bba2-165a22896e46,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2f3cc54-0a33-4ced-abbd-02623a2f96ba,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f1e6188-d9d6-47ec-bc2c-a9af7f94ee9d,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d49501ff-6972-42c4-99ab-46beb39519c9,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c80f327-7a79-4170-9c7c-66e31fe418bf,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92fc7c07-d515-4219-8aa8-552ff7cd7190,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acc5f42f-25c9-4b0b-85b7-b2bf8ba3b3e0,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b72faa8-f37f-4894-ae73-6143c7a6ceca,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a202a0f8-3176-4daa-84a3-48ce6b66ea9b,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\VPN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8c37aa9-0ac3-4f8d-9949-af063b68c9e7,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,186849e0-1378-4435-95ad-ec62eaaab8dd,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,988ce9cd-a463-4ad3-b90e-e7b2a485ee6e,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4a67b73-bbbc-40aa-a76e-0d1c79b992c3,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a18dd436-9638-4573-96a3-6a81785cece0,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e206dc3-4ef9-43be-a856-19d541085fc2,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,929fbd13-5c76-496e-bab5-67db856f3f42,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5bd7dfe-ceee-4491-b2d0-0cad3b8bde71,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52e70cf7-4fd2-478b-ab8b-e21790590738,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c1daf4a-e8cb-41e0-a4fb-2d02ae9f886b,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,592c3258-30be-4fa9-8a36-45797d91dc62,"4/16/2021, 9:20:55.723 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f3a64f8-f2d0-42ce-be5e-48f3a76eb7f0,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95822958-e34a-4d81-9d86-b42636a06c36,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,deea6189-4bae-4055-a571-e39076e887c5,"4/16/2021, 9:20:55.723 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb4db752-bc7a-44a2-a848-8a1a848867aa,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10171458-e743-4cfd-80c7-c742c9a8dc57,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a84b8599-8a8e-46d5-ae7e-da9cc55793cc,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\CHRIS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4568cd9b-75b8-4e29-a37a-47294e38023b,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a87080d-f922-4fda-bcb1-f43bad6ab6cd,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, 
+\SECURITY,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f99cbc4c-2d77-4df3-a95f-fa69c39034c9,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba70a2d-bfbe-4f29-b953-36ccc6a8ff55,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\JJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e601f55-f9ec-44be-ac01-83a85ce9a350,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7a21b36-488e-4f07-b052-4cca10b2c358,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1328f471-04ca-4799-b96d-0ef6a29f16e1,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ecdfee-14cc-418f-a9aa-c4b44ccd3e56,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdf8a92f-c089-4432-a6cb-5de0483e3b7e,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90d39516-26f9-4098-af84-b01950a1ca69,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef3edf3-1d5e-4a5d-a7b5-5152b38f7549,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec1b74e-17e3-4913-b58d-e2c1580fa8a7,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ab3a174-f245-4e54-865a-2a845f72676e,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa5f50db-f638-4ed6-8837-ea292f73d6a2,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60bd652c-bfc7-4ac1-9f0f-cd7632bd36a6,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eead84f-b121-4531-af31-7199c381bfa0,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbdf2c90-baef-4711-8f66-1d225d201de1,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c05ab43-71a3-4973-a0b9-c2d50b70763c,"4/16/2021, 9:27:21.152 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,377247c5-fc18-4457-99bf-41245b3c263d,"4/16/2021, 9:27:21.152 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3212 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,406e324d-bc2c-4faa-afa3-fd53720e7be9,"4/16/2021, 9:27:21.152 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6752 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d528969-e394-4079-8131-eede3a038e0b,"4/16/2021, 9:27:21.152 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3678371b-168f-4196-8a6e-da728a21922b,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e71220-d4de-498d-ad61-844ffcc68694,"4/16/2021, 9:27:21.152 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c88f909d-a0f4-41c0-92be-4e1c18afb237,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a68a5990-ea1c-439a-903f-3e7883696ab9,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0729c130-54e3-487d-8101-2bbd50dd991d,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b23c987-7423-402b-96c8-0fd59d89af64,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0d35b9-df1c-411f-9490-7b5896aa5bc8,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec089bd9-deaa-4660-b033-c181e7117c79,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d4106d-f8d8-4656-9842-1c29c08a6ce4,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0b207ed-9ad8-409d-87fd-2d1d94887c54,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f00d68e0-39ae-492c-af71-e096f4676ea1,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,080e6e07-8fcf-43b1-9fe0-2509894d37a5,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63ca5565-d591-4bf1-b345-4cf96d44559f,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7af80eb8-948d-410a-b281-0d535fef5caf,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff32ea37-c46b-4aa7-94db-64b99a2f7ab7,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38235f00-0152-4df2-ba33-125f886f088d,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,908ba274-d612-401b-9431-8f891ab7a927,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dda9f06-5730-4868-b32c-e1c8dd370cac,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b86ae05f-1ce7-495c-a1ca-209cffe23fdb,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d07f04b-03c7-4c0d-a7cd-e5e01febbca3,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa838a5b-1b31-466d-83ad-03eaa34e51f4,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab5ee819-f85a-4b9d-aab5-70bea757f5dc,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf83348-3f6d-4eb9-855c-fb49ea341d02,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d03facaf-0bd1-4eb5-a819-9f23f9cdb2f6,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85b4fdbd-6297-43ac-9523-13e1efabc679,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31b17381-9cc9-4b7b-b7bc-ec1fc5dc0b07,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbe5093e-0a47-4c29-aee2-e7f2a998e24f,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,408867fc-70ed-4387-80b7-7db2c88f3ab0,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e860d3d8-f876-4f69-809a-91ee360da2ce,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c727065a-75f9-4ced-8010-9413941ab423,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d69e4b5-4c63-468d-ba05-83ac1aa2333b,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a0f93d0-b08d-4a24-8f5d-34c25ee73c11,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fbec15f-61e0-4c8a-88da-2dc1cac18640,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\JOKER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0f33521-411c-45a4-bcd7-40c8359e8e33,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa6fdde4-b5e8-4f0e-8723-54d041510f99,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffd1329f-b285-4280-a9b9-3147ca05fc2c,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\SQLSERVICE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29861c41-c580-42b1-9c89-142f4336ba64,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f29a2cc4-97cf-4dd1-a929-e5779c02776d,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b72a22f0-3da8-40f4-94be-5dccdd5fd9f8,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c081d23-b7d7-4053-8021-ff81e2c5304d,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4758f83c-3a94-443b-a0bc-885dbc88e500,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,759a5dce-c36a-4a6a-8594-608820a6ee93,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc28ab5d-5343-42db-bdd0-d15b08997717,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c0b554c-0453-4f99-a6de-cf2bb1017cc4,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36316e0e-1015-402d-961c-5238f977c41e,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6656ec6-31dd-4245-8319-3658c6a3efc6,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4b16068-ea26-4e08-9b6f-eff6f4e34b98,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ee63892-105d-425f-9c7a-bac85b993644,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\TEST3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67c88dc6-a9a8-4625-aecf-b7bad61b1c92,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f214b44a-9ae3-43ba-84a0-941a52383f21,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46d4e6ea-ae1d-4750-9392-93e080f0ef4e,"4/16/2021, 9:28:21.748 
AM",,,,,NTLM,, +\STOMPYSTEVE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c0deae8-d951-41c3-b7e4-099375d00b88,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2887dc84-8b7c-44d8-985a-934c6885d2d7,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2576 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,61641557-bad7-4477-b5b7-455560445897,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,05c0cc7e-2eb3-48a1-90c3-2273faec307b,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12772 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,18fed45a-7a7e-4eab-ac4b-790c40a0bedf,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,07952245-8247-45c5-8d08-22d2203074cc,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6336 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,064a0d33-e648-45c3-9e34-2328153d0df5,"4/16/2021, 9:28:49.420 
AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10492 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,7736b92a-905d-4ee4-8730-e56260459427,"4/16/2021, 9:28:49.420 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,186b98b2-5c7a-41d7-acad-6a22171dc3e4,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10415b9a-5d7b-4098-bf09-6ee6821ca71c,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a857b92-80af-4ccf-9c96-88eca7cbe154,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27910d8f-d3d9-4844-9620-e1bfb1ce5181,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d133cbd8-4e17-42f2-8152-25638ce3754b,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,666e7394-573f-4cce-ad1c-889ab9cad8ed,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c8c0ecb-04fb-45e0-88a6-3d3517b025a6,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fbc264b-7a64-42be-b52a-96ad039216dc,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ca1bef6-d8ba-4ba9-953d-ba92aee8c982,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15cc4985-39ca-466d-bd2c-8a58eb957868,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8560bbe-2d5c-4595-8d52-0f4b396a147a,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fca8ec70-083b-4f6b-b234-7f52300fb830,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b522af9-d730-4c1f-b328-98e01bdb4b99,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9717052-e0f8-4c5f-8816-b3c6e77c79aa,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61b0a096-9d92-435c-8361-4dc5265545de,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c4710db-94d6-45e5-940f-7046e7ee0616,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f75233d-f9dc-4e6a-839a-fbaebf566d69,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d70387ae-907c-40d5-93a7-a59b93781e36,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944f7bd4-861e-448d-828e-2ded5637cccc,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08b213a9-5f56-4470-8c7f-f5dda6ded2ab,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5975c529-5cd5-4fc3-9537-55e45963dfea,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28652eb3-f36b-4344-86e2-57e9cc465134,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b23e74-15f4-4940-a40d-726ff8ae3059,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,07f4b6e7-0719-4e25-8df3-7402fd28c7c6,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b173322f-bcd6-41c1-9582-ab49cbf0ea2a,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,d701ffda-3cb7-42b6-accd-8e4bcbeb9970,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8840829f-bced-4fc5-abdb-ea3167c33646,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2eefda3a-a6e2-4475-8f6e-a919621bad7d,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5f17a3fb-6b60-42f7-a1f9-8aa654518377,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6d460e2b-b764-4bca-8fce-01ff15e02c6c,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f7ba93f5-bc7b-4683-a081-4c3b585f4b6b,"4/16/2021, 9:29:16.106 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9de2c752-694a-4a43-87ef-914c2d169bb8,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9d76f56-4a57-4ad0-ba41-a33ccdb8ee1b,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9de9a4b-0ca2-49f7-96d1-3824aff29f13,"4/16/2021, 9:29:16.106 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b3dc9f8-6c47-4e06-91d3-3e04be4fdcd9,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41fd5d5e-e7e5-451d-95e6-831439247c23,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9c87e7-64cc-452f-b771-16809ced1107,"4/16/2021, 9:29:20.760 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af18ab81-0e79-48cf-b3a7-932c46374627,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\EYF,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36649dd8-1339-4404-9ddd-af7e36d642ef,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6431becb-062e-4316-96e7-e866b425781f,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41072343-a895-489f-a0b6-1798e89af178,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,238767e2-043c-4a8d-ba77-244c3d0f3703,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1509d6f8-bfb0-47d6-8f1e-ed97196f0846,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1447ec71-935a-4477-ad7a-ad24e2cca1db,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb3c1893-76e1-4db8-b7bf-5446df1b930c,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f4a1eed-3451-4488-9ddf-df8de70e9087,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a17e6ac2-33ea-4b42-b1bf-2bf80fce78f1,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\TESTUSER1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70037179-ec76-4826-8b7b-e682bad2b1f4,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee3e829b-8c10-4506-8ae8-5b465d27ee82,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6fe0c0c-00bb-4475-824d-56a585f8d0fe,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b07fc3e4-79e6-4898-9c19-e210fe177752,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f4a2708-713f-401a-bfb1-8d74c830c1ce,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c94ad00-08ee-40d0-9ed1-3e32063fe9ab,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,806d367e-eb34-494d-86aa-751b8eb0503b,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cff3d1e9-7017-443f-a5a4-3a1c5ca4f09c,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd12b61f-1dd6-453e-b17b-33e50f26f7e8,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 13724 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 4907DF27D7E70A824E8BD9BCDF3B222C3D8FB687A9986541432520AE204173FE + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1049 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,11e77326-5cc6-40d9-916a-1d2ec62f42ef,"4/16/2021, 9:29:30.876 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 13456 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,40b72e3c-9c24-4d92-add0-6ef9fdc7633f,"4/16/2021, 9:29:30.876 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1012935d-728a-403c-b095-2a7b3fbe2258,"4/16/2021, 9:29:30.876 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f756de01-8b02-4f49-853e-73208e3ae632,"4/16/2021, 9:29:30.876 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,8bed84e5-6ccd-4d6d-b836-f8fd6194f7a1,"4/16/2021, 9:29:30.876 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80be7a54-8d7a-4920-9f94-b691bc37c174,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4b78a23-6f9e-4d73-829d-1d21455bb6a8,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9faa1d22-3ad0-4354-b038-f197d9376a84,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f47f4f6-6b55-460b-9479-e5ea4039331b,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0967ddec-b475-4b82-938c-3d942fcd7523,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b34ebda-0949-4c5c-8ca1-d747db2d1b78,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1731f6f6-7640-47a9-8306-cd6c617d5965,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f53ff7a4-f0f8-4d72-b6c5-8c06ed1fcdfe,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b0150a-67bc-455e-9d0b-dca38dc0e411,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f7fddf-e21d-4076-a79c-ebfe894ca948,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda498ff-7a97-41e9-ada4-641d54c917ff,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b726085d-cb69-4aa5-bd1b-4fde354f37ef,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,3b0fb28e-1b0b-4f19-bf5f-9e5c44463779,"4/16/2021, 9:29:36.137 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,397b09e9-9bd7-4fb2-be98-a68a4f5ca8f8,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be5766bc-1aee-42f4-aca2-a7609949eddf,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7d6f8bd-fcb6-455c-a5f8-12b76571eee8,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aff446f2-a230-4f03-a086-d81a4d9ac07d,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28fab94-5579-442f-936f-004c17d0e939,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a13a15d-8091-4fe0-98fb-b20ab5b31250,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f09c95-142e-4aba-81b0-c02644929342,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e7a36cf-6dfd-4913-8c41-c7a195a93427,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbab25f1-0379-42f1-9727-24ced1884e2d,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31a57c16-9656-4135-b327-894b9924ca66,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a4d3f4d-e1f2-40f6-8961-8e1c2c34b157,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdaac4fc-8c05-4cfa-bdec-54da2de02cca,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a2cc78f-20ee-4cf1-a201-448b3aed7cff,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53d87ddc-be2d-49b2-89e8-ee416dfb92ed,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,376549c5-d05a-461c-8e3a-19897aa7ba80,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca2f950c-302e-4fe5-b36b-72c410ee56e3,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15be7f46-ecfa-44f6-90ab-f3cf588a81aa,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2624b8e3-e706-48a5-b6c6-fe834c6eb364,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33a1bec-48a6-4e24-be97-23174edc0383,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0c211ae-c1b7-48ee-a666-b9d4098e6488,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae85cb40-2fa2-40eb-a289-e2da415e8f8e,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bfb1ccc-b7f4-42e7-840f-03cd737593b8,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6e0e794-46b9-4b63-befd-45109a3d2d1e,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a32927a9-77d3-4ecf-b463-b1075b602ca4,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59ab155-78f6-41c7-bd0e-f32225180277,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a21d7e4a-0a1f-489d-83e8-a200075e799c,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2743d6c3-5174-4244-a793-04aa2e1b7e81,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fd05fb-5785-46b5-9c78-81b7a5797143,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73ca37da-a612-43b9-80a6-fb8fa803da4c,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64261849-366b-43fa-b446-70fafc4a046e,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b3b7af6-88f4-4df3-a6ce-66ad344e3fd1,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5922d5a8-a71c-4157-b555-d3b97092350b,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01aea61c-78ef-449b-8b1d-e9497be39aa2,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd526568-62ab-4a5e-b973-5500ed84d215,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb8fdc5a-18aa-4231-924a-c6779d1d70fb,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10b151c0-ea87-481a-9642-796b7d236d3b,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34c3780d-88e7-47d9-8f65-ed503d8c83e9,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b56145f6-2564-4a8f-9d94-1c4615ae054b,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8bbeee5-b1fa-47cd-a993-1379303a2453,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,063b6145-aa30-45ba-94b5-a5a2835ca120,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d749f16-2890-4162-8f73-cba4af484778,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c54d103c-eb45-46fe-ab96-71b436dc3822,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cd3cae5-3acf-4b74-a4c4-45da5d600d3b,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c29976d7-0360-4298-9bc1-cfbd90812f36,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\ALAMB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02ff41a9-6edd-4e82-9533-c49d6f6803a9,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97a9352d-1df8-45fb-87a0-7e96f8648252,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a926b7f7-f555-4f33-b645-1e5fb1841e0b,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38d9240a-515a-405c-ad47-3854363941c9,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3910961-8865-4688-b5f6-3e4a3cf34fef,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a35f881c-9a77-4e7b-a843-120f501e835b,"4/16/2021, 9:30:02.771 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c44fc5e0-9235-486f-8f6b-abd8f9d79f9f,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6622ac9-da61-4553-b2fe-e9d38ff052d5,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b90b793-a581-492b-9dcb-0c85d2671ddf,"4/16/2021, 9:30:02.771 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94902f0f-c1ae-4454-9ca6-8a6c3dba251d,"4/16/2021, 9:30:02.771 AM",,,,,,, +\KASSA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,723a252a-cd99-438b-9f61-26dad5ca960e,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16a535ef-8354-4ce3-948b-913ec801e437,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9d7744d-46fb-4a5a-8514-ea4a429e2732,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96edb98b-41b8-47c6-a62d-d49b216c3aad,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3098713a-6c19-454b-9e7d-ebf4e8d0587d,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c10d8e35-dac4-44fb-9737-b9992a10dbae,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46afb60f-e04d-4631-bc1d-2fc697a58a2f,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa7a5266-16d8-478f-8b48-b0e531eb834d,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b1e9a14-b16a-4bde-bd34-eb62977e00e2,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d7973a7-fa56-457b-b76c-a1421086c894,"4/16/2021, 9:30:02.771 
AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef2c974-098e-4886-a31e-64052a09cd3d,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd2e7c7-5b47-4b83-933e-4be45a673c63,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0607c3ee-614c-4606-bc0c-5fb2be1a45e8,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e513b19e-898c-43d5-bc9f-13e6d292cabd,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90f8a517-b5e4-409f-ac08-10e9cc19a04d,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bd122ca-aa48-4842-9584-f05d10e61c9e,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54183ff1-117f-4b60-8f6b-40d8a09b90dc,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5d2f16f-9b31-45bc-b6eb-6a652b319274,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c311d0aa-fc26-4578-b7bf-77218ba056bb,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b3f0daa-b865-4270-b876-56c45d967187,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bf71b28-f675-4030-a6eb-9044ae220886,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31f6c32-0019-46d8-879e-784ee68af95f,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c24a39cd-7173-4b37-8ce7-60c6b7254d56,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e29e2fef-5162-4164-b3f3-0ff91f9fe508,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\CREST HILL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,867b4ffb-1ceb-4c4d-93be-374309fac2a8,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c185d2e-0c41-4dc7-82e2-85e9d6a714dd,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04c1b898-9ffd-446a-9bf3-5f634941928d,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4d12209-3e63-47d9-997b-f6ba661122e4,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8c9b506-9937-4ce0-b99c-ca5fc79f9383,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae8e1d77-6afe-4d8e-9bef-ae42e2eee253,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76353c95-b7cb-4fd4-bb66-cf3ec6f9a26e,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2fe3a0d-d684-497e-833c-a920348da16e,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1ed07ae-e5e1-4722-bce0-6fd72ec46614,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c02c8f-5109-4085-8f3c-4fafca2dfd67,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ec3b14a-c58c-4e3a-b993-5a1ad0173949,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c4937b66-956a-4166-9d9d-62d686b639e0,"4/16/2021, 9:30:06.647 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4620 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b113dbf8-07dd-4756-90fa-d461f5f615ff,"4/16/2021, 9:30:06.647 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1140 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bdb3bcf3-9c71-4ed7-84bc-ec932b099ed4,"4/16/2021, 9:30:06.647 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e34ea16-3747-4ddb-a56c-98a003afa00d,"4/16/2021, 9:30:06.647 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5144 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b5781231-ddd9-48b8-b3af-a6183c2c8690,"4/16/2021, 9:30:06.647 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c7b3d2f2-5f6a-4d98-9ef9-34c8c9e0d859,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,a525dcf8-4221-4dce-8f8b-390a7a095744,"4/16/2021, 9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd3ba + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} 
%{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,ce346c6e-b616-4947-b365-dc282dbb76c4,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1864669-413d-40c2-898a-10b9647d8569,"4/16/2021, 9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd40f + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,53c37fd8-1af4-4778-84dc-171b66284ead,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9150960-3d1c-4c21-8fb4-971b054a2d0e,"4/16/2021, 9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd41f + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,6beec2c4-175e-4b65-957e-f1bbf564a482,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,e1ae52aa-161f-407b-912c-1dc757d51a38,"4/16/2021, 
9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd434 + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,019a4c11-b436-4055-a180-ca0d93055b2c,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,2a7f3582-511b-4b50-b040-750dea99ce4a,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,0dbc8eb5-a5d5-4ed0-a329-f9ff63cf0e02,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,c2646bde-e41f-4ee1-b5cc-29f90a5a8088,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO + 0x41fd3ba + 0x0 + - +",4799,4799 - A security-enabled local group membership was enumerated,f6638b82-98a5-4542-8bec-6bc0977f793f,4668191a-ddc7-476b-bd35-6116da85e17c,"4/16/2021, 9:30:06.647 AM",,,,,,0x0, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,eee8a3d4-a6ec-493e-96ec-b12781853dae,"4/16/2021, 9:30:06.647 AM",,,,,,, 
+CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8deb033-a50d-4cbe-9119-68f33d3e1d28,"4/16/2021, 9:30:06.647 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x41fd270 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,06da85ac-c06b-426d-ac8a-90a5585a2a47,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,2aab6744-c156-4973-9ee4-02c8d14ca303,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,ffc7259e-eed1-4d29-9bd2-0486d7eff1d8,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,afcafa10-9dc4-4fda-ad6f-da8f3da25de0,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,71b5756b-8a9f-4f06-94a8-d69b0d742c45,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon 
was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ff29c70c-9703-4afc-9ed2-cb2530be1b7e,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3ce625ae-f164-449d-a319-7db12c2dc1df,"4/16/2021, 9:30:10.916 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x241bf090 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dc235730-08c5-4284-9e72-6a7171f248f5,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0be4bb2b-f747-402e-86d2-ee16304eaa72,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c87e85e4-a7cc-4574-962b-3e3e5d25cc07,"4/16/2021, 9:30:10.916 AM",,,,,,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73edda84-64e9-403c-bf3c-84b744035502,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d39b434e-bc3e-4d40-8f54-3023f688465b,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,551c6ef0-01d1-4775-b228-4f3d42d95039,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de7eacaf-37ad-4c2e-b890-51715a1fa59b,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,720eb0c0-9875-4521-88f7-85a91421ed06,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ada8633-873e-4d38-906e-34ae70fcd422,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad1bb554-a227-4d07-b017-13a60eecd64b,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49008419-1a25-412a-83f3-9a8165d8efbc,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a37bdb27-c921-4cca-bf53-05e6de7ef720,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a212b3c-2d1a-46d4-a73f-612409a5b075,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbe01abb-5a01-4b17-8c02-69b84fb249ee,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb0e867-7cf4-4255-857f-40eab6943b92,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53df7fb4-00b3-4492-8848-f093f95e36a8,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50c02b63-d0ee-4771-a5a9-bfa84982bd65,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98b39538-8dbc-4edf-9c34-c97cfd3d907f,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba7c8b5-ea9c-4bfd-aedb-3a5f771741a6,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd1b4893-96bf-498f-a7bd-5c92113dc94d,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18c674f-d393-4c91-bd51-cfbf564ea8f2,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,796aeb17-caf6-43b3-a912-acae0d410abb,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5925af93-5572-4d4b-b881-14c9d5a514cc,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1361b7ac-3203-4260-9d6c-f621906566b5,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,221001e8-73b2-4270-95a5-ce49d8c11ac4,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ANA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c0dc44f-cc30-4b23-9467-ee6221b27f7f,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\INTERNET,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc83453f-7132-4db7-9eb3-935ada8b72cf,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,15fd5c29-5a8c-43d3-a5d9-31d339980f84,"4/16/2021, 9:30:19.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fa109d8b-6e28-4041-8e43-1dd54110c8d5,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 212 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ee790083-3fe3-412e-9180-5e0fa3b9570e,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,071e4143-a292-4e54-b241-31aa731723af,"4/16/2021, 9:30:19.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d5cc691c-b512-48e8-b72e-482708387673,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\GUARD,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8965e8f9-2150-46e8-9c84-50caac0896a4,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8cadfe8a-0367-430b-8aa3-a08fa6f4edcd,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6ba0b10-621e-454e-b295-7ad2b26ab5dd,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,772811cf-f59e-43c1-8d1f-c3a3bd3646b4,"4/16/2021, 9:30:19.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,86f6c7d4-4039-41e6-98f5-1d06ff818a79,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4852 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1fa67fd5-1e28-4f33-9ad1-83875b08ff8c,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4060 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1e5a9bf-61c3-41b8-9ebe-5610ab092014,"4/16/2021, 9:30:19.411 AM",,,,,,, +\PRAXIS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf78993c-dd9d-497a-9036-165550d4c2a4,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af3375d6-1c74-490a-be6d-a9ca1bf67284,"4/16/2021, 9:30:19.411 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f11b248-49ac-4556-bd93-0b33771f29ba,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10b6ed06-fb88-4be0-baeb-62363c18aba5,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8f11f8-626a-499d-a34e-574323e6c9d9,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f34650d5-10ee-4e89-9869-fa302219e3ce,"4/16/2021, 9:30:20.766 
AM",,,,,NTLM,, +\OFFICE2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ad7b1ea-f7cc-48f9-adbe-2244411e1363,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26d09fd4-d169-45aa-852e-a57ccc9bd644,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0a20ef-24d4-41e2-a34a-b4a7c1be0f66,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e933cad-5043-4ddd-b5ec-29433b6c4ff9,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,284561ef-87f4-4a81-8506-5b04b1fedc55,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65f3e2c1-cf34-461c-9708-888412627913,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5decbbb0-4aca-4395-aa9a-70ac272d7501,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37e614a5-d3c1-4df1-92a7-e701c4ec1f83,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c0cf37a-36c1-4ec1-aa9d-70cc0d71e554,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7e66444-d93f-4aec-8c10-3b02d6338c16,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70f9f3be-530f-4655-b5f8-b8f94c7338aa,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95622bef-bb20-439e-9291-7f0e29a623e9,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\FRONTDESK,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50e22f44-a327-4e36-9f06-7673fe413de6,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,202bcbf6-51a0-4f93-9d4e-7b911f5e7472,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b33f228-6250-42cb-9acd-a77657b620a8,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,918ad498-60c8-4472-ba02-450e4d93fe0e,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc728b0d-1f17-47c6-9649-18031dcde604,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25a711aa-66ce-4841-a3de-45f98cdff51d,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6368 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5d85041-5c68-4f6f-91dc-d8296729b257,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e81cb28-57a6-4151-bd9d-d385d2932886,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,567cc234-18d4-4589-bd65-7ddf7fd89754,"4/16/2021, 9:30:39.640 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4168 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b8dd2c60-25fd-4005-879f-96bc23ab91f0,"4/16/2021, 9:30:39.640 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3152 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,248dc0eb-afd5-42ee-884c-0c1322619835,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b3fc153-742b-414b-bf96-293468504803,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc0b1c15-fdb9-4ae3-89ab-e87f97bc0ab7,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7c46be3a-3ef1-4c23-acdd-c478c7dda600,"4/16/2021, 9:30:39.640 
AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ab8147b-6199-4884-a6dc-2778e33acd7a,"4/16/2021, 9:30:39.640 AM","%%5649 ",0x2,-,-,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11144 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5f3c5748-5274-4566-862a-914c9410e18b,"4/16/2021, 9:30:39.809 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8187b6ba-b47b-49e3-b647-fe04a11b438d,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8422c491-72db-4f92-8a1d-6b18fde0c05a,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8223193-488f-4131-9989-734c15f5908f,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\OTTIS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f18820b1-092e-4bf3-b95f-1b45bbe59a0e,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4228501f-4ae8-46b6-97ff-e720245b95cc,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83d973b2-f521-43e8-af6b-f30bb51c3da2,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea82f0da-488f-4926-b553-ec6b31463450,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a6d6ad2-87f8-4d29-8748-8309eed2caeb,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fedf49ff-bada-4682-ab6a-8010bf20bdb1,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9291cb63-a730-4668-8699-e3186d18a8e6,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\USUARIO1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9953c5c7-f553-4281-92a0-b7e86dbdf7be,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71942d38-b363-43f4-9e17-abc18a3bf4dd,"4/16/2021, 9:30:56.757 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fbf8b22-dd0b-4b64-8272-64e4f35a636f,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2bbdc78-be2b-4485-9383-d2ecf2a3c306,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ffee648-43b3-4019-afb6-04b205a4fe77,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be3432fe-6f55-4513-b141-c7fdc91b6ddb,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e84073d-339e-4d92-93cf-0d466f6529ea,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3a5c0ab-ec85-4217-bfb7-5e367df65e6f,"4/16/2021, 9:30:56.757 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d718c342-0be4-4cc6-a6b3-26a2f2e3051b,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01a9675f-7497-4f30-bd56-ce2c3532708c,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b35c2a8f-71b4-493b-a3e5-170681be55b5,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68cd3806-93af-44cd-92c2-b2e3b43b816c,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,654c5be9-b6f2-487b-9ba5-c3ea7a5ab72e,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c066c4ce-c34b-4c9f-a57d-d14f0de73cec,"4/16/2021, 9:31:03.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,872aa609-c8b9-4c16-a3fb-8e5878e9bbc1,"4/16/2021, 9:31:03.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,44e7610a-2567-444d-a039-b97f8eafe059,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eb989e40-3d9b-4afc-bc18-0cf457ff396d,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dbf35d01-5d83-4c57-aee5-52ee17b3ef32,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,37183ea9-0166-442e-b9e7-1a67047187af,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1d5094b4-d19f-4492-aa4c-7224ccc12c75,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f1e1c408-3c18-4fd1-8ce2-9e9e7f3ae672,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b526773c-c205-412b-856f-da60844c4cf7,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b00f8d3a-d7fd-4af8-b66a-72a6f12294af,"4/16/2021, 9:31:03.067 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,179d6394-15bc-4965-9083-611592d7ee99,"4/16/2021, 9:31:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2e272afc-1e98-490a-b651-ad6db709e655,"4/16/2021, 9:31:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS 
SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,700653ca-5c41-4296-b337-8522e133878f,"4/16/2021, 9:31:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b99b26b7-d448-4370-95a5-c57f204bd674,"4/16/2021, 9:31:09.885 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b3f12141-1382-4c11-8361-fe1dc4f9ea81,"4/16/2021, 9:31:09.885 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c9a85f1-80e3-44aa-b673-2da5f6d8a492,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cb9770c-772b-4c57-a531-f06a42a255a9,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\KEVIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a90ca108-2648-430a-8def-99a64e1b7625,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fed23cc9-36cd-4c24-951b-a4369af2f0ec,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d8cfbda-e98c-4efa-8e60-d3b7c816ce17,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdea8e84-a9bd-4894-bc0c-19258b76b0c3,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c69b3e8-8513-4b1b-a662-0d10c80b329d,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,380dd7fc-2d2d-47b6-9d62-b9279eed9280,"4/16/2021, 9:31:12.764 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9721bfe3-a0cb-41c0-a210-ae198bfdd011,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\GTTSPORTS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44ffbd49-d42f-47ea-9f43-d82bbaccf8af,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cd6fb5a-b94b-47eb-b06b-c6f6a2c1e314,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a9cdda6-00bc-4b1c-b632-434b7f728a84,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7d89c16-fd5e-491e-9243-fb421c2da3bd,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cf0be55-9c33-4897-b8f7-7788e67fd2c0,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f9e47a9-7f8a-4f8d-b8fb-1d1154eeeaab,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75dd716f-ebd0-4bb1-8858-8828dff33afa,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\ORACLE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1def9bb8-3908-4b89-9259-239a45a92e4b,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3479f164-3b9e-41f6-ab8c-c9a78f6558da,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2847ae93-be56-48a9-a38c-81f15235e959,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6e06398-8ae2-466c-850a-00634f354aa4,"4/16/2021, 
9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22819b57-b373-4abb-8cb4-588f84f0b723,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,769acfda-a22d-4985-b94e-6bedce4d378d,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b9791f-e721-4277-8b07-9d871d21333b,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66c2833d-35d7-4e83-bbf7-3e109cf7028d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9c374b3-01f0-46ee-b093-a7be66364614,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12771a9-3d89-4920-b011-78dba77708c2,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0feffd19-1957-4774-b2fe-9d4e8446f1b2,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,349822d7-544a-4729-b934-d43caa72aff9,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,395f5445-d0ed-4d63-b36d-822ba5931ce0,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30193c0f-354e-4996-8324-5a090ca7632d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67234858-5301-414a-943c-46ad46dcfbd4,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c12ec80-3717-477e-b7c6-f8677ff3d53e,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2453ccb9-b589-40b8-8200-51f293dffff9,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac96ff6-f4aa-4fa8-9544-19e8dedd3464,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd91376a-e89b-44af-9538-c9c00405439c,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4896aad3-838e-4bc6-9a12-f832593aa650,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd077f3f-682f-4f6a-9ba5-0aecb299e363,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce715a6e-6d68-42d6-a4c7-2d8dffc43e2d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80dff4d-972e-49a8-ac3d-a3b0a23e286d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d4d9357-8a72-48eb-9148-0ccc8f63ac18,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4d824d-8def-4c1f-825a-5eb6bb591d53,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcd6cfe-84c6-4b2e-9965-aea2883a1b66,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ab828af-5f16-4ed4-8b11-facf444df0dd,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82dcc8c-608c-47ab-80dc-d3ee42fba129,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2f49cfc-5bc8-4c02-9b91-0b1b4bae4231,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\RDP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c79bd74-aa97-49c2-a04b-45b5bc22e64f,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14edbecb-acfb-4090-85a1-37328ca3bf6f,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,428212a3-2595-43d1-9c37-1277047a2c66,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e7c633b5-7c21-4fa6-b20e-cd4e881f1a69,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2716 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a7ace934-1342-4e52-94b9-ae46f5d32bce,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a3bd912-14fb-4553-89c5-0bd691ef2d6a,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,02d8139e-2051-4f4d-aea2-a28afdd4141e,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4076a238-f6de-4a94-b5bc-e04457f51d24,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b82cbea4-3ddd-4989-8750-80c5dac8b70e,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9624 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d1a98f1-f103-44c4-8a9e-e34d50cbec48,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,358e54fa-0966-482c-a3e3-94c83b09a552,"4/16/2021, 9:31:26.645 AM",,,,,,, +\TEST123,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a6baf04d-621b-496a-b489-9307cc9fe0e7,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93bd61b5-9d6d-48db-9eba-9936536439e3,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a01c05c-df64-4551-ba7d-50e56cf72486,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3232acae-05ee-4b20-bc0a-7b00bec3167f,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1ce02923-87a3-4f81-862d-812b4d462d6a,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\TESTING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,15f7a2ad-6564-4dd2-87d6-5a6834f3ed1c,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9df4e6c3-80c2-4746-8e26-d602d46b1096,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c280147-3467-4552-b6da-7822679e7f33,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6120 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,20257f29-e759-4017-8049-595c7070b259,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4416 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0081ca02-2329-4bb5-a517-dc913addc68d,"4/16/2021, 9:31:26.412 AM",,,,,,, +\UTENTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,670e8be6-6deb-42ef-946c-b7db535f3abf,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8cac4724-db67-4513-87c0-80b6c2c1c428,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb1d3728-2a04-4cc9-8171-b93b257abab6,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e6a9ee6c-da47-4de0-ad61-5b3f8b29ac79,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6272 + 52 + %OSDRIVE%\WINDOWSAZURE\PACKAGES\COLLECTGUESTLOGS.EXE + 32 + 9CBE23B245E1ED128DF262318D623E57C98A79AFDD407B13BD8A2C82CA79796E + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 45 + C:\WindowsAzure\Packages\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5720bd6d-0f39-4338-b95f-6fa7c2cb4007,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1100 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6cc340e-65ca-449f-827f-fbc097a026cc,"4/16/2021, 9:31:26.412 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4c46fc24-abc9-4baa-bdec-3867b801da8c,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\ITADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dcb3ac47-b6fc-4afd-84fd-c37b382e92db,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c69f2699-8427-4cd9-838b-1d146f267ff5,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e82e235-eaa8-48c3-b576-51f39f8146fa,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6492 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\Windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76a8979e-b57a-4d69-b465-7c184ec582ba,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9658e76-d14c-4643-ba64-df9b6d3b3138,"4/16/2021, 9:31:26.412 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aae07ce-d0ca-4616-a8f5-bcb88e6e9235,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05e74777-390c-4eab-a7c8-29e4e9780f25,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,053163a0-dbcb-43d3-b912-52857c35b499,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f1d4b27-1aea-49e0-a61a-b2dd22030270,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a812768f-ef30-4664-b99f-090b3cd23215,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b9cb1fb-6693-407a-ac7c-a40f616b26ff,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ce057e-bf02-4818-9260-06a39bf8d7b9,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c4ecc85-0a16-4095-9c8a-f5916762412f,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e687b0ec-0667-4b90-b604-d1fef2236ce3,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,414aba70-74b4-4ae8-8f09-8539cfda70ae,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff54fd5a-780e-4568-9946-4a0f682d41fe,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39c27efb-e561-4abd-ad36-2972ffe6dbfb,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff95fe4f-a55a-4162-83c6-75e761346b27,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc79af41-9222-433d-8202-a316636f565e,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db730485-0594-4a6b-9e6d-accbecc6f066,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b1b260c-a31d-4b06-813f-7d39426d8809,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffee8c2d-e4b8-4e87-b5a7-ad03a04e6701,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46eaf6c6-72d2-4ae2-be85-42a9dce3fdc7,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d6c525b-f1c4-4d6e-a1b8-0eaab4c8fd8a,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd929390-b676-4945-ad98-f16b67f40907,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1482d49-bffb-4092-b0c2-165198de4b4a,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c593a2-3bae-40a2-a811-eac8c25c2f38,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7092e5bc-ab33-4a13-a316-851e46f4d75b,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3f0080e-05de-44a3-afca-2c183b66d189,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffee5728-c0cb-4918-a076-6ca17f58e5db,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2cd2e9b-68a2-45c8-b933-0fdbae616672,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a314589d-a616-4697-aa22-f2995f9e169c,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37cfa15f-c380-4fdc-8985-ad5b69f498c4,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6d3baf5-086a-42d3-9fd7-2e839bade2c6,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9f519b-f864-44ef-b374-3ec85f239f46,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2415496-c75d-4cce-bc46-466646c50aa4,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\MEDIA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e28250b-1587-486f-971b-b0f31e52ae59,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f69f862a-7b78-4d34-91c7-77c72854f908,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\LIMITED,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51c1a619-b410-4829-bca7-ac30d1fe21d6,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03099462-749e-4605-88f8-825fda0cbf32,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50858b80-5af1-499d-ba93-de1c0c06dafd,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bc2dca6-f567-4cc4-b134-8862c1ef03b1,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ee21436-384f-4e2d-926e-b752e1299e44,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f291c49-4578-4aed-9c89-126eaf25cccc,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67265a94-69b8-4b75-8b39-8ea3d382ecc9,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a142ec8-2f80-4fce-8fec-9fcc8fdc5412,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2027afc6-84c9-44b9-97bb-fbfb9256ffbb,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7fdb435-6217-4a15-a985-80ff0a14d292,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41601a5b-0108-472f-9afb-7b2a8f2da4d3,"4/16/2021, 
9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d982e6e-d84c-483c-b1e6-d55faa982442,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94c6e589-e2a3-43e4-bac6-24a137804f06,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,533459f3-f4be-490a-a29b-2bc4a30dbe8e,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e0483df-14c4-4fd2-ab3b-8b1bd12667d8,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ae2262c-9382-4d21-9b99-870a6568aaf1,"4/16/2021, 9:31:36.088 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9ad18c12-d9e5-4601-acff-f1b9cf71d156,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23ace130-6a81-4bad-9dcf-42cd7cf2e75e,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cca907c0-2c56-4a9d-ba94-79f2dab70c28,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4b71a63d-09f8-4b62-8cc2-47cda5ae7dee,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9962c5e2-e5c2-4c09-8b73-9874d8c74dc3,"4/16/2021, 9:31:36.088 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d7ed01-0f08-45f6-8076-e57299505d0e,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b16206-e8db-472b-9466-59546d7cf60d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04e74070-26db-40db-919d-0f5adbf40d03,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5135715-b11d-49f7-a5ee-09285f0eaec1,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,bebc92d9-e0d9-43c6-9b38-9bed855b8831,"4/16/2021, 9:31:38.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d5534a0-131a-4edd-ba33-eb0f453924a4,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f3a6d9d-67b1-4d83-a1da-50d79fbbae17,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c95c3aae-f4e7-4c6d-883d-bee4ed8bf5b1,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,243a5e2d-9457-4813-ad29-195e8859ca1b,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cae96ae-f74e-4471-a31c-2ed91dd80e3d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94aaef22-1693-4237-9f33-dfe41d7fe94d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9302b28-66dc-4cf6-824d-c4b2e301bff1,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,012f2c74-7c93-403f-9fe9-58f8c9bb71a9,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9688911a-214d-4867-982a-f711251d7dd0,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,771b64c6-5bf8-4d73-9809-305ac710e29d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,304aa6dd-adad-4165-9658-704b85715400,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19637028-8373-4545-8982-d9c780784343,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f29777a-31e8-43ed-a3bc-ba30c922a103,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd1376b8-60f6-4c3f-bba7-fd9c84096e23,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b5b6366-bc74-4ae7-8709-05ec7cdd5516,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3319f2-7741-440c-b78a-486692e388b9,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,282ed092-7563-40a6-97ac-7bb751f53d2a,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc9b6f40-9368-4c39-adfc-33c89b492ba9,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,409941d1-0df4-4602-9c91-b4e912a2ab4f,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f6c58ef-fdad-4c23-b9f3-047fd6fdee4e,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ac6c500-4e1f-45d3-a357-32ceba3c2764,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\OPERATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b218cfa-ece0-43dc-97e2-26b646275ac9,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5a2980d-29dc-40f3-8cbe-04ea36435479,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52fce6e9-accc-4c49-8f31-5fb339628f52,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93f294a7-882e-42d7-aaa2-53a065dc3c56,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,796f273b-cfe8-478a-a86e-c70167335710,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\XJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8efd5a3-566a-44cf-bfce-04c45c2672ab,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d89f6899-b6cd-4116-ab56-58def68b1591,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88d61b54-84a1-42ef-8f07-7741fc8491f7,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9293eb35-7edc-401b-9674-7b0c4d82104f,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55f2463e-dacb-4e72-b680-aad02cbfabeb,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,685a993f-2a40-417f-855a-72d1f926af72,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027ce62d-e630-4978-a89d-f82f059ed349,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c84b505c-b590-4018-8a75-ce582726e2d4,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed016ea0-42f0-42b2-ae65-195124d0ade5,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, 
+\HP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1469932-ea9d-4edc-ad26-b48ae4a82330,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10a35ec9-bdb1-48cd-b1ce-cc351e8cef44,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8a7dc71-c4b5-4679-9082-22bbcdc0613a,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0971eae-873e-4436-8cfe-49433d2e0eb1,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7429ecb5-fc37-4a1b-9f47-63885130034f,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a00147f-3186-4203-bce6-82c460fcad7c,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,699012d7-082c-4afa-8880-733a92e89743,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71f30dc6-7248-4cc9-bc7d-82f512584a6a,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a90ee6-1c1b-4c73-8d14-8943ef70cf6d,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a58cc38d-35e6-4e4d-9ac1-e84a3e7621e3,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b7a5eb0-eb01-4172-b6a3-495508113118,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd8bb1cd-79ec-4a93-a65f-49e98e77988c,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3db4c08-1fb0-49c5-a1ea-8afce12ce198,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89150223-8a95-4f0c-b1f7-2ff9ea4c850d,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0457e3c0-bc90-4456-828d-35b2e7a3f38a,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f757e955-da76-4620-b95b-5ceb0bbbffd3,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d97869d-7a64-4dcd-8c0f-eac581f82d35,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b50bdc8-5293-4caf-9e44-0723b0cf347c,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38d4d35-8989-4e72-a174-5deddaf4c656,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d57a27cc-0407-44db-bb66-90038c4ea2da,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03e20a0-363d-403a-8a39-8a42ddb7b73a,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a422087-ab7d-44fd-9bb4-c10938ec7214,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84a2dc0f-73c6-4fbb-ae9b-55c9af5768b2,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a807a0ba-2832-4901-9217-8cf5c14b65aa,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7786edf9-6aa1-46ca-9711-d2ea79f29b5e,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80dce79-f4a0-4497-9084-af5c644c2e45,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,085f5875-6e4a-4c92-b86f-3a330559389f,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d702831-40e7-49e7-8ec7-ffa015cbf5e7,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2252 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0a4d5011-15e5-466a-a74f-e54c6b1174dd,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) 
+ S-1-5-18 + 3308 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b1ce6773-3231-4ad7-a66e-a8253965e529,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b194c271-9885-4283-a90a-4cef7bc0ccd6,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf43b7e0-eea9-402a-a105-624c718d2dbf,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ce2a5b88-696d-414b-8049-c59b27e4cf0e,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b358ebe0-e900-44f2-9ba6-52b5e31a40eb,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 
31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6e566e19-b073-4eb9-9c32-a7ab3035ff98,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6168 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b2614903-c470-45e0-bd0d-83d187cb4507,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,96d12a17-8551-424b-9f66-bf4431d84a53,"4/16/2021, 9:31:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,36d5d3f2-8e4c-4b2f-9934-9859529fee3d,"4/16/2021, 9:31:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,72c3a317-6368-431d-99a9-7625d39bf4b6,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5816 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,147dd9ad-cbf0-43a1-b603-8aba41bc696a,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8784 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8b6e4198-e220-4f3a-a15b-1f6f607ce779,"4/16/2021, 9:31:50.276 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,452a38e4-78b1-4ef8-bf11-3914595bea64,"4/16/2021, 9:31:50.276 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf09aa68-65d3-4061-bbd3-3a40763efa4f,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,583b26a9-e5f1-4020-9253-b5bbf44e39b0,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dabdc879-dc1c-478b-a20c-c42276df7f0a,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaff4f30-44a0-43c5-b848-fb922cb7d808,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07cb6cf0-e5bc-4570-99ad-8c04fc8b1b6e,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,911e9804-7fd7-4391-a02a-58bf055c9889,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,082500ae-b2a8-450e-9a34-8757fd43f486,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d53b718d-a71f-4914-af28-5463569b3633,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc4c2d49-879d-4e67-bb49-78da2548dce2,"4/16/2021, 
9:31:59.765 AM",,,,,NTLM,, +\ANGELA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45e94b44-8daa-462b-834a-ed057880b222,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5918d22f-c458-4a7c-963d-2b2948970c2e,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3bb7d34-62a4-49e1-a64d-c035367ea473,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89bf7664-fe83-4e7d-9a34-ecda350b235b,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07c1959a-d0b6-42f6-98ce-2a2ec1d66a3e,"4/16/2021, 9:31:59.765 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e4e3366-b981-4251-8b67-2795085b437c,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba31972e-0d93-4444-8225-7efa406e5f9d,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8a8c1ae-b148-40b5-81a2-f42383e068f1,"4/16/2021, 9:31:59.765 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b32b577-239f-4735-9f5a-7ac70a9ac982,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e52f8ff1-4522-4954-84ad-71e098c56b39,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdee2413-29dd-4b68-b4a3-3ce009c5eb6f,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bf3940c-6964-4ab2-b3ac-4d8530a7498f,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5297e9e-142e-4f9f-b419-42bff5643327,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15624397-722b-48e5-9045-b34e5f648fd9,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef5c35c-2e74-42af-8e5d-aaa485fc2d40,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,478690a4-1c96-4e6f-aac0-54f295450f6f,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66f81ef0-5db8-43b7-b811-5d54e37d3e1a,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98d0bf38-08fe-4ba9-ba5f-369e39aac48a,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c552627-238e-46c4-b6d7-06b2197d24fd,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,598162a3-0b51-4697-a3be-aed4f7a20bb5,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78a8978d-986a-46ad-b715-eda1c05309d0,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c44ef16-6a0f-44fe-a8e3-cb7005a445eb,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,482a7cc0-a18d-4fca-a79e-e99122400caa,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c15fe5e-7eee-4283-a472-ff5cf390eb76,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5628bcf2-264a-49e7-8348-338a508b1d58,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\AAA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da2e6189-154f-498a-a33d-dcc987fc52ef,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1951652-afba-4dcf-a256-604dfe2210c4,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe570712-7c6b-42a1-973f-23432ba13f6e,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d03b33f-b326-4ea8-83bf-b72636f380df,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c4d4b9f-27e3-4bea-859c-91433f9e252e,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,523bd884-93b7-4346-afbc-aedc1fc92da1,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a2c7a9-c905-42ad-b560-ee696e42b781,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37a78591-2eea-4b5b-8c3a-70363b298028,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15faef56-ec1f-423d-bec9-b46d5089204c,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea314fb6-c598-4f20-b144-43c795d89faa,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b209976-cf96-45a4-a635-1cec756b96c4,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a9c0922-bccf-4011-9417-b86faf2b3867,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9684 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4b6c3b6c-e478-4785-8080-9684d26f80e6,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15216 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,65bebe03-0280-4f81-8b64-9d9e1dca7181,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7276 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,353078e6-3b1d-4fe2-958d-cb42933ddfcd,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e1a6e82f-e99c-4f0c-af03-aa8c65d78952,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4612 + 93 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\330\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 95 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\330\pmfexe.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,de77105d-e114-4c67-b02f-e6953138400e,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5124 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a5073e4f-03d3-434b-b585-c5bfc6ff0424,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e2097b30-1439-4af0-abb4-d44ed4449119,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8ed6fd98-7ed5-4829-894e-0641ab13e183,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4660 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,18e9e419-207a-46a2-9709-4aed40124df2,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 484 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,352fc978-4317-480e-b0ea-94aaf31e8e85,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5740 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,06fda63e-2dc9-438b-904a-ebdcf78b3d1a,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3680 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,54355f9b-83e6-4efe-8c98-9afdb2e505d7,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3692 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,478c33aa-c3c2-41a9-b22b-8bc2f06ee74a,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f779de95-3363-47bc-9a4a-72fbb8e10156,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,be70600b-4173-49c6-9223-7058e77a7ca4,"4/16/2021, 9:32:05.896 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ca2e9e35-172c-4cf3-a450-1f7efb1bc08e,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cf25fca0-5fd0-482b-8130-134a8a2f6742,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1e46e04-e664-4d3f-9563-cc59ebfb66bc,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,805484fe-cc9e-4e8c-a335-1bfa807ee256,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7a78c1f5-7647-4f91-91e1-c7ee9802c382,"4/16/2021, 9:32:05.896 AM",,,,,,, 
+,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9f70b9ee-04fe-4997-9e5b-a2b11d1c174a,"4/16/2021, 9:32:05.896 AM",,,,,,, +\CAMERAS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a9fd30a-ae63-4e57-b484-a065e51d7fce,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83fe7795-c26f-4ed9-9188-a39ece08a304,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\PONTO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3ead00cf-9863-40b3-adba-2ade1821c284,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\RDP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca46196a-060e-4d7c-9985-2643f00519d1,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\SANDRA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d72b5fb0-0d73-4d60-b085-7fab6c462e3c,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3a8c1d4b-b8f2-49e1-ab7f-63d89c6c3372,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\VIDEO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,821da723-ff73-483c-a090-7ae3763f1d11,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,dfb0b7c0-a474-456c-865d-97e03aeb3370,"4/16/2021, 9:32:08.281 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,1935b4c9-a52d-411f-825b-28096773137b,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dfe1e703-838a-4fa3-8737-f6bdff67ecf6,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0e5a4eb7-1a44-4bfa-8a8a-c6123f5865f1,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0450c75a-404b-44fd-919f-76051448f127,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,68f5b5c6-b75e-45eb-b0a8-d474e5507a43,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bc7f9136-f00a-4b42-b560-8668a109f8fd,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,afd7a040-c670-414c-85b2-bc7234a9a30f,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d54eb91-ae86-4123-a501-59366e4127bc,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,796b7d9a-098d-40d9-a3c3-b3741f69c22a,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,54843e01-f736-4c58-bd24-f138fc39bf6d,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 31876 + 2021-04-14T16:00:03.789305300Z + Microsoft Software Key Storage Provider + UNKNOWN + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\bb1a46eca1f0af0f21a0f9b0c8a6d6b7_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7b6b16d-2c35-4844-9441-704c1d8074c1,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ff4177d1-5886-4d79-a9d1-6909c08055ba,"4/16/2021, 9:32:08.281 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 31876 + 2021-04-14T16:00:03.789305300Z + Microsoft Software Key Storage Provider + RSA + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7649283a-f819-4dcf-9f13-ab91ed0db273,"4/16/2021, 9:32:08.281 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 31876 + 
2021-04-14T16:00:03.789305300Z + Microsoft Software Key Storage Provider + RSA + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4a1c0f92-b57a-4502-8ff8-7f4b3eb8b9a9,"4/16/2021, 9:32:08.281 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e30f133-4776-4a7d-8ee9-2492a10d2e70,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8affea-4a80-4180-80f9-cd481e32d930,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de62bdb4-3d2f-44e2-98cf-4aa08ea3f5fe,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f0cfb95-aaee-4bcf-976e-2791894e72ed,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04007b75-a668-48be-b491-bfc7129c3b03,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f42abe27-02e7-4c90-a452-5e035cd67b81,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4ee270e-55ef-4678-a6bf-9c0756fc16a1,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c04f15a-1496-48a1-9d9f-e40b455fd246,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e641d48-8ff7-403d-9229-b8e3a14b6ee8,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dd28e8d-4191-4151-87f8-4aa908257850,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033f55e7-4f1e-45aa-b591-e3d2cbe2ad9f,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9eae227d-6904-4c2a-abb2-2a499ecac3cd,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba6e268-c06f-4968-addd-afb88572230c,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98453a0d-40db-46de-aedd-803a92156668,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26d1b5b0-1323-4b9e-8f9a-00b5b43927b5,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402541a8-688c-49e6-b70e-b520be3dbacd,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3bc20dc-f2fe-4aad-8b0d-2b5aa1a253d6,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e845e757-f74d-4d9a-95c5-cca374dff87e,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4d2b9f2-b2f5-42f0-8400-ff10922f1ad9,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac45b385-933c-4243-aeb0-df813e277dd5,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed65a2bf-d9d3-4740-9e25-81a6f3098682,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8164ce3-9f04-4b23-89b8-e6bcd3f73afd,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b812219-f87b-4a2e-8f55-89ed5e837f26,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6b1fc11-674e-4cb7-9610-d3a59ce6c351,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd73d2b4-d5f4-4e7b-8d11-61780bb7ecd2,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe4e5814-16f2-437b-b130-83d97ab7f492,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3870942-a9b4-4f3e-9596-d91a6a3dca70,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dd65595-2bca-4eb4-9723-c181785ff3d7,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ROOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8206465d-8abc-49ac-a4c0-0ccb1070279b,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f347b737-366e-492f-89fb-2318ef637838,"4/16/2021, 9:32:14.753 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d380249f-bc56-4dd1-bfed-dc83ebdf3205,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e6c095a-c91f-4374-a895-1779b80aab53,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\TJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d354b25-94d8-41b0-b09e-7a07aa5b92bb,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcd3905e-4156-48dd-b7f4-a6d7fd482408,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05ab1555-267c-4e1d-a72a-93688cdf5341,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,827e4a6a-820d-4d3c-a273-63041dcbb87f,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7bcddc0-b16c-44cb-b325-52edc89099c1,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,019e986c-da8c-4c5d-868a-5bf1a4afd7b6,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd31e2ad-376d-4b03-9e77-48a410915d77,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,068edccb-ae4e-4c1a-a515-17696e469979,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67768644-d89e-4b7a-8608-f1c982173146,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1036d21b-80c7-4964-81c8-b9b14a86d80e,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd1aa0ff-ffdd-4c41-9f50-3b9bf99b4c4b,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6dc2273-45fb-4d44-a01b-bc677bdfb4fd,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ACCOUNTING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5db7e4a-dee9-4054-80c4-94881d0ade4a,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1f063f2-ea4a-48d0-a9a0-fd6e7980f86f,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42081583-a072-4314-aae0-bbc0b0267b73,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0bdce1b-60d2-46d1-a15d-44598fef6a58,"4/16/2021, 
9:32:14.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96046fab-5f6d-4a9b-917e-c8543daad79d,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a75eb1a-6eb6-4209-9af6-9a99f65ac2f2,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75030502-2d40-4d88-a98e-ca36aa555cd2,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,581ab9c2-40ee-4a85-87d8-b163e91bf879,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c70914f7-6dea-455f-9a72-a882129aed1e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d86bfb-e447-4459-b3cc-3e439efe83ee,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,984218fa-15d4-4afe-8eda-048309adf24a,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b50b4034-0063-4b44-916e-8ac8fc412915,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97dd1cac-38e7-4012-886e-7a29fe64b8c1,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e3a93fa-7fcd-461f-ae5b-baacd270efaf,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a16364c-dc34-4dcd-b89b-4f8b012b0d53,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b01527ed-3181-4d76-851b-466d3d4ed0c7,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,995402f9-8a04-488a-ba1b-2138bc8f7fb3,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,691a2178-6419-4793-b5fb-d47c3b367134,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e067ac8a-959a-4d44-a6a2-a4c9cf89f80e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,549980b7-a133-4bef-8b42-8a9928f5a7bc,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ce3f06c-4494-4e82-be07-b08f6009611d,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eb31824-f45d-4471-b354-4e9369e76af8,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,914bb242-1c28-477e-a431-e82194ccd90b,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0e0939-20b3-49d1-9559-f1a952d50c2e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e0f73dd-45f7-4b6a-902b-cdf341f7ab9d,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2b65802-2421-4f87-857a-8711637b7ed5,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a76b79b-c447-4431-b95b-224d34cba9c1,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e1877b-9187-4394-bcc4-bf141cf35484,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3b8bf4-d9da-44cc-bcc9-ffd72fba9a5e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,75f9e12f-ef3a-4dfd-a21b-9ade338f052c,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10592 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0fb417f8-0269-41f1-9b41-39c628f32daa,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6920 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1f091ddc-5a5a-44b7-bb8b-0e82b96f89ee,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11088 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,663c0bf8-21d3-4e28-bb01-7e679a2f2094,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7912 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a971b169-07dc-493e-99cf-e42fe1579f5a,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3084 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,630f0f8b-ab48-452e-97d6-be68e1e882b8,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a393ea3b-28a4-4e9c-aa4f-f426e644c02e,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,765f9f9b-c880-4e39-bea0-648e5e445875,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,34742d31-84bf-4988-a0be-2b3eaf22ae33,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1bdc30a9-8765-4879-be35-424916f8189f,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f9e66245-2f4f-4d0c-a63d-ee7d038b0551,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b751d72-b208-4e2d-9e31-ceda01b3a21d,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,fd665dbc-c674-4e1f-8ede-c978fb219610,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3902d68f-c896-4a73-a40f-96f1e7b83819,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b61b7fbb-8f97-40ee-aadd-b781020be008,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed52f7b0-c8d3-4d7a-818b-14e431559278,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5b97b0d0-ab8f-4684-963b-49a9bc5decca,"4/16/2021, 
9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a9f8d7d-5c8e-48bf-a231-d24b96262102,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb4dc4ff-785c-43b7-911b-23634a7f397e,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2681ccb2-241d-443c-9ac2-38b101fc9c2f,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9260ccd3-4fdb-45f6-910f-a76544b82b95,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,03f31966-2475-4896-bd57-2422ff9ab79e,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of 
{__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5a3e3cad-cc1f-4d6a-90c4-b236fc9bdb8d,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1de8f97b-12f7-4867-bc6b-700606ff2dbd,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4335e9c-c56d-42f7-86a1-8041583d45d3,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8225c970-16dd-4d9c-9b17-97cdeca43e1c,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4783961b-4225-485d-b27e-a1f17bb4bc40,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,fdd71513-c393-4e79-9762-fb8503ae482c,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d20100ca-a316-4ae5-a165-00c5a28e6dd5,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ac5d8e5-69e9-49f6-ad18-2518b6155bd7,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4afba10e-a4cd-4d83-8eee-fc93f7bb1f88,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b358485c-fe63-4bd2-91d0-a14bafca938d,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,37cb0045-d242-4e5f-8827-031cf3f6b076,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,bdbb81c3-505f-4fd6-9ed2-0fe7396c2ad8,"4/16/2021, 9:32:21.655 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,968de064-b83c-4f49-8fba-78fc00321f52,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6457d3f2-9f47-4aa9-8d0e-8f263cc59dbc,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fcfcda53-49d5-495f-8ba0-a3b9a8a9fedc,"4/16/2021, 9:32:21.655 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14d5ebc5-0309-49fc-a3ed-c9a299d3b165,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a86cf592-d1d8-4d25-a276-4d87097b5754,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd86b90d-f3db-44aa-ac29-bba8951a887d,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66d63505-3ceb-474a-8910-7133cfaa82a4,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10ad5087-f626-44a5-8a02-507bb210b272,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7140eab-333f-4db8-bbc4-62dfc3e6db79,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe49cea2-a01d-4fac-a913-faa69da1e6f1,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de5748f-23bd-4481-aefa-31ff6561f60e,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2954b0eb-e53f-4d1c-9fc9-6202656b39df,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4e927c6-e5eb-4203-98b9-bdaa5a930321,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96fbce07-ada5-48bc-bcde-66d70ead3db2,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b70acc38-aebc-477f-9a9f-eb4c0e2f5606,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a48e551f-52b2-4bf0-a7d8-b6724e477b7b,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a069020a-eb2b-4a2f-8205-59c999509c00,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,562e7ef7-0703-4d74-8ea9-456b769ddd84,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22c014cc-3010-4fa3-b366-4fe32a706b76,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4ef70fb-e849-43f0-aef2-95ade9219b77,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2731be7-2c38-4a20-abad-fadfac4122ce,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5135f2-bdb8-45c9-b63c-53ae967d4676,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed0cfbc8-cb01-4275-b2f9-81dbfbec0be6,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77a88899-c102-4740-8871-c92840aea211,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,875d5ab2-9b6d-4c55-afb8-0c803bfcee17,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5daf8cf9-2dda-422e-b207-4cd2dbdb8db4,"4/16/2021, 
9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2d3c732-e219-4a06-9081-3ed417176e8f,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b985337-491f-48c9-a268-a612e2bcf34e,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb58969b-8b46-44b1-90d1-3440e59e0976,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6979c82f-3d10-4757-aee4-046fadfbd81e,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e288fef-32df-4e04-8046-506ff39ffd9d,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a92c4791-0c44-41fe-8f5c-6b0bb8ce3fe2,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\MARK,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b7b1f28-5421-4c2c-bcb4-5233ce4dd291,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1d8239b-c75c-41ab-b381-663a2287cc09,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,533e35d6-657e-4bc5-b082-76663a502257,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,061a31e3-e3d7-42d5-9a54-6d9036a49b7a,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f24950c2-e818-4906-992d-6a3c2d4e8856,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,400f5166-c36b-42c2-8d27-0af0168964f7,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,150f1ca7-430e-43d1-ae83-50e39f7fe6b4,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc1034e4-1d27-4a10-8464-f711832e261d,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2362c07e-91cc-4c2e-a9a5-fcbf2a63f4d8,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cda6327-ef0d-48a3-89f6-6a052907865b,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d0ff7cb-c3a4-4270-be4a-9e7b2d10740f,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53edc279-cd46-4047-bb5b-39f557d529b8,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e368ba79-03d8-4109-9fc9-4a20f4f7f660,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b309c9f1-e565-40f7-bdc7-f8a57006ccf3,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d85ce31-10cd-48a6-844d-d6e3a125c163,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7f91311-18e3-47c5-9dab-6a824de150f4,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c07ba830-7636-4205-8922-10f92a21e9a5,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff4fe25-d011-4f6c-8c70-6bb475144722,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92e4c19f-041a-4037-a1dc-f0d933d4bc80,"4/16/2021, 
9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26bc71dc-ba2a-456e-bed7-cf6ac5a50a02,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca7d4d6-6907-4808-9be7-699861a7e571,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,749744ca-ad3d-418d-a253-0fce3bc2a9f6,"4/16/2021, 9:32:38.145 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d548d1bc-efdb-4b63-a595-5e316d4499e9,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,423b94a4-20c9-486a-b020-326b874f1029,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0a8c363-274f-4cf9-88d1-f779d7fe7a24,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b67ed26c-73ea-400b-8086-09be6bade4c3,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,661f1330-bca7-461d-8057-4e89532d9d5f,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a76d209a-acbc-427e-8ded-3634a21745e8,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aae14c0-7842-4f6a-ab30-5529df08b925,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93498e8c-f12c-41fd-8581-8c49691dff05,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f84802d-1a0b-42cb-95de-7d04d92e9af0,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,046e0ebe-b739-44dc-bb82-f64ab4112ee3,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061967bc-79be-4fce-ad79-5042652ca83d,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7053a8c7-16b2-4f39-a4bd-4ff91bc20e69,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e06e125c-8cb9-4b2b-97f8-5dc3501d23dc,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,793b5d61-1655-4c76-a2e2-d4e43c981083,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa0d4962-81cf-4127-9c0e-18946d07d359,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a89a79a-a721-4a4c-a189-5e20cb39af89,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8febd5c-3845-4903-8fa0-3bc928295ad0,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6fc4c2-7542-47d9-b891-abecc649e5c5,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6941f787-9dbb-47a1-9e07-3777196aa731,"4/16/2021, 9:32:41.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ab133d0-fd42-4743-8a84-bb806bf2f7b4,"4/16/2021, 9:32:41.413 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12feccd4-8edb-404a-8bfa-861974eb2c66,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7868 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7640a5b1-f492-4481-81b1-74d4ce9d1462,"4/16/2021, 9:32:41.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a63f49b5-b61b-4439-b9e9-1786a0b9ec84,"4/16/2021, 9:32:41.413 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e4e9bd29-b661-468d-8e0f-593807fa2c28,"4/16/2021, 9:32:41.413 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4655114a-e2b9-425c-bb3d-580d5666050c,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\PC1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c843f36-84db-4aa1-a4b6-c7778823e7e2,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\TUSER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95b74469-7b50-4699-a218-963d58b74b13,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,276b690a-50f3-458a-8e0c-1ece9e541a53,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\OBQ,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6369cf4b-3703-42b6-9d15-6578e11a8c48,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\PRAKTIKANT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0add7c9b-842e-4e83-973b-e85aed5168de,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,29a7ad55-cfcd-474e-a4db-a9fb68c35100,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,572ddcde-f201-4398-8f24-bcea92cf2a7c,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d548b0c5-c947-40b9-974b-e91903f8aaf9,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5bc2ee50-1819-4974-945a-6cf6e4c39f4a,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,707bf8cb-1768-407c-85a9-3bf028097e2e,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5411df3d-1a9f-443b-b720-60d659a46b1f,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 
0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13a08ff6-cca2-4620-a29f-f7456f34415c,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d7a1546-3557-4f89-aebc-2cf4738a1cd8,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,1c5bcdb9-f151-4b20-8d51-db684f6b6a72,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,32492ec3-3092-4322-890d-4326db7787ee,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cc26750c-0bc7-41cb-8ec6-c68f5a4e2efd,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c685d2d7-1455-4f82-8ac1-44371982930b,"4/16/2021, 9:32:43.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c39015aa-fe85-4250-b662-16afa54cdb8a,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e15d3a42-92c5-4597-84ea-7de1d10d010e,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,858b2e9b-e33b-4c92-9564-038ff43890f9,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb44c996-f4b8-4321-a9b7-ec88df56d53a,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86ddd888-46bb-4555-90a9-cb401cc16122,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35e5764f-dc12-4686-b073-65adac5b7939,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd63e633-9aba-4aca-86ef-ec0d2add5dd8,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a8ff79d-0b6d-4b70-95ac-dc53d09cf6af,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c654224b-80bd-4581-b963-a7591a574bfa,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca152ebc-106a-4ef9-8ffb-7209d9bf3d59,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,807b5781-ecd0-4a65-b97c-d4eed09fbec9,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,655e41c9-34c9-4fd2-b3a0-32a179176b8c,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c25f20b4-d135-458e-bb29-aaaafd7d24f0,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9818aaa6-c827-4b67-8c2e-18ac29b81af9,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9cb65fc-45fc-45b4-a9ea-c491142678d0,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,913f7154-319d-4c74-bd7d-c4031a95cf1f,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea69c435-49ac-40fe-a0af-00406d85cd04,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c082fa1-9c84-4bdf-ad3b-2d969dfb3da3,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6901d7c-73f2-4698-b69e-6aa2af30a2c2,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bd25b36-6563-4ef3-a0fc-b8b53cbc1620,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\TEST1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e6cef6-5e06-497d-94eb-6328e4862152,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5435434-32c5-4ffb-843d-2e28e9738464,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3070704-7ae7-4ca7-8732-2cc59c773231,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdbff877-184e-4e6f-b6a2-9cecb2c29c12,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5ebe68b-aa60-4dbe-bb9d-4139649d0e42,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,098a4ad6-b4d6-493c-9835-39d94dc984e6,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12296 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,56d1f7a3-c44e-42f2-9f33-0c876a17712d,"4/16/2021, 9:32:49.306 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,54761803-f894-4752-b579-ee33fee1ef9b,"4/16/2021, 9:32:49.306 AM",,,,,,, +\SMART,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf08a702-36de-4140-b6d3-f90554e78e9f,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,547c2049-7503-4832-aac3-b145aab10271,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fb9719f-222e-45a5-be2a-0a6ac69dc48e,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46fde760-00dd-461e-bf6e-efe2d66abdc6,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2745c0cd-6cc3-44b0-962a-ae7f0a0dfdf1,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dc24c40-b449-4601-ba48-28eedbcd7f77,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5e04ca6-5375-4363-a85f-77bb9f52c4b1,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b87fe8a0-21e2-4692-a251-2fa42d3f1470,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc48e10e-6089-4de7-9712-3c86c1900007,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfec6632-22da-44a2-9af8-71e1b12cefb5,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6e37437-a2e7-4085-89aa-68c016015237,"4/16/2021, 9:32:48.796 
AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fb0a436-1b9e-478d-8b85-9c1d92eb15b9,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8915e87-4fb0-422c-b1f7-5b7cb952ee91,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d02b52d1-7014-42c9-99a2-d61790e73867,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\SCANUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30dd0292-1470-4e2c-a016-e7f62610bf67,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd141d91-2333-4b72-919a-f7f6648faaa6,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17731223-aa27-42c8-82c3-d6261e1842a5,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6edc385f-9e2b-440d-ba92-bc86a889d8d0,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,425a72f5-5bc7-4c2f-b186-c758c0e999c9,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d011ad8-c00f-4a96-9620-0195c2750c3a,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\STUDENT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0819979a-9602-4d66-a919-64b1bcd32141,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2f8be24-7978-4855-b69d-312200d8bb58,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6528 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1041abd1-14c2-45f3-9c84-eb4b1bd413a0,"4/16/2021, 9:32:52.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A 
process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ffd4aca2-880d-421b-9188-6168d6031957,"4/16/2021, 9:32:52.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b9983c65-7beb-4be9-82b8-20822a0bf53e,"4/16/2021, 9:32:52.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,509fd3e0-8638-415f-b0d0-8c18ffdcdb22,"4/16/2021, 9:32:52.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1550df7c-cccc-413b-805d-6d4b1010dd45,"4/16/2021, 9:32:52.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d3e9e951-361b-4d13-b2ec-3eac26ee1e3d,"4/16/2021, 9:32:52.725 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da39c4e9-1014-4b3a-869f-1598b03c61c8,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f21d35-ca73-484f-bafd-9f8070c62152,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51603d9d-5dbe-47ad-9af4-31efbc9de9cf,"4/16/2021, 
9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,107a9d13-93d5-4c2b-89c0-cd76b333b031,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,548263c5-29dd-403d-b821-61c494c566eb,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b2a09ca-e4f1-4c36-98ac-d4ec9363cdab,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6416e985-2494-42d3-a901-f826c599cb61,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8913bff2-b048-4122-8e75-aa33fba180f9,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e70a8de5-0cac-4167-a566-75e632e14da3,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd526693-56b7-444d-bc06-c3c518f930d4,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2907053c-52b8-4f5b-a6e8-e2b735d82e1a,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, 
+\CAO1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7663dbeb-0f56-484f-afb5-ce56bff34b63,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b397c615-4e64-4aac-944d-65668825dec5,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42f18832-9b6e-4087-80e4-d6421e921276,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419c751e-f332-4593-84ba-01ca77867489,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99429c33-909c-4445-82aa-a02635552b86,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3511587e-934e-4a32-96c2-492dc8460637,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\XJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44d61dbf-303c-4582-a9a9-d2ef8877227a,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59331540-8677-499a-b3a9-ba332ae9334d,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0f06be9-076d-417d-afa5-70630c2b12ac,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d5c96a-3c50-4549-9f9f-246a0390559c,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7494eea5-2d44-438d-990b-f6dd4868bbf0,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,975c13da-9de9-4d30-aecb-969894366cda,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46ab8fca-4cb7-4238-93ee-db8cc9f46081,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d28b14e-331b-47c6-89b4-a8281534331e,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5feaba14-cc03-44d6-a506-57524deb83ad,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5280 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5e05ed18-ca52-4724-b8bc-d90035146c3d,"4/16/2021, 9:32:57.019 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12872 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7f1e239f-d93b-4df4-afa2-dfa46d472a34,"4/16/2021, 9:32:57.019 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aa1adc5-b161-432f-aa2e-b34607a8f8bb,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c22eae83-d678-40e4-904d-3a3274551d23,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a7f9a5-b9f0-4f23-9edd-7dd26cb8749f,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da612b30-f0b6-4e51-b052-846305aa956e,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b2dc92-74ad-4dae-80f0-d7c41bf6134b,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fdacb34-a5f1-4db9-a32e-09648e68f26b,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ebd0f39-d29d-4269-94c1-0bc28e8f0039,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1784eeb-6dfb-4f2e-a60b-506afa219f06,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed11e6aa-313c-4c57-8446-78c7bacfb369,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61838f04-32f1-42ad-87f4-572ca9d1bedb,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,407f0c9d-9653-4ade-bcce-4ec0a43b6e87,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ce0b52-a4db-4917-8c77-b706da575a04,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4086056a-92bd-4741-8c77-b7b6f69433b7,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e568e5a9-7b6f-4d13-bb54-736bc4b0c49a,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cee93e2-d90e-4110-ae44-60498ed210e2,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb88c15f-2b47-4230-93ee-51a5cec2730c,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a0eed18-facb-43af-88cf-ed3f6b96a070,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc31c67-f6b3-4bb6-85a1-1e29c841c324,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693fc492-9687-42b3-9105-91c343376e83,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ab56ecc-71bb-48f8-b626-26aa79730002,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,175ba6a3-5321-4fcb-84ca-971a6962885e,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9228c7a2-7752-4652-814c-c58f262033f0,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9212fc98-782e-4495-b88c-107fbf033de5,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a496b6a1-0f88-46b8-b890-765f99ecfbae,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,378568ac-5a7b-4ec2-ba18-b31e23f649ee,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,852fc7d4-f6a2-4d26-97c3-290c87fb601f,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e36a08c-b736-4b33-8184-14f1023dc2cb,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e54a720-fc0f-450e-b157-aeb6e6a2c8fd,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af47d9c8-699b-41d3-a0f9-ae4d998d1c6a,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5790d879-a3b9-4c03-b169-9852c0d27be6,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abbe30d5-8594-4311-ad18-78a61c749480,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53ba4b14-dc7e-4b12-b2fb-9200d6f0c92e,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\FINANCE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae070f93-7e7b-4e71-9a65-b60ba6321f9e,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b230016d-5d31-430d-bfc3-e01b70cce792,"4/16/2021, 9:33:03.767 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cd2be89-663c-4f42-98bf-609474446f9c,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\OBQ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf57dca4-3297-415e-ba90-a24203d70a65,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32e9f9a9-5038-428a-a168-1220fff82d2a,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc5c8196-979a-4d6b-a8b6-d12144b99a98,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd85e3a5-7ffc-4b40-a19e-bdd9e79ee2b6,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46f5d283-8e90-44b7-bfec-7d5947704a2b,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,442f6080-ae6d-4195-939f-3f9925e10e08,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc77df39-2b2e-4f41-99b8-d89bf3e8f8ec,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\SERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5508f3cb-aef3-4202-a2e9-306102847724,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f25c1b9-68f5-4b88-9064-c198e4e4ca1b,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98127f55-354b-4e79-8de9-1792f68371f3,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98aa97e2-7a2f-4e18-9c25-f15d84235d24,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf843e3e-61c7-47b7-ae52-add5a6c9e0cf,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4410fcd4-7661-4c33-974a-04b979618f7b,"4/16/2021, 9:33:03.767 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10937e25-befc-465c-bb96-ad5eaa61fe3d,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05346356-4f9c-4878-a999-d47a61f1134d,"4/16/2021, 9:33:07.889 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ede273e1-6aa0-4831-802d-cf2abe5236b5,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5448 + 76 + 
%PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,93973a35-3df3-43ad-8a3b-63b9ab4ce6eb,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 464 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84ba234b-9e07-4ba5-a047-058029652886,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6004 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1eb7443-b791-4674-a9c0-eeba36d42d9b,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1d90703e-59dc-4a01-b1ec-e7288ba40791,"4/16/2021, 9:33:07.889 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a82f70a9-00a6-402c-9da7-5ae7a0a81aab,"4/16/2021, 9:33:07.889 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7151750e-13cf-4d8e-9d40-16d00cd88107,"4/16/2021, 9:33:07.889 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,004a1ee9-eb36-4e4a-8db6-1dce13aec451,"4/16/2021, 9:33:07.889 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f851e50-dc07-4a69-bc1d-8bd0d1d111c1,"4/16/2021, 9:33:13.648 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5156 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5486fcd-ea4e-4ef4-95fd-cf05ec3a3cfe,"4/16/2021, 9:33:13.648 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,a25a34d2-7cc5-4be4-abf8-9673d18e88a1,"4/16/2021, 9:33:13.648 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,fdadfb24-2b09-44a3-bbcf-938de57504eb,"4/16/2021, 9:33:14.070 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,bee820ba-be3b-4833-9979-14b20d303fe4,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2302c807-5a48-46ec-a8a1-9ce824b1430d,"4/16/2021, 9:33:14.070 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,50851812-849d-4fe0-afc2-69f2ab82d4c9,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9913cf1-c8d2-4618-9e71-4f294d4ac91e,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42565043-a331-4250-9bb5-fae62533c3d9,"4/16/2021, 9:33:14.070 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,6f84c799-ae56-465f-b829-0da63a27278b,"4/16/2021, 9:33:14.070 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,886e4e59-fa5a-4a34-8bc4-bb4c6878c8d0,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5e2d321d-d485-4c20-b6ba-b0a92d2b5f22,"4/16/2021, 9:33:14.070 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x88fc + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,e61b9803-8bde-4568-bd43-277460efaf90,"4/16/2021, 9:33:14.070 AM",,,,,,0x88fc, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x88fc + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,9bc2aa09-18d7-48cf-a79f-e6c30a9b43e2,"4/16/2021, 9:33:14.070 AM",,,,,,0x88fc, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,50e618f5-a46a-4338-a530-1ebc74920a45,"4/16/2021, 9:33:14.070 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,29a693d0-56ef-4ea7-b1a9-bd7a1c8e5087,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,265a40b9-1012-40ce-88ba-2cd44ed4ee29,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c01c8c33-1aee-4cd3-8303-c10e949a526f,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,10a6e81c-0731-4ce6-8f26-646c3001079a,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dc229e1e-d47e-4e8c-a0f4-245bbe0f20d5,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,96c98397-6653-4f56-975a-25d5d5c7c572,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,950848de-1a19-435a-860f-7a3e76ab7712,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26b22d57-7299-45f6-8337-a0d36cb448b1,"4/16/2021, 9:33:14.070 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3bc902cc-9c3f-4596-bc48-f67689d1b05b,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,563c0100-8dcb-4373-9a01-98d8a2197eab,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,782364a4-76f8-4937-ac8a-34422cf35d90,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa3c9219-0735-4519-998a-834be0aaecbf,"4/16/2021, 9:33:14.070 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b38cb1b0-eaf9-45db-8fff-553f6a943459,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0b0179-d9b8-4761-bad6-c6018fc3a9dc,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe50554e-227a-4f0f-b494-8a4a737c2c47,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc56527c-4264-4121-b32f-af5a316f757e,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,212e77e8-a4c9-4f10-8232-f81afc82f8e3,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,780ea4e3-4aba-46a2-bbcd-01059b4e35be,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,949bd9dc-dd6b-4ced-a34a-556229644f57,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b9e47a-d48e-4748-8b58-5d17fb740598,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52511c7-c7a9-4f64-9b9c-0b974d2de6cd,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dc333e6-eab8-4100-ae10-bef5e1251dec,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa8ac4fa-a6a8-4b0a-b2b2-adec12a1fc41,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,447243bf-0ea7-491c-b8a4-22e2121efdc4,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c3fd7a4-9858-413a-abec-489bf24e35a9,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d8d99b0-2aac-4690-a261-88e82867ce9b,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6842b8be-8a3a-4d76-9b91-62f68e47b090,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43c4480a-e4d5-4c1e-83e9-af9832932dff,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d57075a-5d3a-419d-88f4-ff2955c27867,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c58ff95f-e03e-49ab-95d0-20719d39cdfe,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5247afef-e586-474c-9b04-dd4b5e318bd9,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9571bb69-2ad8-4803-99e6-3704f19b7595,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c18523f2-64a0-4cc7-adde-1a0b7f6f1e8b,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64a53c5d-155d-4305-b9c8-b0de5dfa3dda,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91c064b-d00c-4776-aed2-6c2450d3d342,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d0db620-0eea-407f-800e-8ad21e38bbad,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,49c15afb-2ec0-4614-a954-f0342b22b558,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\BILLING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12b43a1b-54a4-4621-9312-f69ae53dc63d,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,766c3ce2-616d-42d3-8465-3eecf7b5a30a,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\CAP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d6cf9e0a-7153-4453-b32d-31a21789dca9,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\MAINTENANCE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,953a81fa-782e-4146-8a20-5e787f164790,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,437d051a-959e-4383-a437-dc3da9fc0892,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c056e094-61ac-4c91-a509-824b8badc995,"4/16/2021, 9:33:15.422 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a821ed7f-5107-4279-9f17-84cf297aeeb4,"4/16/2021, 9:33:15.422 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7212 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a73973c-241a-4b19-b6e6-0ac9ea642f2a,"4/16/2021, 9:33:15.422 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6180 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ba277ede-7de0-41af-960f-86dd108d02dc,"4/16/2021, 9:33:15.422 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cbe5d1f2-f329-4f17-822b-f1cd0512934a,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,397f2e93-abb7-4077-8e45-2d07e20d92e6,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5b61c7-1e8b-4c1b-b4d5-ff3aaf50bad6,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bfcc27c-ef28-44ae-8254-eeca3def2339,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,615b6455-ded3-4491-b8ec-c2e6703887b4,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc29114-384d-498f-adf8-897df68c38f3,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f7fcd3e-0f71-440e-bbcb-631d48256e93,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,294ea6ba-32e5-4bad-81df-c6e0314e5819,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9af7324-54d5-48d4-8044-17a251cf3260,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db6bad38-03cf-49c6-8d0b-caea83ee7ba7,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,887ac9c2-c5ab-4218-8f83-e1d0580839c4,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01f4dedf-fbfd-4d78-b13d-8056da42bf4f,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee5c0883-f0b3-4fd6-8b83-30c9ec8b829d,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370c4d07-fd0d-44b2-bed6-2aa21916bfd4,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b33b97d5-e165-4656-bcde-4304f530f8cf,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2375714-4bb9-4465-9396-3d3666cc822f,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb1bdc0-aa2a-4e50-9fb0-eaeab5319cc8,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b018e7fa-598c-4779-980c-a517d81dcd71,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a2da6d7-4113-45eb-9e82-6bf0c69cbdd7,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,56cc5866-9c19-4b9a-abed-2126edd991f3,"4/16/2021, 9:33:20.136 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,384283c4-3cc8-4131-85a6-c1fc4a95580b,"4/16/2021, 9:33:20.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3341a948-b4f7-4f5c-92de-e9f84c11fa1d,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bc42aeb-b985-49c8-bd99-e0210b5d593b,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 832 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c8c3bf1-c7c0-4f29-ba06-b332cc741b00,"4/16/2021, 9:33:20.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,103ddd7c-3388-499d-8666-68e96c6e11a9,"4/16/2021, 9:33:20.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7aff4b7-9175-4885-bac0-5a1fc36ff2ec,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d54df2-dac3-444c-a747-50f29a69d33c,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b8ffa50-bc29-4b2c-8bfe-be0a1cdb1d38,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2042905b-5f4b-4ea5-bf5a-706d3caca301,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6bd3290-c4e5-48f1-9b1f-7f1124ba0094,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,351f9be4-3129-48fd-9807-3a95e77a6fe8,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5d05c7e-c264-4eff-a936-f93cbeb1d09a,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a96797b-d81e-47ad-8399-036ceaa2276b,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bbbcf3e-118d-4134-b3fd-7a74690cc660,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b64918-9b77-478c-87fa-045fa932ec6a,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb859ea4-9df4-40a6-95d6-e96e0a14bf55,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d4691fe-2aa8-47d9-8605-0758607e9d10,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dce3f50-b6d1-4a52-afa9-c820571593c0,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d44fd60f-5794-42ad-b3ae-917edb800024,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0486405-78ed-4627-8055-24ea688456b6,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9936ea4-7a3d-4689-8630-a88b3a45f19e,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c5a482b-6c25-46fc-ab08-37e8d1ca7846,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59906b48-f1f0-48c0-89aa-efc8ea6c50ca,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee37d680-4fa4-4e54-8aec-9b91933a5400,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d211d1f-2af8-4df0-b284-70e12cee3dfd,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8e33719-9713-4dfd-8f38-66bd29d8f5ad,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\TJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7fb45cd-b010-4687-9d54-aed5a690d727,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bab47686-ff71-4cb6-9158-7c7cef2c8ae8,"4/16/2021, 
9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d252097-52a9-4a17-8746-726f03e5d82c,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08bbc8be-1f3c-424d-9a7f-15e48ed163de,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e9a2c7-cd53-4df7-a63a-686c2fd29a24,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82674319-2874-41b4-8288-9272d79affe2,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dfa45d0-51cd-4ee1-8829-dc19f1e29a9c,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d893689-3ad1-446d-a365-3f3eccd2c243,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3a5f88f-00f0-419b-b13d-07509e3e7241,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b542a99-2074-49c3-8f32-957bbf22244c,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, 
+\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,992585ab-f5da-4f6d-971a-8ab82dc27f84,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d49e73-e45d-4969-8fa6-19ce487e4b51,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3defa3e4-8552-4c42-bad7-ba5aca18860a,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ebb9a54-b41b-49df-994b-e4bbb0cddca4,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7861719-e965-4e16-9b78-debfa4c12045,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe80037-f0c8-475b-990a-976607b4b5e5,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,7c92fa70-fd7c-4fbe-ba2a-44ff56419e18,"4/16/2021, 9:33:33.139 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a3b09c-8e74-4601-8c23-637528bf187b,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0e447a0-898b-454d-a195-94fa47cef76b,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69bbfd57-b030-446d-86b1-8ccb12216398,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2e87295-e180-4f0a-bedc-af745b7f7cf4,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22862313-8203-445c-b6db-fb96751dfd28,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4555b823-bc13-47e7-89b7-af315eb52559,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82483bee-d699-4e05-9b0a-27ecb2f71867,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c799394-d9b8-45ac-b02f-3aebaa84c946,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec911179-a25e-4d2e-9003-3dd49747221e,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf8ffe6-ff00-4814-a153-70f030d365bb,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2bca72a-201f-4636-9219-2b62ff866cef,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcda2cc9-b39d-4170-a09d-8b6ae4c713ac,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9520be3-b232-4ce1-9998-6747eafea802,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ecbc1e7-d54b-4971-abad-51c3cb68a933,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98cebf08-0483-4ed5-aff3-c4e0fa9db587,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90f16a1a-141f-4121-a490-b950c25cdae1,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c87e1d8f-5962-4c17-8e33-f944230355da,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,901ba064-c5c1-4091-af4f-1f60d48554c3,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3847e98-728f-4a7a-938b-7d48d86850fd,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d8000bc-e765-4502-b82a-31162f1d8c8d,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,843e5c0c-3700-4f23-8eca-7cc156a341d1,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480915f1-cf5d-42f7-94a9-b10e42de4081,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14e099f3-21e7-4ffc-9552-86a14f717348,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2300876-bbbb-462f-bbec-31a5933c55ff,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3176e962-5006-4e40-a7dd-bb93d4057100,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b278bdf-9013-4d76-9986-880a1c901dd6,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,249cfa6d-3782-453c-9ffc-80cddd8307a6,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9e5aeb-ed74-4a6a-b854-899d49f33c23,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe26107a-f03a-42a4-90bb-9d53a43b5483,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de2c691e-2909-483e-a48c-6b3a25214d74,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a50d355-1970-43ee-852b-14f378025ff3,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bee952c4-ba06-4113-b560-147ca4cde4b6,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,040905a8-10f2-480e-824c-8c4bf846ad1b,"4/16/2021, 9:08:13.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4384 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9f4776cd-d3e3-40e5-89f0-a639b59d0bdc,"4/16/2021, 9:08:13.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9664 + 24 + %SYSTEM32%\USOCLIENT.EXE + 32 + 3942ED22D1D683E626E94ACCD9538E1999E488EE68D1DB541B383E35E4280E84 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCLIENT\10.0.18362.1411 + 0x3e7 + 33 + C:\windows\system32\usoclient.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,40a2f6b8-509b-4277-be2f-07110859e53e,"4/16/2021, 9:08:13.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5580 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5050de5a-f5d3-466b-aae5-4de9015b4a6c,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,04e8fab1-c0de-4443-84f4-17d2570979f3,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + \Microsoft\Windows\Flighting\OneSettings\RefreshCache + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\wosc.dll,-602)</Source> <Author>$(@%systemroot%\system32\wosc.dll,-601)</Author> <Description>$(@%systemroot%\system32\wosc.dll,-603)</Description> <URI>\Microsoft\Windows\Flighting\OneSettings\RefreshCache</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;AU)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT239M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2021-04-16T09:58:46.045Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1H</RandomDelay> </TimeTrigger> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7538BCA33A019502</StateName> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> 
<RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT5M</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <ComHandler> <ClassId>{E07647F7-AED2-48D9-9720-939BC24A8A3C}</ClassId> </ComHandler> </Actions> </Task> + 13510798882111596 + 3612 + 528 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,87f075ee-ff52-4e6b-8d6e-6db41eea21d6,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a653d5de-36ff-43b2-9e27-ba8100a0c833,"4/16/2021, 9:08:13.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,6cb56322-e35c-4a43-a948-97e86fcd8570,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3c0de5f4-d581-4fb6-9dde-be907e874e14,"4/16/2021, 9:08:13.636 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + 
%%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2e3231e6-9d59-414a-84bc-92570097b768,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8322ed3-5513-4979-bdb4-6cd225e9050e,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fd38a019-063e-4d0c-b5cd-ebc0e1cdf1a0,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d4746328-4a5a-4e02-ba1c-725f17b187e7,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5a7e7356-8a60-4890-808e-1b3e3ac47312,"4/16/2021, 9:08:43.055 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,418d2392-6a6d-4f58-8486-879269ed69c8,"4/16/2021, 9:08:43.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,8f53b8fe-3391-4f18-8689-e601cda33c89,"4/16/2021, 9:08:43.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,21848aea-279f-46e5-9a5e-6c2ac379e4fa,"4/16/2021, 9:08:43.055 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7228 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,772e084c-a74a-4b3f-8eb1-6617349efab7,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,17d38657-9693-4b1b-97f0-ecef51bfdbb6,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 196 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1878529d-f3b5-4cb0-8100-d257fa46c78d,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11708 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3f70b3e0-b75c-4ccf-9b06-8191c94eb071,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8016 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST 
TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0a06cea9-63b4-4665-a3c0-de9d5e225731,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4724 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,48a11fca-bbb0-4717-9bca-a00825035c59,"4/16/2021, 9:08:49.302 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f3dd61e6-d782-42bd-8474-a58cdb7885a7,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +\PRINT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1dbdc13e-057d-4100-85a0-d3e0e3473b97,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,819675f1-2aa1-4197-9ff0-a65799fb77e5,"4/16/2021, 9:09:32.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH 
Contains ""*"")) + S-1-5-18 + 7256 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03451957-2d52-44b6-b055-5693be634ca7,"4/16/2021, 9:09:32.408 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6cc42a7-392c-40dc-890e-f4eeae9034b9,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7192 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,92acb77c-695b-4f8a-b39c-eaace92cb887,"4/16/2021, 9:09:32.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1164 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e595fe7f-26dc-4a9e-9f54-78a943a64034,"4/16/2021, 9:09:32.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed7314df-227a-4bc5-8cde-9673db39c801,"4/16/2021, 9:09:32.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,40d93ef9-9377-4025-be22-afdb2669a4ea,"4/16/2021, 9:09:32.408 AM",,,,,,, +\SCANS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,673c6e26-c50d-4a82-8987-7ce2cf4abdfa,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4ec8c63-021b-47cf-976e-b747ed0a7fda,"4/16/2021, 9:09:32.408 AM",,,,,,, +\TEST2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0a398882-b129-41d9-ae54-9872295ab4a1,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,09a48bc1-4b3d-4cd4-9961-46377c419c41,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +\SQLADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d92c3bf3-52e1-4a4f-baea-23b39fedb6f7,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, 
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6d508a5-e3e2-4aaa-9db3-bd124e41a51a,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e824db3e-32cd-47ba-aed0-15d7e50dd371,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fa0ab5-2b63-4017-97a7-1cf3e010bff2,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c594cf7-6b61-4e55-bc1d-dc4bca5a836f,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c25e028-fb2f-419d-aa08-dbc3f036fc2c,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf2193a-c32f-4a53-becc-81edcbec1120,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64b654cb-2e41-4cb0-bd90-21575935caac,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,372bb7ff-b31f-4dd4-a72c-7d99b8834900,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53b803a3-072d-473d-ba50-57626c64bd51,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cac31b27-07fb-4578-a6c1-4bede8946749,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24fce3a4-1c85-4f55-a632-9349209b897f,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3d7b91-0f97-437d-b038-2a39553e0d83,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69bfcab3-ee1f-48be-9258-2074877e422b,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f4b5575-00b6-4856-8f58-1d510596412d,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16bba3c0-77fc-4248-b335-16b97c33ceeb,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1afbe84f-c0d6-4e34-9a0b-c720847110f9,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,520d9a89-a552-4e62-acbe-93f2d72e9523,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89d6f77e-ec89-460d-ad9d-cc5870446e28,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9643d7c9-b987-48f2-8d6e-1bb757626e28,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a6133e2-83d3-41ea-aa90-7ddb765c21ed,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e086bc0f-ac5a-4707-b306-127ea2ca7aa3,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa99ced6-ec26-44cf-b848-d48a5283a88c,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0744761a-c44c-455c-896f-d442d906c963,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f8beec1-71c3-4b89-9054-5feb0b4e4248,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 
+ VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,45f73bb8-caea-4fa7-8c0d-158b6775aa6b,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95b47ec3-ab01-4f8f-ad7c-1e7ce343e825,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,370288bf-654a-4c6a-9970-a3f76865243f,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,636b0c77-da54-4b8e-9e03-d61c7ee1afdc,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ae909cd-be46-4c0a-a299-068d2f0aed9c,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d8518f8-7bbb-403a-969a-090b30457f93,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eb8f6071-a7fb-49f1-9fff-8053da850642,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60e64e77-c8f1-47bc-b660-6e11d116f100,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bd2dad27-31c8-4441-9e80-58b2613fce47,"4/16/2021, 9:10:24.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,21beb027-e45a-4882-853c-310bd0733b13,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fbfca30f-175d-4dc8-8fae-3d7729496d24,"4/16/2021, 9:10:24.056 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db96574c-8fbe-4d7e-a2c8-7c5ab7a276d8,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,56a96d9c-d5b3-4689-8be1-6f5ec59a89ff,"4/16/2021, 9:10:24.128 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad7e741d-8859-4fc3-985f-bd8a85cd9901,"4/16/2021, 9:10:24.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ced41299-2c4f-4893-81b5-df2bc0802ac4,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acae88fd-9bfe-424a-963f-ef9dd77cb4b1,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4676 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fbd1dce-cf91-4de4-826d-c9203824f7a6,"4/16/2021, 9:10:24.128 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,39e19458-da0e-45a1-a5f7-9c00d3392f99,"4/16/2021, 9:10:24.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e819d3b-a296-4091-b4c1-9514737a477c,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5daa4c35-db3d-4355-807f-efc56af92449,"4/16/2021, 
9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6812ed57-d1d4-4d9d-8ae9-f4eeb48f45c3,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944d7d6f-4f60-48df-b71d-26cd82feca44,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,547fa3db-0190-4146-b313-a90b6ae8ab78,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5400e77-8dde-4b28-a04d-bef1fb610018,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10f82f62-886e-44d3-87b1-0891f3870a4c,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95299852-bd19-4aab-b372-413ff1b6233a,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2c4d6ee-691e-4cc3-a306-f88499073bbf,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d65b94-74b0-460b-bda6-67182be64dab,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,798d901a-63cb-4642-b3cd-f5512cc6b3bf,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b8c64d-525a-46e3-8b53-ec2a1aa6cda8,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf6db27d-1bd3-40cf-b99e-5bde20960513,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19385eaf-9053-4908-9a0a-cf4bb8247307,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c211afc6-1688-400e-9725-91717772cc03,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea4ee37f-fb1d-4781-aebb-0e98518de4f2,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24b615b6-7b3d-4dd7-a863-34cf489a8e38,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41347ac4-b671-4500-99d8-14d724aa7ba5,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4680b9dd-accb-4c05-848d-651dc081420a,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42574ecd-bc4b-48f7-a7f9-83e2e5c56d33,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b056a51a-4c3e-4261-84b5-617e386a9760,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b43a8965-f5d0-437b-9f2c-74ce686a174b,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e4d0df9-054d-46f1-b769-0060609b1a10,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c0a6995-d615-4c4e-9fe7-2ba491a8a2c6,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc9bfb45-0387-4745-b760-a4be1000f226,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd29db08-d658-40af-ade5-f221500e17cd,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1931911f-6634-4fdb-bc71-8f760fcc4229,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e95c0491-dc17-4eb3-b1d7-0d00be2f8f58,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67fb8e7d-2603-49c5-95fc-2a47b35b39d1,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,849d567e-ca9a-4354-a28c-00772c0de91e,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb8414b1-eab1-4803-b4c0-23248090bd7e,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,332401b0-16dd-4561-a73b-f42f32a2473c,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f23dee2-bdc1-41cf-b784-3224f6f64ef0,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec056d4b-ff3d-404f-bb5b-275897c502b4,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9840a2bc-b3be-41b5-adff-bc5649c223e7,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,964af361-3ee3-4575-bc89-cfd8f7f25eed,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,661a857b-9621-4650-a930-b42dda156ccf,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcac89dd-4dc4-4e55-ac22-86784ba68326,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05f6f1ca-e91d-4810-b509-c911667ca4bc,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0735797d-7831-41de-a9b3-21ce305febc5,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3048c11e-f6b5-482c-bea5-34af66aa78e1,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5644bf-555b-4f5f-ab27-87c6d9f4ac67,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4bfb01e-d042-4c9e-9b45-663bf7ba7877,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34b02472-1e6d-4df3-8b6c-887620a7f160,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2b56ad9-8858-44c3-b0a2-e9e46118d133,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7993abf1-eaa8-4faa-bf97-619a180bb069,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4736467c-f086-4ec8-b1f7-9a3201cff429,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f11aa790-af77-4c78-8e18-308fd67538e8,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa576a08-53f6-4843-9e73-f43e2075024f,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78be4ee9-634e-4ec4-9e04-0eea7901bfac,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aa335b5-5274-4013-990c-6092d53bdc4b,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f22974-4588-4690-9bab-8a68eb799ca7,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ded57f1-5162-4130-82ee-16a3e13f5339,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da22ff27-0d4e-44b5-a9e5-5c585ee85966,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd6a91f4-15e0-49a7-948b-e010e0308786,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19b056fd-b3c0-4f95-85c4-5258355c74e0,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12733aac-9ed6-458f-8994-13c0cf84a742,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98a5c50c-a8f9-485d-8221-a106acbef98e,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8980885b-a2d0-4ab4-b5ba-da5d761220bb,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dcee186-acd0-46d3-aee8-7eb0f39b0475,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43df10e9-db08-4980-af46-6ac1392a6c43,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,644ee7a4-2202-480a-bba4-b09f3c8a9e2e,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7796 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D783370D0C3716126E1F2130E165DBCF9EA52A431FB5BF0AB5E3D9D3D479AC08 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.01 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9e344bf6-00f3-4ff6-ab50-2dfb4eda7737,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 14244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a87d8137-254c-4b27-bae5-d64bc3c00333,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12988 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b03f9516-c4c3-4342-bb00-9d5883cd8c76,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5068 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a212302a-bdd7-4ae7-bb9f-e563bccd3e7a,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12656 + 115 + 
%PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ab653b2c-5b8a-4910-b85f-c63b699cd6f9,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6550fd15-d811-4789-b767-e7c6520f6d76,"4/16/2021, 9:11:33.999 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4088e653-9ea4-4acb-a600-5efe62a8bcc9,"4/16/2021, 9:12:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,edafa536-5a8d-4a1b-83f7-27c705e02139,"4/16/2021, 9:12:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c970927-791c-4620-900e-e2bd24bd7446,"4/16/2021, 9:12:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cfb20e38-11ca-41b0-b952-583174e34874,"4/16/2021, 9:12:09.882 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1565de65-5742-4122-a90f-d4b2536873a0,"4/16/2021, 9:12:09.882 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af13ca0f-4859-4863-afc3-7721711aaa54,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ac90e90-7045-489f-a569-e2c8b452e4fb,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0f7eda1-bf4d-40a2-8eab-cd95f77f4c75,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535406ae-d0c3-4c01-aacc-77d0ddd42982,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6d11950-e63e-451c-8e09-5ed941f1788c,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbc5cccc-959d-4337-b1f3-edefdb4bcf29,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b155dff9-e528-45de-a7d7-826dd1d72de3,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15f6490f-9df1-4f76-87be-ac55acd0781f,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d957495b-aacf-4843-9fb2-938c89103e5b,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2663d37f-1580-456d-9645-4e9750a69744,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82f1404-af2f-423d-af0b-6d8270605689,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb83ee3e-e8c6-4341-9fef-3f549d8d6bf1,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e509c4f0-83b8-4083-b4aa-edf4fe2136b9,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b77cbe1d-7f10-41ac-8aa5-a281b361bf23,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,684895ec-57b8-4825-b222-b3a1d744458f,"4/16/2021, 9:12:22.128 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1980 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7eebb1c-7ff0-40d4-937e-434dfb160ff0,"4/16/2021, 9:12:22.128 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,55da67ee-afda-419d-ac4c-25ba799c3544,"4/16/2021, 9:12:22.128 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c78cceef-e738-4579-b94c-d287a4a21b22,"4/16/2021, 9:12:22.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cb1ca08-8e3c-434c-b1e1-379cbfbacd5b,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b13d3611-f145-4b28-9bd2-ad224d57b6e3,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30057e02-40e5-436b-b96a-bb11f011a1f5,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56d8f744-c75c-4e47-88d6-f7c4f81d6b2a,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49552382-dbfd-4b5a-a221-5fe2e9dda457,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c529202a-bed6-4939-977c-0a6886ff98d4,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37998e2e-2c53-4f24-9785-2b9c716ef1e6,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa71244b-4a54-4b0c-8a23-79d38c75a80e,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,257b0917-2d32-41a6-83dd-c637483e341b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\RECEPTION,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a81c65dd-b761-4fb6-a34a-dc8257717968,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb0234f3-a6bf-4c9e-955b-c94c2e7d639b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85083bbe-af03-454a-b151-c40f5aa83b12,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1987a5c1-6cfe-4a5c-aa17-8400e7afb2a9,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8bc6acb-5cda-4c75-8154-d985291886ca,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f4acc3a-77b8-4f6d-be7e-64cc935ee609,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a56fac6-af51-489f-a412-d22d05f56cf8,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c55001f9-d306-47f7-a43e-70d80adb43cd,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66745ff7-c5f0-410f-be4d-a1a9a81eb35c,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75f553fb-1f75-4e14-bf28-e65d525e3fdf,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9424fdcb-5f38-4012-8e27-33e8c165b6d6,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6866baf1-7581-4d9f-b66f-b789aa8ef17b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dfcdf6a-8072-4f8b-94f0-46962b9de963,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3236f77-51e0-4ffd-ba04-c60b77054f3e,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\GAST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a61e6947-37dd-440a-b023-c5bf76373a94,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4048cced-6de7-4050-92ae-49b48b07be8c,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,559d5c33-f3d9-4f02-a323-b3de54b1ca5b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eca8e936-9b77-4783-bb10-8b29f1ea3dff,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,166b95d4-5d56-429a-91ad-df0e8d1e24eb,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ab8d093-8541-46cc-aeab-974c15c28688,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a80cd54-1c4e-48b2-9c97-e77c8294731f,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a964c9a-3411-4136-b225-ecb1a9ef4329,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e842399-c420-4005-ac4d-30b753a860e0,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ddbe569-88a4-474c-973c-558a241c6949,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e45b72e-ca92-48e2-90d1-78d5b96af742,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c102ab-15e7-4055-a25c-a9194f7f6a74,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09bc1bb4-e6a0-4382-8ceb-3a4852c4e5d3,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,983a0f7c-ac9b-4e13-9b61-c0939d01b177,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1a6f2d4-6e97-4485-a5e6-18edcb3f41cf,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f167b7c6-9b2d-4945-adc2-ae51431d15df,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfa4872d-777e-4198-805e-58a03e092de0,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26dc02be-a47b-4ad6-9b34-8528d0a85d81,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d451140-aa8e-44f5-961a-27883fac6030,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0de90ae7-a80b-4b86-a95d-f5917f3b7ae2,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f77063-c164-47e6-a499-3a55d2c7ddc6,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22817d6b-6dcd-4d39-9931-1016927f8055,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17ffdd71-b071-431d-b8d1-db779ded7424,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8020cef7-2b71-471f-9fd2-755a611e9927,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b6488c5-8606-4c7d-8a39-37a39a3a99cb,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67a69332-8fab-4f59-a043-9106b95886d6,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40a290ee-afef-4613-ae2a-4ef4b606a844,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d3528c-f646-4899-bb24-19d3f9517261,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f27d41e2-11c8-4de1-8b2e-0036cecbfbc4,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1d44383-768a-4c8d-8c47-f26e0986d527,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c4b892c-1900-43bc-a0c2-92bffeb9a903,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\OPERADOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d54929d-24b7-4f7a-8b99-0be8579b51f0,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,56a23765-098d-4a77-b856-1d4707324345,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\TEMPADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,feee3a59-dce5-4f49-b0e9-436cc92f350f,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\POSTMASTER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,89907111-4dfb-4789-b997-f302d4804198,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2172 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,945a6149-859b-4486-aecb-04a1c94f4b22,"4/16/2021, 9:14:06.410 
AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7343937-b9b1-4bc2-8d43-5a3385bc92a3,"4/16/2021, 9:14:06.410 AM",,,,,,, +\OVN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aea2b5f1-2a00-4c3a-bf4f-bf9fa825dbe4,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83fd83df-118e-447f-960d-2d8cdcffef1a,"4/16/2021, 9:14:06.410 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aeeacc63-2cd0-4bb5-b173-db58764d9fce,"4/16/2021, 9:14:06.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a71aa6b-f5f3-4eff-b308-38e78110c001,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(token):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,92a1ccdc-ff94-4788-b906-9efd331c061d,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(cert):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c401957-b566-444b-97da-69ff8242df32,"4/16/2021, 9:14:06.410 AM",,,,,,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:target=virtualapp/didlogical + 0 + 1 + %%8100 + 0 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,14ff1282-6894-4332-aa91-e29d3181de21,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9d3202bd-32f3-447d-96f4-95afda2a1947,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(token):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f19b45e-6327-40a1-8130-1d3458040af7,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(cert):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,625df995-21ce-4e59-a440-4709a29a7655,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c84c7dc-6f19-4b3f-a5ed-e2d755cbcf0e,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 
+",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ca70e36-ef4f-4130-9ec5-db8d59c15db9,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76631edb-f277-4184-87bf-a764305de86f,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc9aeb2e-61c0-41e4-afdf-09e48c793671,"4/16/2021, 9:14:06.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6768 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1f69993-8ab9-4352-ab08-d95cf313f29c,"4/16/2021, 9:14:06.410 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fdb09cb0-e1a3-4716-bbcb-367ce837d76c,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\CANON,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c04eaa7-ff76-4e69-a5b7-96325372f75c,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, 
+\VJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e538ce3c-6ce6-4806-9dff-bd47c66b5b00,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af89dbb2-adfe-4114-9ed2-87ea2f901cfa,"4/16/2021, 9:14:08.709 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d358c3ea-121a-4896-8a8e-fc0e8dc26fb3,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd011556-2fb3-452a-a6a9-964bded11389,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94e03610-e52c-4285-af3c-5f8520c9465a,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,055ffcb1-0314-4f74-8447-171daa20c6f9,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c84a112-c342-4e0b-8754-a95db3785545,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,202e086b-d84e-4fbf-aa30-6e2e2e1c438b,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d9162fd-0555-49f2-8ede-3e96f86ef004,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6832bd75-62e9-4bdb-a11e-fd413d2e4dba,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e3ffd0-8792-4d22-8ef4-884e708b3b68,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5bc64700-e85e-41ea-8549-28370cf1d071,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb44a730-283d-4461-b1b5-eada2b03a3d1,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13f9384f-8e1c-4785-84bf-427250cfa0a3,"4/16/2021, 9:14:08.709 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfdf833e-2ed2-424d-aff5-0d68b6707db8,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4e180cd-9e2d-4a41-9429-103e327e994e,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac3101e1-57b9-4cd1-8668-9eb86bb555bc,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6497b40a-8e8a-4428-ae9e-c97ca0c35390,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a21c618-fd83-45e8-aeeb-abd1512adcd7,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b37a7b97-ea7d-45d2-aec1-63f6435c8b0d,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d3cb208-f946-4501-b109-545f7e49a1ea,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,199a77ff-6874-4c18-bee0-8a5bb26018e0,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d97743a-16fb-4acb-88dd-6a4ba0bf4b64,"4/16/2021, 9:14:09.947 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,337c65a9-d629-4535-aa2a-fb291d2922e6,"4/16/2021, 9:14:09.947 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ef95c335-5c28-4194-8317-d0a5d7792ec9,"4/16/2021, 9:14:09.947 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,af6b1ef7-08ba-46eb-ab20-55d987cf06d7,"4/16/2021, 9:14:09.947 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0b698c86-a3ce-4a17-ab5e-1439e1f2baf0,"4/16/2021, 9:14:09.947 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20183f8b-3657-4a80-8491-d3e7b245b2df,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9df740c-7170-4752-8008-f22b5bebfcf6,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89363341-eeb0-4ed0-9ebb-9dfba8473adb,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a004112-5450-4c7b-874a-42c5218ba528,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc525a18-ec96-4888-8f28-e6fe0b235a41,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56128189-34c2-4d75-8bfb-9049b2110db5,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30798ef-d743-49c8-8ef7-d542bf1f3aa5,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b30b674b-e56d-44cc-a41d-90f3ddf59dcc,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de2f68f3-cc93-4334-87db-33b9b147a106,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, 
+\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7b6ab4a-9ae9-408f-8e53-b809af71ccb1,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f75f461-a0d1-437f-bff4-5db13aaf83d0,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e904a64a-8df0-4066-9d3b-166b934deb25,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d45f4594-658c-4d61-a217-ee251e7b978a,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0373903-8d52-4757-969e-a46c049229c0,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bae6a98-cd75-40ed-a21d-8a4be07056b3,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1fae265-e018-45b4-a210-97b024e8879b,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c715894-6f9d-4419-8c65-f2d2ddf8515e,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a5cf824-ca82-4240-a0fc-0d80b66c2734,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2352b0cb-c5d5-4b45-8e27-5be81b7e34d5,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b000757c-5d71-4970-91ce-525f35a2a8d7,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9435c12c-ee9d-4a55-845a-42095be6aa16,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552fd8ed-5cc1-4903-ab00-e374c4dcd793,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,460c9839-f9b1-4ad6-b103-15152ff1e3e2,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7da16b8-1ea1-4f48-80c5-0b8942221080,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc902188-c65c-462b-9ff1-4e842bac2aee,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d493ea9-4183-43c2-9488-2d57f4982f29,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5643385-5e46-440b-88d0-622382aa06fb,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a3ac86f-e9b0-490e-97d9-6c0b8b619d12,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5831863-e7e1-45fe-a922-0a065747dd18,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a422b3-ac99-4f2e-9da2-a19ce1b7298c,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4d514a-6be0-4668-9d51-ab9170e3cb97,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,203f7aa1-d4d0-4c18-a13f-d5e456328eb6,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,064702eb-883f-442b-8919-eb5aa780f78e,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75c3ecc2-41bd-4ed4-9fde-d887d8952f57,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96faeeda-2b90-431c-80b3-79ed94acf49d,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49728e3c-628f-4f10-8873-02be81c4e2f4,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9dc31b6-2508-4b58-bd07-0bc6e2dfa093,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b89855bd-f625-470e-900e-515e5a7a59b7,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f4901e4-1e3b-46ef-8b1a-4cb1721f272c,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5625b32-c37d-4c33-8f3f-4ea34848126f,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cb6361-6486-4da2-a44a-4d25d8c72f78,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e24d27e-b966-4b0f-bc63-41e6ae80dd27,"4/16/2021, 9:14:20.215 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,58d6335d-5175-42d6-941c-2431796087c8,"4/16/2021, 9:14:20.215 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,debca454-78d7-4d85-82e8-ca8278bedefc,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\REMOTE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00cf4b2e-b721-4150-ade3-6de115b5c47c,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13d55631-bb14-476c-ad4f-a5f0fe8b8916,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fb13602-9ded-4111-b416-846fd0acbcf0,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8420 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b33f0e-763a-458a-82ec-e26b3eb6af73,"4/16/2021, 9:14:20.215 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,575eb4e1-81e7-4788-9e35-672ce35ba959,"4/16/2021, 9:14:20.215 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65963791-fda9-4347-a126-22d2f1a4b092,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28f331f-5c5e-47bd-877e-6afa2791ca9b,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,146801fc-c32e-412d-b5bd-9ef30a8c5699,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e9880a1-21d4-4d65-b369-b5cdbefb90ae,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2909d42-7bd3-4ff7-a46d-06f23b84ca84,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ab48cc5-3d00-40b2-b1cb-669607fe385d,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\INFO2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c001b0dc-1315-49a9-af40-445c040a2f9f,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d339c131-6beb-43ee-b06e-2237518cec87,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e00d77c-1257-4e1f-83d3-d8b0e6a201d1,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c55e4931-314e-4852-9a8e-1e78a6aa6950,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef6bd00d-cfc7-4c88-adfd-49382ab31c86,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,022ec20a-b9ac-4bf4-94a4-23edde068e8d,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d7965fa-7d3b-4a78-b0e9-2b9d3e4b4b30,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,527b9027-97fe-452c-9e8d-9fb82b41d59f,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b79008be-9ea6-40cc-ba0b-c663482eb300,"4/16/2021, 9:14:33.130 AM",,,,,,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ed88ec-206e-4822-9108-21be9141f656,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,096a6993-a91d-40ae-97a5-c41ca46f5e53,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8808ac0c-1ee0-4204-9f52-4fa7c777c874,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24bdd7a4-ef0d-4b38-9ee6-eb8e70a7e4b2,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a05882a-8e86-483e-a3c3-33f17b2a3d02,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,541865dc-05f4-4165-9dff-39e416ac9fc2,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc41fa34-0adf-4b0a-b2e8-17b8e75a0150,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,707ba565-92c2-4092-9c8c-80f64699d686,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d2e4d40-2d8b-43a8-9aee-7fd61566637e,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\USER3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8d80a4d-a102-48ad-869c-6d869f1caae1,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebffa7fb-b7ae-43b8-b197-bdbb3266be96,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab5f7997-b2d9-4dd9-9640-6a3837bf443c,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4bda16d-0a3f-4918-8dcc-6c34a01da2ad,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3695acc-024a-43e9-aad1-5d822d7a872d,"4/16/2021, 
9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b93acc9-846d-4788-91d4-57517c4d07cd,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,513bb109-ddcc-4f3c-9d24-7ab2021f295b,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,980dc98d-fcd6-4e2a-a599-6ca1f34936ce,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dd68b73-193f-43a5-aa09-b5948c2162f1,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdea8c3e-de94-46f6-afc1-3c18e3ecae5a,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3231c7db-f0ba-4327-afbc-601fc49ac2f2,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26aa5d86-6c53-4761-a063-a1950ff15c01,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1030a3d3-fdbc-49f7-92cd-339d602fc683,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c70c6174-49a1-49aa-bbb4-0fbedc5c711e,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72231977-e988-4f91-87ce-3ee5beba5f90,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\TEMP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2c2bce9-3dfe-4c22-b6f1-2b763992d80f,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce7c7e23-d07e-4847-8f05-4422082519b5,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16631159-bb7a-43f1-893d-3f33faadc6f1,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9bb2203-1a43-4690-832e-c739e4080f9c,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7390dc65-c24b-4f99-9e5d-734373038235,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,792c81f1-cd3a-45c6-8f83-a1c309defe36,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24564d0e-17ff-4fa8-bb11-4521e9c8976d,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b5527b-9a75-420c-be07-9d10d48b5027,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1d5bf885-7294-42a5-9ad5-d03cd079c091,"4/16/2021, 9:14:45.867 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5628ad1-50fa-4c56-9065-974d6ee29d5d,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b40f67d8-825c-475a-9deb-09cd5af9df81,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d02b741-11f9-495b-afa0-fdd3670a3051,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86edddd8-655a-4408-ae44-db63a46a8621,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f0f081a-c35a-47a8-aae3-b36af30f1b11,"4/16/2021, 
9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6daf24d2-a16b-47a1-a2a5-2b76dd3f2b0f,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dea35be4-3efb-487b-899e-9655ef0ac7e6,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129d1201-bf6a-4738-bd86-83d67c35a0d7,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a673919-a400-4bd6-bbcc-0789d49c5356,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ed54343-adf5-4838-aa52-7ca6b9c6fc84,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d83cc8-abe1-4f8c-b635-5bfbe416e4c1,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abec1129-a7bc-4fd6-b904-f026f5e96012,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64512bda-ce74-4606-8a41-ab7dc8868787,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e9f581-877d-4813-a2d4-12af20b2f874,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c55bb5-55a2-4eeb-b4b5-a63d1e018dea,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e19cd82-d575-4925-96c9-a94c59b611f1,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e5eb6dc-cebd-40b9-8ef1-3d3285f1d3db,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f60768db-1001-45cc-9cfb-43f635a45a42,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e904729-5659-4a15-aa16-bbeb317d9b25,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06a080de-1c3e-4b89-a29d-aa4458f61ad7,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee8a745b-2525-49ed-83d9-9e3c352efa31,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,090b9f1b-c732-4c7e-a885-4e5429e82f45,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eed2d5b6-cd9a-4664-bf4e-8ee9aa210792,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d210780-fdab-417d-b474-f9aaf76cef48,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,246997bf-16f0-43fe-a1b1-f9e4c815bc5b,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc7f044b-3ddc-44ab-8cb8-5efcdc158650,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2604 + 22 
+ %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9b1a1a5-065c-4a9c-ad15-3b790a544efc,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac2ef537-dfc7-4424-8a92-3bf5a031e166,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10564 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bf41cb10-a831-4635-83f6-dbc0892c84b0,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9996 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® 
WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,960ebbcb-e751-4288-98e2-339c56f01bdc,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8044 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,891ddce9-43fc-4f8a-8be0-129a4c22b83e,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e598d97-123e-4b4f-b8b3-c424dce783f5,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae506a47-c1bf-49b5-a69f-f78e322fbdc9,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7616 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9e4889ce-c134-44fa-a55d-b6ba77c4ccb1,"4/16/2021, 9:14:49.272 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5460 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f2419aec-d240-48fe-9a86-89631af0994c,"4/16/2021, 9:14:49.272 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d4a20a7-4535-4bcc-a005-8518d7f52217,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c433cf61-a921-4304-b890-7fddb77be458,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a4c1d53-6232-49c0-9254-876062f14c14,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b5203d-0caa-423b-bdd9-6081e6deecd8,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2588653b-a874-4b42-902c-b1e8ab149c23,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d29cc2c2-c296-499b-8150-dfb1ac9e79e1,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e1c5c9e-d28c-4274-a270-5d7fa94f17ec,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06833cc3-7256-4b7c-b4a6-0e0d19f09a8c,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,142fc2d8-d9b8-47db-9e88-a0f54893dff7,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afa37735-a62d-4c52-8fdc-630abf40a8b6,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48389e17-44e8-4986-bf7d-4a78592bc383,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,773ad2f0-ae46-4b6d-a585-7648cc2941ee,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2146d4aa-0d6f-4107-8922-332b710cbc90,"4/16/2021, 
9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0059a97c-b831-4d21-9f1b-23692f135094,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92a31ffb-8ce3-43eb-9a19-cc0429cd2bf3,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dd494aa-5254-41aa-864f-d4bb5a1ef940,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13defcb3-0271-4df3-8081-23e3b2fccfd5,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e561220-ed7d-4ab0-b5b5-e2b307d0ea04,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af7d99ea-d855-4aac-b9b5-dade5f2bd0d1,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b237096e-70af-4940-bce0-8e909c63e943,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e25a5392-bef6-4a67-93e3-9fa639d66379,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,006f4c5f-9b6d-4744-b9e7-9ccbc6354155,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,bc4b8636-fc79-432d-a148-f9eca4dde9dc,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,bcc7eb81-fb42-468d-9474-4b508df434d7,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5840 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,243bd508-7032-4a24-9992-b982727ebd8f,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11328 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,32725abd-c64f-4d71-a441-230ecc726d59,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2096 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1812_NONE_56B727F399423259\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1812_none_56b727f399423259\TiWorker.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,c53ba320-08b0-4710-9149-9963e6e005bb,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5848 + 93 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\490\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 95 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\490\pmfexe.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,752e67ed-b954-47d0-bc0a-5b78cd313748,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 544 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a9324cce-9ad7-4d2f-a4ee-a3b95074e8a3,"4/16/2021, 9:14:57.007 AM",,,,,,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38950517-2e11-44d9-867e-8d382efff749,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e99bcf1-45a3-4220-b7b6-80055c7a96be,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d29fd322-d660-474d-bd02-6b3a8f2b05d5,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7486f187-0a1f-4b9e-b53a-6f4ef88dda7e,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b820c3dd-5778-4d36-bae2-9295270436a5,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b014c78e-1cf4-4621-be50-aa47474a43e9,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04e19ea5-727d-44a8-9de9-030d16909fb9,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6084d521-931a-4300-83a3-0c9afb94e64a,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b12bf86b-f41c-4d19-81eb-c06c92693eb8,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b7ac17-3ff7-463a-ab40-59b73bc3dd0d,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8588379e-98a2-46f9-befa-e8f35fb07489,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f75dd10-9143-495c-930b-8097c5b64390,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f2601f5-f41d-4d6d-b397-0888343344b0,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1925fb4-3f3d-4180-97b7-f3e34b7b7a82,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfaef545-58b0-4102-a5d5-67ce24624391,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\VJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,927fb63e-e834-459c-bfd6-eb09c6f41ecc,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c7009c8-d907-4687-9191-262b6d315845,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,668cb099-0696-4393-b689-d3076a0db4d4,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce137959-7693-4b35-b36b-092e3f00bb0a,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f8deddb-2602-42cd-8504-17b9622a277f,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50b29359-3114-4174-a73f-9448fcf94221,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9da5ffd0-bc3a-446c-b44c-aac4e0728057,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1838179b-21a6-4dfa-8544-66f0796e9f0c,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8c5725d-8300-4594-987e-913eaa7ba17c,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,72fc2a24-0ed2-4428-9525-b24a2a791e5e,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5002cc4f-2970-4b3c-9b6b-6a2fe2539cf6,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ee4127ae-99bf-4a7e-9b2e-c4d0ab4dd16b,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9637a4e6-2df5-460a-9fe5-90199c33ea5c,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,537578ec-1080-44f2-8125-211ab0de70df,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b3ec015-e5a2-4142-9117-272c2ffd1477,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dd6fd3f5-ec35-406f-97f0-d5c10f6c2776,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read 
(ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9ea716e-b15e-4802-bb90-a5f9161c6b8c,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01d9c676-5fe8-47c8-82f7-9dcd238ff771,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,74affa3e-7c87-41d1-8ac1-d7df543450e5,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03a2668d-7952-4392-ae91-c8ffa971ea22,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83c663f4-c16c-4907-a973-278630cfef47,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,21e8747a-04b2-4866-90f8-7df7f275c279,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4ff8a29-b868-435e-bf08-645ee52e5f22,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53929899-8fb9-4535-b60f-e91391e2b9e6,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,849e8214-99af-4060-9ae7-ea8a8e46a460,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ea58205-3917-4e66-b546-ddf28a106d51,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,62b968b9-1bc8-4e3b-bcd2-293199469064,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e119e02d-d535-48ae-b5d3-a9f830182121,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,be96f2d6-abaa-4441-8079-3f358c9c3f54,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1d85539b-6fa4-4fb0-a71f-482c3aabb43d,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,920b9779-d442-4ead-a1b5-9a6062208fb5,"4/16/2021, 9:15:06.417 
AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e70790d-c057-4ab1-b531-6c16076069e2,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af008f54-7520-472f-9ce3-2d8df4601091,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\CYG_SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,66d4d564-723c-45e4-a9f7-c49be37efeda,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,70c888cc-decd-48cf-998f-1eca7f39d998,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +\TRAINING1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d168b160-a6fb-4445-b37e-0ae0c8578e50,"4/16/2021, 9:15:06.417 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c78dc4a-1d2b-4b0c-920c-5db54449a2e6,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bb620cc4-33d2-46ce-a954-4b5b98247dcb,"4/16/2021, 9:15:06.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,069353f1-4adf-44a8-b1f8-f23743aa6f63,"4/16/2021, 9:15:06.417 AM",,,,,,, +\JESSICA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2e977666-047b-41b5-9243-12574a788172,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 692 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93e38552-0315-4515-9e14-6db23d75411e,"4/16/2021, 9:15:06.417 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6908 + 22 
+ %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1db62746-fc12-4ed8-b2a6-02c8df69d1ee,"4/16/2021, 9:15:06.417 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ffe5aee1-4d50-4ff9-960f-b976ce9a57fb,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fc430cec-f255-4367-9301-6748e0268cc7,"4/16/2021, 9:15:09.892 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8565510f-7a2a-401d-b6e5-644f3e256a4a,"4/16/2021, 9:15:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4136 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,42bf9906-ae63-454e-8eec-dc3084364dd7,"4/16/2021, 9:15:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + 
EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6640 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3dc0c43d-c19e-46fb-8996-7250c2e6eb05,"4/16/2021, 9:15:09.892 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9192c45-3a3a-4b1b-ad65-108b1b03bb26,"4/16/2021, 9:15:09.892 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f807ae1-2d22-431c-a8b7-45bcb955195a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a4f0b43-80ca-4a6b-8d8c-85038f755e8e,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d8a3a4d-415f-4b3e-a62b-a94d175e400a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7062361c-389a-4290-9bc2-4ba116c59a70,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a4791bc-d8c1-4d70-bb43-3975e3ba8b1d,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,478de325-2e37-481e-aff0-6ef982c3d3d7,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71d44552-cfb8-4820-80f1-8bafa69974d5,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b435f00e-1d76-4bc6-8761-0bf62e402331,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dbbeb55-a0da-4600-805c-74094b7c381a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35c2eca8-41d5-4445-910d-1a642b43078d,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,822569d7-a6c0-4c10-bec8-1a5381d08e6d,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\USER01,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f51ebd67-b348-4e75-b79a-d416eded8125,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76033931-0de0-4899-a8c6-e66deb5d1246,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cf2b0e1-3a91-442c-a7a0-7bc123393a8a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,492bd954-23cb-489e-ba29-e49cd4e83e43,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e4992d7-5f4a-4081-a946-7e1cc8bd4f60,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b149f78-b96e-408a-8091-c3d5f29b1dc7,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d8d59de-2689-4b54-abda-3ebe2256612e,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab42a39b-ae17-4739-b3e0-bc15a8883fb1,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f862b75-2f99-4337-ae5b-f5a6d27ba058,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,794fc106-22ac-4717-bc14-91a5b4807fd3,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abb8f771-45b8-49fd-8320-a719d970b1d9,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb2f8e00-6bfe-409c-a0f2-d1e51c76f95f,"4/16/2021, 9:15:24.609 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10796 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b428ea7d-2e23-4a8c-9944-ac17abf2a70d,"4/16/2021, 9:15:24.609 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,d66381a8-940e-42b7-8676-2c08543cb8a4,"4/16/2021, 9:15:24.609 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f518b1fa-f10c-46d3-9336-a10d65b0bd4d,"4/16/2021, 9:15:24.609 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd03830d-9fce-433c-b9bd-197a09d84881,"4/16/2021, 9:15:24.609 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10664 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,81352a72-70e5-4417-97a9-696bb1c90ae7,"4/16/2021, 9:15:24.609 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6748 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,849c1547-31dc-48f6-bc1b-4751d828c760,"4/16/2021, 9:15:24.609 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit 
credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a3131519-f7c1-4846-aa67-2544a1cd26b4,"4/16/2021, 9:15:32.874 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bfee6b13-d661-47c1-a372-f810db366173,"4/16/2021, 9:15:32.874 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24199fb5 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,421b9442-783c-4b18-8f0c-8ec87a9acbdd,"4/16/2021, 9:15:32.874 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,692b52bc-3f01-43e2-9d84-1950b2e12b3e,"4/16/2021, 9:15:32.874 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3808ef6b-b7a3-47af-a785-d818c6e17f8d,"4/16/2021, 9:15:32.874 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,e62607f8-695a-4176-9a10-ec68bee64aa8,"4/16/2021, 9:15:32.874 AM",,,,,,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed177c1f-96bc-419e-8fcf-afcfc3064ac7,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17ee450f-2983-4100-8d25-579691cd8f86,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,634d32b6-67c0-40ed-b8e5-9242ff4c7b20,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f13d7576-241a-4e54-9628-925665958bbe,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e864cc2-a841-4d70-9ae4-ff1f7b6c3b2d,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25b7e999-2d15-4e8b-b34e-0c26253c790f,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,720233f9-34ec-470c-8df5-76242b8b5809,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\TESTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f445a21-7a3e-442f-a5cf-ad8a833c5ea4,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc882357-bc1a-4063-b562-2fe52aeb8eb9,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,beac9a25-8350-4f36-af51-440c487381c9,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a7a378e-0e6e-4ef3-afdc-b65499e0673c,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48f8da70-2786-423d-b616-91810ad2c90e,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84357f91-5f3d-40ec-8bd6-2b7d4233e48a,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4466a92d-954b-48ec-a2e8-638c319d6134,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\IJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efadc3bd-7cc2-4f2f-b672-03199e2fc3ae,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,401714d3-827a-4d51-914d-404bbfcbd5b5,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a34e595-bf7b-4fee-aed9-7178da16dce3,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab05451f-1115-432b-8fa8-f4ee549ab701,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,384d9cd9-95d4-49ac-84c5-dd5f7abdd922,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4f7f62d-fe90-4cc3-8d51-19f52c46889b,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6028f03-4ba6-4b7c-9d9b-16aff7ee5a78,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41d77ada-1c08-42f2-9dee-d324291925af,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2db3bc5f-856d-417e-99f1-31d98d570644,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec1fe361-ddcc-4cc7-ba7e-2ea7fd3ee4f0,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c85629a1-af4f-4396-9edd-c520c4ae87d8,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,62219800-d0be-457b-a99f-210a32a8be84,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eef18ad9-a754-4d1e-a1fb-1466bae8448e,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8d6bf39-2974-40e6-b251-c594e90c5c16,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c56583e7-4dae-40c0-9b59-86a9d58d1d14,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dbda723c-4af7-4a67-80ea-5a54e5d38cc8,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ce6e459c-2141-4c04-a385-b4cccd41b49a,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7c150bda-e9ca-43d0-9988-04e03cd7ebfd,"4/16/2021, 9:15:36.072 AM",,,,,,, +\POSTGRES,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e122b477-c343-4d31-9d13-7c45e6c0fa01,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0fe35e04-226d-42c6-91c2-3bbfa46c350f,"4/16/2021, 9:15:41.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,21ac5958-386c-4b67-a704-37d650040aa8,"4/16/2021, 9:15:41.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7b03eb5a-3034-4a7b-b894-1dcb2df77167,"4/16/2021, 9:15:41.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8040 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1024d312-e72d-42a7-ac55-1b63ec15adff,"4/16/2021, 9:15:41.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 
+",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e86c3115-1c85-4d9b-a07a-4e4c9b33012f,"4/16/2021, 9:15:41.414 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af609b2c-9c04-4625-9820-de4a3d196f8b,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\INFODBA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7fa8c86e-3ef4-421b-adb1-b3b4497add0d,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c5238989-aab1-49ec-bc6a-d90aec75894f,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\PRUEBA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f59f2fab-19dc-4a06-9884-6a2adb33b39b,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7904 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2f31aeac-7946-48b0-8f86-772313828494,"4/16/2021, 9:15:41.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6697f12a-8f9c-4d6e-8ad3-1f27f45fe4c8,"4/16/2021, 9:15:41.414 
AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a1052f0-a934-447e-96f2-12b981537e50,"4/16/2021, 9:15:41.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2a957d0a-2cdf-42a4-8ac8-f2ed828158bd,"4/16/2021, 9:15:41.414 AM",,,,,,, +\STAGIAIRE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,19477a4d-c7ec-41d0-96e1-4b01f40d4e39,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,05157b80-257b-4307-a2b0-7f2fd686ac0e,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,238786a5-01b0-41f0-84d4-7d835032428c,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b386ebce-463a-4806-ba4d-1ec97b5ac1a6,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15edcb90-2b92-446e-8a60-faf005337609,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,978796e5-3abc-4bda-a943-50a912d62840,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f182a1-bfbb-454d-be56-16f971b94261,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8b0a164-638d-49cc-a9ae-cf02aa1d6148,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d486c8f-0660-44ee-925c-5ca906f1a55f,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f939806-75cd-4b02-95eb-217aa1c881be,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4314cb5a-1ff9-4b37-aea9-b599103a5704,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21622f51-62b8-40da-92ee-ebb79ef816e5,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34dd121f-2ede-4575-ac0f-44087b270a9b,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96a96903-247b-4453-9434-ae10e25d49b7,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a3b326e-3b9f-47bb-a88d-9c82b6e9e998,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8082d511-f629-46c5-8a9d-8b91c1edeeb1,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf1d09ad-e224-473b-9381-2a0e6214dfc4,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eda9d33-9352-47d4-8843-b9f245e28996,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,333b7723-4c88-4d8f-a5fe-87de14c52314,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc88fea-72d2-4d03-9e4d-062df8b24c20,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38a293e-d3ca-4461-b55e-e663b6ba1869,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecfd1421-0708-42b9-b037-e1290632baa8,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a13d25bd-f2ba-4b5c-8c25-2cfbf7f87ee7,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce65831b-dfc8-4f45-a415-f56a7b675745,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9965b61-b740-44a8-897e-741c9583a05b,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8824 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,02c81cbf-1fa7-4a1b-8708-c1c9ce25a0cc,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4268 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8989d5be-9b3d-4c40-a651-3c9fe7397e55,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9192 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,602a3c3d-5e32-4c7d-ac18-bc82e856d887,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5792 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cb892692-0709-466d-bb0f-cdf1cd69acdd,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1512 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c25d4a36-ed60-46b5-83a3-44dfc90994f2,"4/16/2021, 9:15:46.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 10260 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5746580c-0322-4c10-bad1-9a1eb3e5c9c9,"4/16/2021, 9:15:46.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7080 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6c3bd3f7-a8d5-4a40-99bf-60c8bb9e57b1,"4/16/2021, 9:15:46.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2672 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b1d50bdd-b530-462c-bb41-b551557ec10e,"4/16/2021, 9:15:46.999 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7997d1f-a81e-4a65-aef4-e11cffcde5c2,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18757fd3-1dce-40be-aae1-a2f453a560f5,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,147d7e68-6830-42a6-a10e-daf6d3efc464,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\SERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc1ec11-9943-4737-9dc2-947433f66504,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f03e70e0-9834-489a-b19d-4202899d8b4e,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53104bae-bebd-4406-af86-81379be61360,"4/16/2021, 9:15:52.712 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,182de4f8-0512-4f95-b22d-d939d8e360b3,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d6ed301-1136-4175-906a-79211cb47439,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bd7d5ab-20b3-4f0c-94fe-e9dde15bb725,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a06dcfc5-7041-4560-846e-d9541adbd1e5,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c473a87a-3343-4ab8-a88d-249960ff6f06,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7219a6ee-4caa-455f-ba61-07da267d39ec,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c89f032e-da2e-4aae-8c26-2422a94264a2,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ba667e2-8d99-46f5-97f3-8cb6d854abe7,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bf94799-d612-453e-807a-e5cb7adf8d1f,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\PRINT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c6c8fcd-dc25-4316-b747-8800e28d36e3,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fb7bdc6-9213-4f63-b002-f88820f1c197,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c11e2cd-0d51-4062-8bfb-4cbc58e21a60,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b859e6a5-1807-40cc-be73-5293f6759318,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed6e27d-117d-4abb-8633-dbec0458fec9,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efecd885-fb0f-47c5-8d61-42e0bb14d224,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bb5aeef-ca56-4943-b6e6-56a9f0385837,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96ceec55-2291-42fb-a993-e679729c9d9d,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5b471d7-6dfe-44e2-a173-7012a950d585,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed9c5a41-fec0-4d89-927e-86f29e0cf2af,"4/16/2021, 9:16:06.713 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79322a38-ecc1-4afa-b3e9-01b9d372f661,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39f6daf1-c8d5-4747-8f3b-b4b628a707e2,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ca818da-71fb-4e97-b00a-33757b36b6c5,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ba79623-553f-4ce4-9afa-b228802ec7ba,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71f3e686-46b6-4744-8e31-0367665ceacb,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37bfb583-64e8-4c11-9272-a7998e1c2d84,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,836e7946-0914-4e21-b008-59df42533889,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\SCANS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d1a88b-5889-458a-81c1-096f9e4358e9,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06e6bb63-e024-403d-8dc7-fefb5e2603ca,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8250a30c-0e20-4c61-8196-9bc32a91a4c0,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f331026c-999e-4289-b042-38f9e03429f8,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a290b28-371f-4810-93d0-339b212bfd73,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9662ae2e-eb66-42b2-99d4-72fec05fe8d9,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f93c012-bc50-461d-81ce-276f970f613b,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd230545-3e9d-465e-860f-ea6942c1b3ca,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,868a5585-d361-4e33-91f0-16a58d02adac,"4/16/2021, 9:16:06.713 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c34703f-dfb0-44f7-b33e-8d5d13dadd09,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc6faea0-dd3e-479a-9e45-d5bc0a41fde8,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17d5756c-2cd9-4c40-8fdc-e3ee28c6c302,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0c7db31-e6b5-48aa-849c-4f2e9b52268e,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d214c18c-e3c2-47a3-8f64-b5e887eafe71,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6f542c5-7a65-431c-83c5-6982b50b8b54,"4/16/2021, 9:16:06.713 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed2eb443-9528-4e58-abe8-dd95dd62891e,"4/16/2021, 9:16:06.713 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f51886c-0900-4504-94ff-b11ecf414e56,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e5f5d040-9630-4c12-96af-c5e0052ba131,"4/16/2021, 9:16:08.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,79a87cb1-de18-4c2c-b5da-8d168c01639d,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae7b535a-b4dc-4b2a-b3e9-1e5cd8e7592e,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ccae8fe-1969-4344-9259-c9cf77523ec1,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,7e38cdb2-c6d2-45e0-92d9-db4975ee04ed,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ee05460-068e-4fca-ab4e-add9f753f989,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e6665bc6-55bb-4a36-a69f-99cff99caee1,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e949cb79-7900-4c42-8401-55ae91382a6a,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,21351daa-bee6-4516-872c-e7dcbd935cad,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,01aa5f50-c7e8-4209-a0d0-9bd8811b482e,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0fdc6de-06fa-48a3-b572-b1f7a6508378,"4/16/2021, 9:16:08.062 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01befa16-2b27-4521-bad0-2728682f269d,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\STAFF,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,444c2ab0-942f-492e-a946-2a4139bf1767,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\USER5,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca761d40-f756-4158-954a-7cf004565899,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37166b76-358b-4a2e-b890-fdc52728d1ed,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\TUSER2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6a964a0-dcf1-4402-845c-c232e6026f23,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3900 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,174ccd0b-329f-4a64-8d19-915a53c5b9d4,"4/16/2021, 9:16:13.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7c4dfe80-afb9-4d39-8d9d-9924aa36ab55,"4/16/2021, 9:16:13.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,09b2f5f1-38bf-41e1-a615-eecd6079f974,"4/16/2021, 9:16:13.410 AM",,,,,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,28cba675-a875-411b-80fc-6fa3fe4d200d,"4/16/2021, 9:16:13.410 AM",,,,,,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ebb2be3-85a3-40bc-9f57-27bfeb8cd4eb,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ab14939-a17d-4c95-a40f-bd36e20a9957,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75194733-c50f-421e-bb52-3b1a050a35e6,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cf9354f-de5a-4af1-9ec3-f683f5a4aed8,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6877b32a-9350-4e57-854e-f2fc77a0b271,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c83efa15-291f-4dfb-b2f8-7f774f4cd588,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef6721d-1145-48d6-a84b-bc4724d59fe7,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6839d13-c7aa-4b86-a9b0-2e567671e97b,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db612474-4432-4488-b324-8bff9689b3ae,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0d2cb83-a0c5-483b-abd5-358ad84ed091,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6bce0f2-fd9a-4a62-8cae-2afb2c73d05a,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ec1726-cc84-4e37-bc64-1bda69e29d8a,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fdfc3d3-feb1-4358-9a3d-45e42bceabf8,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3376bf5-45a9-4d59-96a0-188ee400c025,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b70b19b2-7925-408d-9521-1670278699c6,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cae5a0d2-989e-4882-a317-7b6ab2ac7adb,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe43e0f7-481b-435b-ae6f-0e37b6d2c7c1,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab896c94-2a6d-4ceb-8a52-4ce75d446bb4,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deda3532-7821-4a6f-b24a-a2f51f590d52,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14d6d36f-b67d-4ced-9293-c39481f42024,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b3b86a-5ab5-4609-a89e-53788868804b,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5da1df4-6ac2-4d28-9f53-057167ebd1af,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7afa107a-19a4-4abd-a341-fd7356baaadf,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2682137f-dd6f-4255-a7ea-7c72a81173f4,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d65612c1-9a43-4d03-9c1e-ecc6a46033e1,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f22adfad-fd1b-4aa2-a123-154f0bd36cae,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a601402-8e4e-4a54-87c9-153240d86c13,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,879402a9-62b4-440b-96cc-18d617bd8a90,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62cf750d-f0bd-475c-b48c-b0ea9b675f3e,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2debfdeb-a541-40b4-bfc5-ca0a40f7176c,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b4e2fd7-ebf2-4b62-96d7-2aa773d48229,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2983dc12-46ba-4747-b11c-53bc9f6e46e4,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2fdb5ab-bd3d-4173-b561-9f43343971bf,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd758552-c5fa-443a-879d-6e044e679d54,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e40f5a4a-ee1f-48cd-9659-bed7b82257aa,"4/16/2021, 9:16:24.129 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c13018-cde8-4299-86b6-d54b03d4da16,"4/16/2021, 9:16:24.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe85ca9e-0475-4f4b-a82e-8fb7eec4a738,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,737252c2-fa33-407c-aa84-84122e3f81ca,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 
32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc13d09-6a30-472d-9d24-d1711d67a87e,"4/16/2021, 9:16:24.129 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d41a65a-35bc-449b-8937-8ca620cf1def,"4/16/2021, 9:16:24.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7af39c80-a3f8-4043-9978-0215bd5ce688,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd412c02-2787-4cc5-9d47-7648764b3db6,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ca42674-e3fa-4401-a8ec-3708e24fbae8,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d19d38ef-5e51-4eda-b7b1-b7357fd48d93,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5923709-04f7-479b-890f-596a3de3a695,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48760b65-e2e6-4dfc-91b1-da4aee5f27a0,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,253083f0-34d7-4c4b-8f3d-89c6bc626f4b,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf362dd-58a2-4df7-835b-43007ed143df,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e536f917-ec91-4f85-bb2c-072c503f5bff,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff7914fe-decc-4ace-b7d9-77fff02e2e21,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47921518-45de-45bb-9c55-beacee5ac875,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cadda89f-3da7-46a4-b308-9ea2e7d6a4a7,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9beaec2-5897-4df8-98d5-b948c13853a1,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\STAGIAIRE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69286549-b425-4aea-a797-621c0ab06eda,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\TEST2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3fbc04d4-bfd8-4c1a-86dd-f4db0bffbeee,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b98a703-9347-43d2-b96e-ac53d45e3fda,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe1bc337-31d7-4a5b-a471-f97e31072569,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c1a078e-345a-47ae-80f8-101c23a9e4a6,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65512e07-55db-4c08-86b5-2f54b32c78c7,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a253a22-84b1-4afa-a28e-b210a501bd0e,"4/16/2021, 9:16:20.705
AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f0b9dc1-6263-44bb-a9ca-9e6be72c17e8,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3cebf78f-1eb2-4926-bf15-d59c393a9234,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,536f642f-05c2-491e-b688-90fb9185136c,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd1d3af6-6a6c-4166-bdc9-00c5be2e67e2,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c83ef794-697a-4ca4-b55f-85ae10b25f76,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa34c5a5-3a8c-4be9-8165-81ad8a3f5f3f,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d404e9c-dbab-4543-9c5a-0c284e357869,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92f1788c-ab5b-43e3-aeb6-e9eafbc4487e,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,,
+\TERM1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28e9c809-7c7a-46f5-bd12-e44e5648271d,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07b00071-2722-418b-ac28-4b217c296df8,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\SQLADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a631cce-8491-4923-93a3-e1d2923bce5d,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6974ed59-faee-4cb6-849d-8fcaa44a1a45,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ddc020d0-638e-416f-98eb-aa7e1659de04,"4/16/2021, 9:16:23.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11468 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9e86ce12-af12-48b9-864c-593fc573c4cf,"4/16/2021, 
9:16:23.870 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,b63129d0-8247-4822-a930-e57753d03bbf,"4/16/2021, 9:16:23.870 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fac80d25-5906-4612-bba1-77b41c099967,"4/16/2021, 9:16:26.627 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2db7b5dc-b07e-4ca8-84fd-b048f104dd61,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8400 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5ca25446-88be-4f04-b6ac-57395a036ec6,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,aea431b1-9bb0-484d-b2e9-62eca174f8c8,"4/16/2021, 
9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,79aa0ad2-f3d8-45e3-8c79-69ebb146fb55,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9304 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5910298e-b1b7-43c9-900e-d86d278e702a,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3736 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,00d33245-cf0b-4fb1-b285-073b171b6026,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 
- A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e71b45b6-d4c6-410c-b649-8c03485e167e,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f1d7cf9-ac69-439b-bda8-283be2d72438,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bdc4632f-b249-4b0a-b2f0-f71a4c92565f,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5264 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e130702-06ae-4fa8-bcb1-752822db5d07,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 2636 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e5f568aa-be60-40d7-9464-4222088a9b16,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e36583e-d39f-4442-bba2-4b4025ce6408,"4/16/2021, 9:16:26.627 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80d76bf4-d905-4361-a686-7b76182ef1dd,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71ce040e-069c-4156-b3a1-bd4670ff9f30,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,024d8ac2-6389-4fab-8a61-4e2f6bd59594,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bf65fb2-6ed4-4152-85b1-80753a405f08,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0b72c2-473c-47aa-ad96-b72a07c6dea2,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\DJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4343223e-be97-4fc2-ad97-f2f8a84fd78e,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ecab7ca-cdad-48b0-80e7-a44867fa6be3,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0c3afe9-d934-4191-85ed-dba46d47b10a,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0d206c8-427c-4858-a5c7-f8794e92c5cf,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,647080a7-1610-40a2-b42a-0ffdb403bdcf,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce198108-c707-41df-8e11-7d61f3db705e,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d91dffbf-3895-4928-b6a0-034da31aaa24,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53001abd-a28f-459f-9298-642a9642261b,"4/16/2021,
9:16:32.716 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34062aa2-b514-4f3c-9f6f-697a3efa953e,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2152d374-2fa6-4aeb-90e6-865e2e80fe0f,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a070ce4e-366f-4170-95e4-d17c2acf345f,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f89638-eb14-46f0-bbeb-e5d3fa35b5b2,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dbfa05d-1cf6-4a60-af80-9893511aaaf6,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\TRAINING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a105935-3685-4e37-8cf6-6499f98be047,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0b9ff02-dadf-46b6-bf42-e072c3f1750a,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea6ef2e8-3657-495d-a9f8-7313cb262d76,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99496125-d730-4789-833c-89f652df2862,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49910c18-f9d9-4afd-b433-19b851ae44df,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d6ec3f-5f49-4dc7-b5f8-74d067443daa,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb284ce1-b3c6-401a-8682-75b6fdb00f69,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f95b505-e8e2-49a2-a2ab-32d27d53c1a3,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44983751-3417-4512-b9d7-af302e2086ac,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f3da76f-e158-49fe-8b0e-e6aea66be38d,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,334711e1-28b0-43ad-8ec9-f9d0ce7f8256,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ABCD,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b9515f4-e9e3-4f34-a509-4092e10c03a9,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aedacc90-b409-46e7-a54f-2ec90a48f8f5,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,373b6bd7-e34c-430d-ac8f-b96d99220dcf,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,588c97b4-bf28-47a2-9aad-d106b33bdc8e,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1583c48c-c113-42c5-a2e4-18a2b4458a68,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1abfa24-a3d4-4251-87cd-f7967ef3420f,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07a100c8-6e14-4b57-9aaf-576bc0ca1226,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67c84dcc-c586-4ffe-8ef5-2106c14f7e54,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5e985ba-db0b-43a8-8367-77a129c4091f,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9703d2c-15c8-4cc8-9e87-676adcd112e1,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd56cf09-2dd4-4985-8c16-b4d0525194be,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b6d2ef5-c4d9-41f3-ac8c-50072717c3f7,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1415d7fc-250b-4664-914b-ce37e07dce15,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1c384f3-8978-47f6-9e99-8aa0cac833be,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,711b3646-661e-4cf7-98d5-5b02bfbbe590,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0beb329e-f435-43eb-bdcd-f0df8afb4ada,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14e9b270-46ce-4a69-becc-c97f3d857dff,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,acf18694-40d6-4d31-8062-13fdb65795c9,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff30401f-034b-4c5d-a1bc-66cc74f927a0,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f699963-c30a-46ee-949f-73ba112ba894,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,45178845-3cea-4a63-a00e-9a2aca48f1d5,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,64f6395d-30f1-4cda-a667-0340a381a98b,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of
{__Win32Provider.Name=""Win32_TpmProvider""}",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,70222c8c-1f90-4c8a-9e99-1244ef04522b,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eeadd3d-7cfd-4cbc-8640-fcd63a5fbee5,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0d7b249-1543-49fc-8770-8af11f397e0e,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee6f3b7f-b4fd-4ff0-978f-1abe4353e013,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,300a3ee4-5e36-4c90-b991-20abfeaf02f8,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,12b369c9-2013-4a3d-a519-ce6b9101b8b9,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ac0694-b293-4235-a8ab-e23cd67f6ca2,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,25ff13dc-8d03-4a49-a535-19ce0464dcac,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a28a811-f08f-4ec6-9dfe-7edd482fa257,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d76ef93-55ab-43b7-b528-24f604afc854,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a0e2da4-c935-4f35-ae8a-e1208ae7bb17,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read
(GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bd84fc5-7ad7-404c-90e3-c0d369ca2bfe,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,388d451b-909a-461d-a54f-36b16a1ded27,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,28cac47b-4e72-4a05-8205-81264128935f,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c513a394-6c67-4ad4-96c5-7988b081cb35,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,05707b6f-9dff-411b-986a-2d1d23a61ce7,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,395a4e5c-e12e-4f01-9161-2ea0c440619a,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b245fa70-f5fa-4e31-b267-b062df5e1f6b,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccb059d1-0ef1-42f1-b503-f1b46d642dff,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,291d02a0-bd77-4ed4-9880-60dd1eb442c5,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b7f097-3fc5-4dfd-ae39-f75d38a13d9c,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36761d8e-8987-47e9-9843-56226ce72bdb,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7310fe6-7592-41cd-85af-e37a3e0f0e99,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,190cf2c4-e8b3-4c95-8a9e-b7f642c2b168,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f49fe399-77ca-437f-b407-4ed57915e5d5,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,564f3888-fe1b-4e97-9b50-1de5ec2178bb,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d452ab7-2da5-42fd-8763-c881a43076e7,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9fea088b-e2e2-474d-b6e9-acadba8b2975,"4/16/2021, 9:16:43.058 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,aa96a17b-00df-46fd-8bb0-1e3d950c1f60,"4/16/2021, 9:16:43.058 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2375b47d-40d6-40e4-a177-2c21e4a40c64,"4/16/2021, 9:16:43.058 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,804dd1c6-a206-49c4-81c4-e41e33eec1a5,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee085fed-0048-4d3a-a10f-a711ecba5770,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50095b21-63c1-43c0-8eba-c40e30c1d88b,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ebe78fa-1486-407c-ada7-99c0f03d563e,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7975939a-79c3-465b-8646-9a6188873983,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de90e6c6-fd19-4886-a683-f5e23e884571,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4d278bd-81d7-4c75-bc7a-2363c46e4b62,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,703ecd31-2581-4c11-bc4a-97376a2493a4,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62ed23bb-fd9c-407f-9be7-847e773bdf30,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5adcb861-29ab-451e-a662-0b1ff12cdf54,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,528456c6-6997-4a1b-8684-ffe61f0a3c48,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,838cfd9d-2847-4e07-ac1d-1ed8ee9de52e,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a3c6e9d-e22a-4fc9-b908-9ea6c88997e6,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fd59739-63fd-427b-a8de-d12dcaa24863,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d6749aa-5b02-4c1a-bdbc-af6ccf433f3d,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\INFO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fdf65a8-7ea4-445a-9651-52343a2e19a8,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16665701-382b-4384-accc-71aff92e2c93,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf74d87d-de59-4290-b3be-c7537bd16980,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c8862d4-be31-46ed-84cf-0e68ebfccba5,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,446c56dd-0901-43c8-a2c1-47929f9c851e,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56bb3609-f068-40c5-9130-87b0bfb454f6,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1d69384-258a-40e5-8a3d-5b18d91ea631,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f73e5e3a-7bc0-43e2-8847-45630a1aed76,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6383aa6f-b687-40bd-a1fc-fc6d85c2dea0,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b2fc78a-17cf-4150-adda-8d4de08aa84d,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,597913b9-1889-4aa8-afc7-0f9801a1628a,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf0e03fc-91ac-4c40-9353-cbe2b4631812,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06007359-6cd9-4757-a010-849a7afff610,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593beebb-63cc-468f-9733-9f28506ae1b2,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d300a71f-5172-495f-857b-b212fd38e655,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02507f5e-2503-4417-a363-d9acf2013bd4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb08da15-986c-485f-a76a-5bd2b8c9d13b,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce38fb1c-178a-49e2-b78a-131c943cf539,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99802637-7822-4b2d-999f-f0fe37163010,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddd43fb1-7197-4d1d-8050-dc5ea2eb3686,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d099d1c-6d7b-42d3-af23-fffac595c5e4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,506af2a0-2428-431e-8798-2961e4612548,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\IJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c57728d6-244c-4dd7-a84b-06fea7626447,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52abe594-0627-4a71-a4f1-7c9f9cec1196,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2628acbe-1d7b-4aff-a7f6-84439a01cbc4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2560af09-a478-4a65-a5bb-a3d513145f47,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3969ba6-b3fd-45cd-8260-f1ede791c08b,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f18fd1c5-23de-443e-8623-55715d616e0d,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bae15b9a-3e54-46b8-a1d2-17fb2806f361,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0096cd89-fb11-4797-9937-c8a86403fa6f,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ca37653-4f04-4906-8b11-f2064cfb8de5,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8479b38e-3888-4b0c-9515-dd669c604ad4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a8848a4-a0bb-4f59-b615-9dc9f9bb9138,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5898d452-cb92-4876-addb-74510ba9a1be,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37dcf962-e96b-4469-a536-1d3893c035a1,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5424 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f4eb94ac-0613-4914-a676-9149b4fd9001,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f8a00c70-25db-46ae-ad16-61dde6a5af11,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c17042bc-4a77-442b-b0d8-161effd41c6f,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42f2bdde-a954-47f0-83e1-b07b3ca836ed,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5320 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3caf9368-b16b-4a20-8df8-bf72ca46b607,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,09805d63-0cc2-4930-8004-d51c655c2874,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b97af5b4-3254-4d1d-ba18-e5769784aba2,"4/16/2021, 9:16:46.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f144cf83-2686-4556-9e34-6b5ee8e71f81,"4/16/2021, 9:16:46.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2b0a982e-a7bd-4687-ade4-7346435648e5,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1056 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,235722c0-9b61-424b-b767-47e9220812bf,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12432 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b155ce72-e076-4fc9-917a-9fefaf14a7af,"4/16/2021, 9:16:49.282 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ed5cf947-bf12-4ad5-b741-c48be1e40cbc,"4/16/2021, 9:16:49.282 AM",,,,,,, +\IT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,54912d90-342f-4483-a701-a673f19435e5,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0732dbfa-ff15-4784-8165-49ee49512f2c,"4/16/2021, 9:16:48.551 
AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9911e264-6e29-4d84-973f-3e82d78c603b,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\REMOTO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cedb851e-234d-4c8c-9a1e-96fdc4b70f74,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c090ba61-1d26-421f-b3bd-f4aafea5139c,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7d20cd16-d8f6-46e6-b6e1-ab91a4306fce,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c79d7791-e11c-4883-acc0-62f13b113581,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\MARKETING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c681e3a0-2e3c-444a-ab74-3bbdc6335883,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4e5c908-9e42-4632-bf9f-7c307511cccb,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6baae6ea-36c2-41cc-981f-c73b07572ae7,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba9a353b-9802-4ae9-b5ad-688580c8792e,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a6bb050-09ec-44df-aa9e-12b47391d73f,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54231d16-46ef-404c-8ac6-7b0992869b0c,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d001d66c-f4f3-43aa-ac66-14b579db06c8,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62911359-0b5a-4b99-9809-733da6fae510,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a70fb6d1-80c9-4012-b506-91b28bc7b413,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb88b5e-6031-4bcc-addb-e152ede22c3d,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa06ddb-0319-478d-b61d-966c3c2b4c24,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493336be-e387-4c92-a0ea-9ec110b95ebe,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6c7585-fdd7-4c43-bd2b-6816b10c9271,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,544c07f2-fc61-43e4-9fa7-0525953b3411,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91a9fbf-fad4-4260-b479-6ce60632f2fb,"4/16/2021, 9:16:51.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a7a2f14-494b-44d8-adc8-20cd0529a33a,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a9ca40-0ab5-428e-ba7b-e765607e48fb,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13530f6e-bad1-44c4-a480-7c890ccd8cf5,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1428 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,bedf4470-94d2-4e89-9a7b-28452f56395b,"4/16/2021, 9:16:51.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dcc6d0e-d4b6-4bd6-bedc-ec89f5f0ab37,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29269d66-f529-488d-9047-c89239263b93,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7065da8a-f145-410c-a975-353d7422380e,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29e0eb76-0111-4155-ac60-8525e48c10ff,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3602244-89f3-4a67-9c8a-cb08c729e9c1,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f5d94aea-8472-4c56-863d-19a38b482d65,"4/16/2021, 9:16:57.610 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8984 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,26ad7ddb-93cd-42d7-928a-d92f9f6eae24,"4/16/2021, 9:16:57.610 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,cbdeefbb-2955-448e-9e9d-42a640cffd7c,"4/16/2021, 9:16:57.610 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c6fa695-02d6-431a-a466-29abf6817a7f,"4/16/2021, 9:16:55.878 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4420 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f1f50dec-d1cb-4a99-bbfd-8998c8e7b2e8,"4/16/2021, 9:16:55.878 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b1dc59a-1ded-4961-982a-ef31de1a0b3f,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5574870f-b6b8-49da-9bd3-2d528fceb284,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef630e6a-d465-467d-b985-78da0374bb6c,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed39b0e1-4d8d-4bf6-a344-5a36ba032c03,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1511bfc-00ed-47ea-9c1a-ae53d19d86e1,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3edfc8b-3472-499c-b06f-3cbf0d082685,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\USUARIO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c81cfcd-bc57-4f38-9527-cac29a5898cb,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,591f0dc8-f41e-45d1-9ee1-02c9a3eede06,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e76b6fc-3685-4854-9610-b3ea3ebd3da1,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5637ede5-4345-4a0b-b139-9f5548618dd5,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81d5a049-809c-48a5-b854-29f9032d5b55,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24963b91-6cdc-4cbd-9f06-c292baa24f83,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a52ba0cb-a041-4cad-b714-37105e19adec,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23a43d82-1ea2-46fa-a02f-be5775421fdd,"4/16/2021, 9:16:59.706 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,042f98db-612a-43a2-b5c2-a5c2fbf9e6cd,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,871273bd-0a81-400f-8522-dc1c345084cd,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0925c371-9783-4bf5-bb01-c609c23b440a,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66a14d80-491e-48ae-bf13-c821622cf2d2,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7581199b-cea8-4e36-a9b9-1898f6e71ba0,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d4d8b23-1334-4a9a-a390-8b088551d126,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95ae5254-54ec-42fb-963a-cfae902ccd98,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a16f0f88-1d67-4897-a93f-4ec55454e687,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f322e82d-bc22-441e-a9f1-914905323aff,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17adca3c-e4fe-4e6d-9f7f-75dcc68d1ff8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9737c6d2-9ce4-4a92-b4eb-593d9d403014,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40d5a7a9-59ac-49b7-b64b-d3e67f472f48,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a0142f2-fb22-461d-b116-d64351bbb175,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b5ab254-cafa-4262-a7ba-abed8b1a15e8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\TESTTEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,316de0d7-9b87-4871-a9b0-8d085ec27a6d,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0103df9c-b2c1-4e59-8fbe-692c06c76a92,"4/16/2021, 9:17:12.717 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4003ea0-0ee1-4c7d-83c6-ff068724e1ff,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0273dcfc-e699-4880-92e1-5e680046f153,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e064b77e-7d21-4dd6-9e0f-2f9aa9a7b2f8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28d1ebe4-342c-4c55-9e66-a0e2c227497d,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39620b44-7755-4b54-891a-731d59d668c7,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,925a6549-853c-431b-8969-bedd2fb838a4,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73ec5e53-219f-4bea-8eaa-b7fd44d21c0d,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac0269a0-ec97-46af-acc6-5d2ad4051e8b,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8df9367f-100c-438a-9d63-714edf57b425,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95c70115-ca9d-4ab6-b926-261e61fef8a8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7e489d5-96e1-4953-9945-aa83fdabb19b,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,429106ff-10df-4d39-b749-e1239de7eee3,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01282718-68f8-451c-93ae-b5695755b771,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e31c4e1-fe55-45e9-93c6-e56c5cbb348c,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0b7ae5c-d78a-4a45-8f13-b37de00ced2e,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1852a39-aca0-4678-ab16-fa33d3f0a30f,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2e2acdb-6d20-45ca-b852-f78f86bf9670,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acfe49e8-b900-41eb-b239-e5626e109f9b,"4/16/2021, 9:17:12.717 
AM",,,,,NTLM,, +\XEROX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b01e223a-88d9-40ad-ba05-829a3d1de74b,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0240f077-b749-40cd-9c79-3866ecce3885,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cde7119a-30da-41b4-8f09-e256117ca8a8,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ab7623e2-ea55-4524-ae0a-567824759ccd,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9cb3cd47-dfac-475a-9631-93e46d5cfc60,"4/16/2021, 9:17:16.122 
AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cadf9ef7-8ca4-42a4-aa13-6b775bee0668,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,322f442c-90ff-4a9c-8aa7-3582c8303e73,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,27a219ac-0e40-4577-a381-152db023f680,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,55672be8-8908-4d75-8305-4f19d05c23fb,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8fc380ff-b110-43e5-8313-1a515d23a7b5,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eff7e7da-fefd-42ba-bc44-95502e395c99,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8c2133ca-d4de-44ba-88d4-51d720706687,"4/16/2021, 9:17:16.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67f74d5b-fd07-4286-b7d3-542cd4def0c5,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbddb3a0-d22d-413e-a83d-16c0f1ac99d7,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7283aa15-ebd3-4648-8e5d-ce4d7576f6ac,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83db2614-e52f-4f33-a3eb-e939a08fddc2,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e66d319b-040e-4439-90cf-60a9d211a01a,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ea44a87-9e39-40b9-ba3d-ed0090011c33,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4893a5c-fbfe-4cfa-b77b-c7e7d8f63a6f,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55e4cfaa-8946-4849-8869-5c023783df44,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ff5331-90a4-4a22-aee5-e51ac468ccc2,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59e6a108-8954-4e48-b6ea-dd3ef604db8b,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18be614-8572-468d-a8db-ce250eebc982,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b01b779-20b7-4bf0-b842-7d4d07beedc8,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d676e34-beb8-4a20-879d-12c5baac847d,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,52f39d23-1a44-4453-a82b-46203280f2f4,"4/16/2021, 9:17:21.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c45b79-c9bd-4b35-bd93-3df0752ae6ee,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f385b6d-e1c5-4760-b7e0-e97fa26f7632,"4/16/2021, 9:17:21.129 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2792 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03462bc-c8eb-457e-968a-2127b18cec5c,"4/16/2021, 9:17:21.129 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 
+ D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c769ebf-d759-44a4-ac75-623d8820cb22,"4/16/2021, 9:17:21.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,187f11f7-ae8b-4f97-bff8-359c183343e5,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e1ba140-3f46-4017-a543-5ba647b02c7f,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c0cabda-83b5-4bbe-b206-d2b254e7e249,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98d45009-e42a-461b-9233-8bc94dc743a5,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2b3587a-ff73-49ab-95d7-8880f1c7a5c9,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b097043d-ae53-4f93-a1f4-adcda158bd1e,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08805ba4-df9c-4c42-8779-d71154d53ef6,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,975d5ec2-366c-4195-a198-c089c48d10d7,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30cfa161-1472-45f8-b432-31114da5bc16,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b186c1-acb1-4d65-85d2-254f39c657fc,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb51e140-68f0-49f6-bca0-5091d08bbbfa,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64c72360-83bc-4ca5-bc11-03496b03f8fb,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5bc9a8-7400-4864-ba83-7aa279ffa98a,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,571c998e-f073-4e74-ab87-8165208083db,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5478ad76-8c56-44da-b34f-c3117bb23305,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41d9760f-46f8-4a0d-8610-70fae00017a3,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add4508f-3f8f-4d67-a626-0036f75a46b3,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40058061-3497-48c6-a63e-a5917247a7ae,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9abb857-6662-41fa-a215-7d538e4276b4,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba1545e8-a28b-4335-8026-1cbd08b7859f,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e396bbd9-ef14-4fba-888b-83147fe4235d,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2edcccdc-d508-4792-b64a-80c69687b186,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0de06ce-e4b2-4d2c-93c7-793ee090237b,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6995c32a-2293-4f28-8632-732a07012a88,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f040fbc8-3c3c-42d6-b7e0-7a517265568b,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94af08a8-529d-4989-98b0-badf9561ee77,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,477effba-4f60-4be2-ba5b-61be5531970b,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84a3ce2e-a55d-4dc3-bdbc-85c54274eadf,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a39f711-b8ca-40bc-a59d-5a3e122d1fd4,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,207ab2b6-49f7-4649-9b0a-9fe00af377dd,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b2d3533-7830-4575-a60d-5d8660416ab3,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c487c15-3b2a-458a-8872-60167b2b1c73,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1772 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,894c0b30-c185-4180-81fb-3928d24bdff1,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a3bcdc35-b224-4cbb-ada4-e4757881b8d7,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1888 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + 
C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b03afcb5-b04f-4801-bf24-32f6bce53de1,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,26dd4ad6-89cf-4209-9600-b20de1fd4ae2,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9090e6bf-ba8b-4fa0-84ea-544964e66e67,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8736 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a1582304-44b6-4198-ac0c-c63bee5301b1,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - 
A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cf4845fd-ebc8-4698-af08-3c8281660ce2,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2a01ce7b-313a-4148-9ea4-957c4b18eee4,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4716 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9990db00-c72f-4afc-88f6-b52fe1bbe85d,"4/16/2021, 9:17:28.707 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36fdfa42-03f8-4e7d-86ac-7385047d7c2f,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92fe2edf-b121-4404-87fa-45be31c594a8,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0461eae-3aa4-40c4-8eb4-2163d19288e6,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb469e82-f71c-41b2-957a-6d735f984459,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b48a949-5368-44da-a494-92aab4aa330f,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8e0d88b-8675-46cf-9f30-75980ab60884,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2bb5eec-4640-4766-84e3-41ce6a09c735,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4118ba3-be88-4879-9a0b-362643f64a74,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03899869-ef0f-467a-80e3-31eab15a5e84,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8b60102-3a33-432e-89ae-8240f5ff66b8,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4dff8c5-df1d-4aed-b5d8-de7c65f90734,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04c6db13-2b0c-40a7-94cb-4b29cbf83e7d,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\DEMO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26dd68a6-e539-42b3-aac7-4d604de0cd44,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7cb811f-d8f7-4528-9fcb-a779dcd90706,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f52a06e-0fca-4573-a516-af480a5b376d,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a188ce2-f34e-48b9-82aa-b27cada2e75f,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\SIGLABOO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2f3081b-0020-4f4b-847e-87ea71fc9a14,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13acd710-6847-467a-b8d9-a75bdf13e615,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,821d5d5f-06cf-42e3-877f-e6a9765eb82b,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bf636e9-f361-4e9e-b39f-ded8442d2808,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cdb1cd7-762b-47e8-999b-fabeee0f2315,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c044673-4360-41a7-8b91-197d5a7e12b3,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,101359ca-ae12-4d2f-a3fe-2c6135f9bb33,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,eb4702d7-ac73-4385-a8c9-94d44daaa2d0,"4/16/2021, 9:17:45.881 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c02f0833-f827-40b3-9af8-ca73b8b9ad3b,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,718cdb5b-b92d-4bf9-8f88-ad5f7653303f,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,928c842b-5509-4d22-9078-eb17a2eeef87,"4/16/2021, 
9:17:46.723 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8d448c-2b99-4f0b-a3ff-7f7c5c0f7617,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,debca76d-b848-4536-8d48-1f5d62e162a4,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\OFFICE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a1269a-cd76-40cc-bb6f-bee997235d68,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a424d4e2-1180-4063-80de-005460ebbbf8,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2203d959-e72b-432f-bbfe-683a996679e2,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\ALDEBRA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a8e9620-6658-46fc-b2dd-e439cd60640a,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeb491a4-86c7-4325-9992-683ec17ef217,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f966f37e-06fd-43d3-b7e7-e2dc5725b700,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0dd50a7-418c-472c-87f0-e4231e137ec2,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a13c16a-e6c0-4844-89bb-127a60eec795,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,301ba37e-fda9-44e2-8c04-12d8c8b272e4,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f28ce0c-84ae-4f31-8946-1e76b584d665,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,605514b0-fdf5-47d6-ba2d-00874757c91e,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,533afc0b-a3aa-4f12-bb8e-95110c78ef34,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9b8472-09e1-4b39-be9e-87f60ce4c041,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2a35434-afe1-4edd-aca2-8ff536298180,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,866ab78f-56b5-45a2-bbe2-42e46a1482c7,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d141a8a-d04b-416b-b46b-f965e9d180b0,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92d6aaf1-2d38-412b-903e-b2b325baeafa,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8d1dfd6-6fed-4fb7-a3d8-88097bfa0c18,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a4f5dda-3881-4b86-bd3d-8db1c0ed0016,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ae29e17-3464-4f13-b4bf-8cb70266dafd,"4/16/2021, 9:17:50.412 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,88caeffd-2683-449f-ae34-5420154aabec,"4/16/2021, 9:17:50.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cfd69428-b2a5-4d9f-a06a-d4ea9091504f,"4/16/2021, 9:17:50.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9cb4c1ac-13b7-4fe3-adbf-692f9875db8f,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4872 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,605cdca5-44bf-4934-bbb2-ca7301d1011d,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8072 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,89cd6122-2a8f-4577-a91d-e10b42d673eb,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2376 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 
7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5f52ad2-1fe2-47fa-9c77-08b6eda4c576,"4/16/2021, 9:17:50.412 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b0ccca56-009a-4e9d-b952-7ea5ce255090,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +\DANIEL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ecb4c086-14e7-49b5-b2ef-b71ae82b4f30,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3340 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48a15a80-f78c-4891-93b4-bb31c9ff80fc,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6dae5a35-7545-4dd2-86f1-ed674391b5e6,"4/16/2021, 9:17:50.412 AM",,,,,Negotiate,, +NT 
AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c958d32-f438-49d6-a7eb-3a90651a2cbb,"4/16/2021, 9:17:50.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,43bf0f94-5461-496d-99a5-1c75308a604b,"4/16/2021, 9:17:50.412 AM",,,,,,, +\COPIER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,111c30c8-2df6-4649-88a1-b417fd112a58,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71532545-67ff-4021-afe6-ef899c17cccb,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +\123,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdfae17b-39e8-429a-9fea-459ac859af91,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6cdea24b-e033-4588-8436-e222b6e535ba,"4/16/2021, 9:17:52.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,bdb94e0c-6136-4132-affb-3c7b2dc90181,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4735270f-44b2-43e9-9ef0-042adfc8399e,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ca8917fa-4ba1-4a73-945d-5f907ebc989d,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,74785bd9-d5fa-4554-be74-c48fba5587b3,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,09fad265-c2b1-4d6c-8a2a-85b030a5fff4,"4/16/2021, 9:17:52.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,be45bf41-acf3-4e5a-bac7-69f3d9b54611,"4/16/2021, 9:17:52.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,f99ccc77-24f8-4b9a-b22c-8778702e75c3,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,15cac7e9-bf41-4f18-a54d-6e0d87265e84,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c905584-b2c3-4e4f-a7d1-59e415c628ed,"4/16/2021, 9:17:52.071 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 372 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0623a679-6fbc-4305-b78c-9f07d0146873,"4/16/2021, 9:17:52.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 6904 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4558ca18-7838-4aac-92d9-6b7686bdca42,"4/16/2021, 9:17:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9bdc47a7-b387-4b3b-9775-ee4a6b6d307a,"4/16/2021, 9:17:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7efad8b0-7191-4f87-a436-617a6af623ca,"4/16/2021, 9:17:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dc830f2e-0bfb-4cd0-b6d1-4e0f46ecf4d9,"4/16/2021, 9:17:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6b855a9c-1b66-406f-bd2e-708785c04223,"4/16/2021, 9:17:52.729 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2253497-839c-4a3b-9cb2-63172b7f8e27,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74b82f2d-a92e-460f-9e67-78da494ff72c,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0eac4c8-4aa1-47fc-90c2-a569675ea7dd,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa3fc36-543c-4a7a-bcda-6882f6ffb5b1,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da2826d2-e858-4e84-8412-c439a539e005,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77becdf8-b8c0-4c47-b8c3-afcc0b1f73eb,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\AAJZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467780c4-d4a6-4570-b1c7-107aabecfdb7,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eefc75d-0c21-4944-982e-a785eb4b17ea,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d52b3f8-6a50-41e0-bdcb-d3d57fa1bbf5,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cf3a319-a3f8-44e1-91cd-d5f41da70c19,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78618e42-b12f-4c0e-9928-fc93535b4720,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7eedbdae-1a7d-4039-8202-01d0954b8937,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31653abf-e513-456c-8a6a-c8b42555e1fe,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,982ef87a-3739-420c-8ec5-e7dd112e02f0,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b705bc5-5847-4adf-9fc5-ac7de43d774a,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3320f6f3-d1bf-4ee6-8205-9058528478ee,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecbbfa45-ae80-41a9-9d8c-d718f0a9c4b3,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4593a4fd-4133-4b38-917a-999ed4f79eab,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,477a9aa0-4b4a-4f97-8c64-fd27d5fe45ff,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2421b746-09ad-42b1-bf4f-4ee91861d8b1,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f4f99a1-0606-4b0d-9d4b-c3bbe764cd0f,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48c0f3fe-1c25-4136-aaf9-9c3f99b11f5c,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b707bf9b-6223-41b3-a568-2648ccdbc4a6,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,68d87d0f-6ca8-4a64-966b-0a68e01787d8,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c39a2081-2143-4a89-b707-491b9da70001,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM 
Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,068e2054-c56f-4e93-a980-3558cd142f47,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c2b37ad-6959-4833-94ee-bafb6bfe4c59,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,71a4fdf3-04d8-4337-be2e-7db4f1f30841,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,222c62f8-d582-4728-b7d1-0d5bcb218f6c,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fdee43d7-4754-49a4-aa8c-69fbfb8f5a28,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0724ecf4-1009-4c5f-8af8-774caf484e0e,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3bfe316a-d3d9-4a6c-84c9-e871cccffdb4,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,08f5251c-4dc8-456a-a7db-a1295dc5bd0a,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e4af53ee-8e76-4a54-8157-38c5fd69922e,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7f79fab8-bc9a-4bb6-a40b-04a808c4ff9d,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b2ad5134-3732-4cb0-8611-51b8fb719daf,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7dd02b9c-b96e-45b0-8892-1074f708b435,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,35481254-cc66-45f7-ad60-9268bdf80c62,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9170a9d9-36aa-4572-9fcd-12b60f53af94,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4068172b-06ab-42e5-b1ca-bffd32a1694c,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,61314406-d08d-4660-b988-5aba3e03d666,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1dad5dc0-79ce-4cf1-8a6c-45aa9c85bd5a,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e9d9cbf1-0bbc-4ab1-ac1b-25d14a439f23,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,49c47c9e-f299-4691-8d6e-ae96566a4a72,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cafb407f-dbf0-4044-af53-3d184ba20d21,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9185b4d7-3df3-4a5b-9cde-e99ec91866c5,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,21ebb0b2-ed33-4d24-9fb2-67a683517819,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,31c4bbe6-e5fb-4268-bbbd-3b87ac9dd739,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4bfb4990-9e5e-4593-afce-a67dc1d429a0,"4/16/2021, 9:18:03.881 AM",,,,,Negotiate,, 
+,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4275e87e-50a6-40bd-bc45-0bda034bc2f1,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,54b5b9a3-28dc-405a-a330-bd9c1ddfd911,"4/16/2021, 9:18:03.881 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a0fa9539-cf22-46cd-8af9-cdd62282c9ea,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5712 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,badbb887-d4f3-400b-a663-31d095e69663,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12308 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 
4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dbc3e646-fd5b-41ca-963b-90bd2769d1ef,"4/16/2021, 9:18:03.881 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4d4232a2-b70c-4bfa-ac55-b737cf79719f,"4/16/2021, 9:18:03.881 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e897ed56-c48d-4c62-879c-3dfe439323a3,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3752 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f5998efc-0dab-4082-a5b8-276f03cfe79b,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 4360 + 23 + %SYSTEM32%\SGRMLPAC.EXE + 32 + 884A078F302053019A3FE11B1C2BAE826C6B1600D3542A8C0FA4511FE88C0320 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SGRMLPAC.EXE\10.0.18362.01 + 0x3e7 + 32 + C:\windows\system32\SgrmLpac.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0a52d545-3d93-4dd6-b041-105a8c759749,"4/16/2021, 9:18:03.881 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a9288fa-b5d5-4adc-b805-be38b7c791e2,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed1273fd-5bde-44dc-ae39-420d17480d86,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83bc991a-fb20-4c69-a238-c42a9a6bdad9,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1a789b-64d8-4bc1-ad7c-b99af01b1408,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,540482ce-9072-4e7a-b729-70fc7ec9a306,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28fa6332-cbfd-4586-abb8-5c96f7eaf8a5,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ed7f3a5-de32-4df6-985f-af44fef43599,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97847baa-3a8b-428a-9498-1dc2f3a38e29,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f83d35d-5566-4441-b6b4-2a75cdfac950,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,391406ec-faa2-4443-b902-a23ec3bc4adf,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e6fb829-c8fb-425a-914e-bc1a21f7e8db,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3eeac91-aff0-4d3d-9be0-869c9b865f03,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a02ba8e-7ef0-447d-a8c6-38d24f04ca4e,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a4f34dd-84cf-428b-98a6-44ffe3467ee5,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df92f39e-beae-487a-885a-160767d32988,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e88ff95-153c-497e-8d23-442dc3488133,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fef74b3-1e25-4b50-8def-630c27b004a9,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c53f42e-0339-436b-b958-6121eaa8c3eb,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f657094e-d6bb-4b67-99bd-8337a63dcde8,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec15a08a-da13-4a4d-9221-7662c12cea5e,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef060bc5-68d5-4110-bc32-75ff2eda390f,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b40988-0689-4981-ad4c-8fbe65aff3ef,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12b5cebb-4c63-46dd-9ea8-0eb691568c48,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1fd581-5e87-4edd-832f-921a348c3274,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7c98458-d378-4d64-8af9-5340b48f5721,"4/16/2021, 9:18:15.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f196fce1-396e-410b-a8e8-08bda761ed4d,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f45344-cc5d-4ddd-9193-900c0dde1d7d,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef8d0b7-742f-4d37-b2d1-e2bb4b649b37,"4/16/2021, 9:18:15.182 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ed62c9d-7eec-4374-967e-24fccd924ceb,"4/16/2021, 9:18:15.182 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a8d900-4036-4ccf-8685-8d5d92bf881f,"4/16/2021, 9:18:15.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b35362-9a05-4bf5-8863-78bf5917ed26,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71388a2a-928b-4079-99b7-cf06cb68838a,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a62a4797-5bf1-4c80-bc52-d7cec6e133dc,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2938f64b-89f0-4035-90e2-a29816fd5a3f,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdc8d3b2-de2e-4167-a053-67aa618cc5f3,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cae4fe89-f543-4203-abd2-c2e4a393b8bb,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c72d6aa5-70d5-4081-bb74-ef6822785fbf,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8520 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,232e3239-4ff5-468b-a0d9-d794d1c1f5e1,"4/16/2021, 9:18:15.182 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6072 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4764ef6-a7f6-4db5-b8b1-ffed6daf6357,"4/16/2021, 9:18:15.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,170acbd5-7d35-4afd-8a55-5d9f5e53dbc2,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f7fc04-bc6d-4166-89b5-b938565172d2,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248c2cce-bde3-4b83-9fdb-8f027dbfca82,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20c02b95-8b72-4683-acfe-ee86916c5ec4,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7e8023-252f-4e29-85a8-c8cceb4ccda0,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89e0f24b-1da3-4b26-8384-6c1427462ce7,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fab238d-febd-4faf-b984-88060c160de8,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d229228-a7c4-47bd-a1cc-d5e0759f0602,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c42cec2c-8ad6-47ba-81d7-5c1fb1c1ba00,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1285ea8-7299-4a89-8883-8d56561db3ca,"4/16/2021, 9:18:20.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4488 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + 
C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,41e0c154-6a73-444a-b613-14e237d341e2,"4/16/2021, 9:18:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,690e845b-a2f2-4c82-8fa8-bf06ea55a2de,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6b639ab-2ea8-470e-a941-bcd1ced81233,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b6b01f-09dd-473e-b990-8885c8c56526,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c0a972-82c4-4e0e-b201-6a5cc31afaaf,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12eb176d-7d5a-4948-81f4-c8af6e0acde1,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4251ba00-40e2-4f60-887f-9a67ab0ebfde,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bb6a8e3-fb7a-4400-bcba-e2887e494208,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2e4aaed-5ac5-4d2d-a1c1-ce4b198130ff,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9c0b6c-ab93-4675-b5d5-4b6970534bf4,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03db7b41-c576-47e5-95bf-6d1c3d9ffd4b,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89efb4eb-e4ff-4a04-ae4d-7f36d57b7338,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aa37080-1214-4389-b8d6-7e7feed9ba6c,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e19134e-fa8c-4962-a85a-3f1e12276972,"4/16/2021, 9:18:20.140 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f768cdf2-dc48-4aab-b5fa-de37a5112bc8,"4/16/2021, 9:18:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87ac6ac1-d36d-4206-8732-37634358cd44,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,445426e1-a553-41fb-9436-f38da697e830,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d59e8124-3ef9-475e-90a5-c03690636287,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e95fc4d-e0c9-42ff-a0aa-f2635bd6eb8c,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\herman,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847e7bbf-5872-4c47-be9a-fed7656f5a91,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4220 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f24926d1-e5f2-421d-a7dd-4a03a2f23c35,"4/16/2021, 9:18:20.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3860 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5df6855-abb4-4bd8-bb43-9866cc592f82,"4/16/2021, 9:18:20.140 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0083b858-5a45-4019-a650-912cbb240a44,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5d965a77-65c6-4a76-8253-a3f91975c168,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0df0d530-4106-4ff3-aa34-aaa24e2440d8,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9c3d28e-f784-4c4a-99ae-df3b8cb8bfad,"4/16/2021, 9:18:24.070 
AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ab6f2808-0755-4170-ab1d-94190bd31754,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d97308bf-b57e-4c51-94f8-409d97d6a55d,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f2508c46-f6a0-4038-834f-c57ca05bb565,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,33412b6c-4360-471f-8591-bef5d1feee40,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,724a04d0-59f9-4c37-a449-ea8630e93600,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,011e484a-63f0-4f99-ac70-66cfecd96523,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,37fdb470-f766-4085-bd96-2383b37e966d,"4/16/2021, 9:18:24.070 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11828 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,dc07613b-f1a8-4b5b-955a-b6c625c544ad,"4/16/2021, 9:18:25.271 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} 
+ 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13108 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d1e37ed9-f8e9-4c16-8ad9-aa74ad372723,"4/16/2021, 9:18:25.271 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6876 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,97ca52ae-d700-4b92-bd93-d2d0e5c957a9,"4/16/2021, 9:18:25.271 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a592ad06-b6d1-4957-a21c-a6af5aceda81,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b5ec3a8-4513-4660-a643-f54fbfa8ffaa,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7829cb29-c9a0-4155-9488-22be0a024930,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61058a8b-df7b-4a07-8dca-9e7952c409c1,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95f7a563-9058-4332-b6bc-59164e9c0e9f,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400e75e0-98c0-49ce-bbf4-358acb4559d9,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ff102aa-74cf-4114-840a-c3d98aaaaf00,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\remoto3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a033a4-e582-4eb1-a87e-5ac7b54934f3,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77b5e268-48a5-4532-b22c-ca29f08cece8,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61d34458-d0a6-47f7-93f7-9cb3f25f73e5,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ba273e8-c045-4637-8e0e-b5e959720968,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352f3b17-918b-4ca6-864f-f3b088c4b71f,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b63b5b-7f6f-426c-940b-5f0f94e7678f,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\secretariadireccion,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea14796d-8b64-47c2-8ece-921c95ab2582,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a887681-e7b1-4308-a9ed-0af41baac279,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\PDV3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d669fb17-46d7-41b6-b616-9920502b70e5,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e90296d-46b6-4612-bc6e-6fca9bf56dc5,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6673d5c8-106e-4655-b9c4-94502db4ceaa,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ed6603c-99ae-4c0d-a2e2-767e135872fe,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a2b89e6-149b-42f5-ac32-0ced2b0a130c,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05045534-97e7-46e8-9907-3879599589b9,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9d1db8-b84a-4f2b-8748-124eb985a327,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a302621-5ac8-4b9a-a5d6-8c71e74e0845,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,187616c3-96f2-490f-90a6-cf4d59bd5a41,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\carolyn,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77fc5192-08d4-4c48-acd7-d8c8a34be257,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,107b13ff-687e-4ee7-beeb-a1d675168ebe,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78a216e7-e923-4865-9df6-b8d631dffe87,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7e81bbb-3f3f-435d-b62b-84f500c901d3,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18453e12-a2da-4cd7-ba0a-916731c85c9b,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1054eb0-202f-4cf9-bb53-2c200e605ed5,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c49c20d5-08d5-4f88-b1dc-d18e326872d5,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\fep,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98c00820-54a8-4696-8c31-6eae3c13e221,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6499af52-c3e3-4d40-87c6-141fe83cf8db,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99687c23-8fe5-4cc3-983f-726991853555,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,defe4392-0f0e-4549-88eb-8f1d242181d3,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d642f24c-5d43-4ed2-b209-71d57e12c95a,"4/16/2021, 9:18:33.127 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a16e2871-fd5d-472d-8577-ac404d9334b4,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6fab184-54a1-49b9-91a8-26d06cb11b24,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b842837f-4eee-40f9-bdf4-9b76ee4a146d,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,436d20ac-9ab9-4bfe-9c64-280b8b5f40d8,"4/16/2021, 9:18:33.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f0e2f91-71ea-48ce-993f-a2315b41ad01,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17dcc807-16ef-497f-807e-ac80f60cc4e0,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41775590-89c7-4c7d-b212-a7fb97589bf0,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\user2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c173633-0a08-4080-afaf-723db443cbb0,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da531564-ed82-415b-bd6c-99eee8da98a1,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30f1b0b-d6f6-459e-8552-dbb19d1cf035,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4728f43-a66f-457d-8704-9da59e6ca9a4,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4ee53e0-9e14-4b88-8ba9-eac6d067f4ee,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dfa10f8-ef44-4053-8ebe-c656f663cfa4,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bdc245a-dc5b-4dce-844c-8bd80aeb1fea,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d08f8cc-edb9-492d-a822-301aebd55b02,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,920642d4-cdc6-4f6c-a10d-f0b87581e0b2,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91b47f08-7892-4976-86c8-4c1b424d6ac7,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1be3ce1b-9c5d-4ada-b310-242384899ea4,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6751321e-b16b-43ce-b5ed-5b8b13d6113d,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d6ac35b-d695-4dba-9c26-bac183e00992,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f75d6636-6a00-4066-b3df-3f82ff2e652d,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1369c982-8821-438f-96cf-f6924cefae11,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69fce817-df32-4124-b98c-c98d9b11aae9,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95406ba6-5e10-4400-8d8e-66a8a26832fe,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abc2ee15-da44-4de1-b6aa-530ccbca7a85,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\MIKE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d249781c-9d1f-4629-a152-4327e144e1ca,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3747450-1db6-4e04-9093-adb5453d2d6b,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61af6976-08ac-441a-8de4-c977a484c75e,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc2f5c74-eccf-4465-a3b8-e99495475115,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9eb4891f-15b3-4855-9372-f2ad8e13c89a,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08019dde-4063-4734-83f8-3d13939cd990,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f018ebea-b00d-4a1e-9b1e-58671c5b3e7f,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,856389af-65ea-4655-8dc2-d0384e2f41c5,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c076e78c-8cd7-490f-8192-5091e767b863,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b6a8d0a-ab80-4e76-961f-170ce30695b6,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc3ecb99-0917-450c-8819-7dcf80dbe0b5,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,393cf3cf-a094-457e-b7a2-a06f590f8090,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,043d95ed-44d0-472b-8051-9e2b6c7e14c3,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,97d9dc92-2303-4770-bb47-f5d6921950fd,"4/16/2021, 9:18:36.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7736 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,593a4fdd-dd19-4929-825a-d191171e9c60,"4/16/2021, 9:18:36.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6276 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f06230c0-976a-4c12-bc37-f90ee80e17ee,"4/16/2021, 9:18:36.870 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6244e4da-628d-4823-83a4-cec16cdb2937,"4/16/2021, 9:18:36.870 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,abed8bbc-7563-4cd2-aa69-52688d0d9372,"4/16/2021, 9:18:36.870 AM",,,,,,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9482ff60-90cd-4c54-9eea-269a63a334cb,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f09716-3f71-4917-86b9-0befb8c6abc9,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba49fd25-e3cc-4200-adb8-46fe51efc535,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bffb37c2-6f27-4dca-a89f-152265d63502,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ABUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,349208ee-7cdf-4279-9c22-f6e15824a19c,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4ac177e-08dd-4af1-a7a0-d8ec8b005dbb,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04efd068-c3a6-4fe6-95bb-b3c9349c8f29,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59a06ed-0ac8-47ba-b506-7a0e1387d2bb,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b412a66-726b-4f8d-8483-219e285cfe63,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bc9c2bf-c097-42a4-a261-11c79ca44185,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faad942a-5e7b-4293-bbc5-19f90e09739b,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ed1518-f1f2-4d3c-b987-281e0cbab73d,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fec5765d-4f7f-480e-b44c-34ea5e8879a0,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9ba6f65-09ae-4874-9be1-dd51b45c5eac,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e41114-e193-4c9d-8cf5-af60aa19d2f6,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0eef7c67-d09a-4293-8e79-603d76802f5d,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbb687e-adbb-4ac3-ac03-f5450f8852d5,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d53fbf1-ff8c-4cda-8fb0-732f55fe9d38,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22de707d-fbcd-45f1-b25b-6087826162c8,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d2a4ef1-62a1-4d09-b4d8-a04b31ee1c2e,"4/16/2021, 9:19:04.138 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0705dbaf-a7c2-43c8-8856-266d14edc9ec,"4/16/2021, 9:19:04.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7264 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,423b1676-651f-4c6a-a879-af7230c69414,"4/16/2021, 9:19:04.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 968 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e7a476-0349-4fbb-b1c6-d3bf4d36fb72,"4/16/2021, 9:19:04.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f9427ca-6fa9-47d3-9fe8-b5a7683d6d40,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\dental,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7a7da52-5735-48d8-99db-8b477ccb8735,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82fdb94c-303a-44d8-8033-5f25dc6cd245,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76b50249-1cb0-46be-a206-a7639678c9d9,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5876a0aa-09c4-4d38-a1e1-72c2248f1dc2,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef366811-f7e0-47db-b6df-1308eaf610fe,"4/16/2021, 
9:19:04.138 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04e23627-cc07-4ecd-858a-9819823753df,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e4d6c5d-3e40-43c0-99b4-fab49cb563b7,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b8e3a5d-32f8-48aa-b754-3b69153fc838,"4/16/2021, 9:19:08.715 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde82964-edae-4b49-89e6-b2b47e9a749d,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9a8f352-4fd0-4959-8f90-2fb0d7c26025,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6231924d-9b5a-40cc-9ea1-f087ad09df51,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2c5a741-3a1b-40d8-adbd-905f6229278b,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,354b0e04-d52f-43f6-90f4-705891139abb,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a6a0912-1dda-4e6e-9b50-7a5b655b5b0f,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\RICOH,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3aa4ee6-170f-4d09-94ad-20240d1a2eac,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0928e16b-341a-495d-bb3d-98e3afc629e0,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8960af-ef76-4c2b-a82d-a3a82e78b647,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,971ba7e8-72e4-4674-bd30-b714ea8e2b98,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2affc6a5-4062-4b50-9b8c-ce655e70309e,"4/16/2021, 9:19:08.715 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c47a26cc-2ab4-4377-9223-69ea5a841285,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c604b8f-261e-4185-b467-a79f8fb39f28,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfb5cd7b-6e88-46ca-bdc7-c2457e37b959,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3d49e9b-29a8-49b5-8d48-d8417f15d743,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f69f388-f267-4ae6-acfd-94d343b5d6c9,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53dae543-f013-4dd7-b72a-83ce43b927d4,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37e4ce79-80cf-4cd0-848b-b280624e93f3,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecedad22-a156-4ca0-8da8-7bc0c2e5088b,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b959eddb-c2e6-4660-9aef-41cca4769f09,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d06bf6d-a9a0-4795-8664-fa8183e12025,"4/16/2021, 9:19:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8777da3b-7319-40d7-812e-c2c239356b1e,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05910937-7dc7-43a0-ae06-799a7381249f,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6922bb03-8a39-49d6-acfe-5af97f062736,"4/16/2021, 9:19:09.880 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,43b57241-6a64-48e1-8471-10dbc852266f,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1588 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\Windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,39d59d48-df1f-4230-a14f-2b11a233f43c,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5444 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2684c21c-6dff-4f4b-8b6b-fd3b06726233,"4/16/2021, 9:19:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,19d2ddfc-553f-4485-8f5b-fdf62ee18589,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f11be8a1-3e16-4456-afd3-bef074cd6d48,"4/16/2021, 9:19:09.880 AM",,,,,,, +\USER4,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d33d769-72bb-4488-8c95-da13b2b056fb,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b37bea93-c4bd-4ba1-b6e1-3e969df4980e,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56acac7f-7c4e-41e2-b212-8cc1edc30856,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9abaf164-16b2-416d-aff7-2404c17221d3,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3695c5df-14b9-42ab-a348-883fba1ea48b,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93d8c487-3f95-4a0f-a7de-95192d0d9f1f,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51569da2-0da0-4afa-a730-52a7e9a43bf0,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\CEMPTING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d47b4668-f588-4861-a711-9a7d887f7b6b,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d5bcea-58fe-4a3f-bcec-7df2e435cf04,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d89b32c-d9e7-4f9a-9571-6c84502b340d,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5726465-23cd-4f3c-9542-cb7f78b49961,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b0e962c-f82b-4cc8-a89d-cc84d975b651,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,583c6af7-8915-4698-a4fd-65ce112b6f6c,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1897fd97-bf67-464c-9595-4e0de32a84b8,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,573ac9e5-f91a-429e-b950-bc426e77e527,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8ce747d-3096-45d9-ac46-a2a71efff32a,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0aa87f28-c209-4982-8c21-bb9634e63c36,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de611358-df0b-4c68-a2cb-4f3a4339e3de,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bcbae36-e8d8-46c5-b246-849f7d5008b7,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\ACCOUNTS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41e53380-be75-4d12-9aea-438e1f9c86bb,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba6ca284-557a-431d-92f5-fd9452de9340,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3460a10c-b642-4eb9-b6dd-c82da9bf493e,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66373227-e802-4462-9d0c-6284e8600126,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6632 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dd21cfdc-f1ea-4b61-9b47-0b27802c3382,"4/16/2021, 9:20:09.886 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6844 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e49a9289-5e7a-468f-98c1-022b2e93e853,"4/16/2021, 9:20:09.886 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e998afb1-ef2e-4207-ba53-9f61568c073a,"4/16/2021, 9:20:09.886 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ea15bbc1-c983-4a59-9298-e921e360af18,"4/16/2021, 9:20:09.886 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c7e20256-53a8-4f16-a677-4c061da4b01e,"4/16/2021, 9:20:09.886 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10220 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-03_031925\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\GuestAgent\FindVolume\FindVolume.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,65479a9e-2b6b-41a4-8c84-5d79ac72abcb,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d6c6d57f-bb94-4b10-bcab-526dd0aea5eb,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d9beed41-d0cf-487c-8cfc-ef01b14a66b7,"4/16/2021, 9:20:40.623 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7dee2d91-ac74-44a8-acb1-e5d262f93243,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,afb9f090-6ea0-468f-8a06-2647a6cc504d,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a44f81a6-2f36-470b-83fa-d83320ba5407,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9288 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-03_031925\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d23ecd3-bd36-439c-896a-ed67aa034dd5,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d08e1ee4-e259-41e7-ba24-b4c6cf4f7df3,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8308 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,04bbe6b6-8b48-4e67-8b35-3c474035bf48,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fa4562e2-6780-4bc8-b68e-59e88802f1fa,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b47f4d55-2c2c-47ea-bb3e-fd1011d74e2c,"4/16/2021, 9:20:40.623 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0412d452-e0fa-4b74-8faa-36105c41804a,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,edcf9251-b1d1-4a2d-88bc-430f7e8720a9,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cbfaa11e-a8da-47e7-81ed-f2aa2b0a3f4a,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5464 + 18 + %SYSTEM32%\CMD.EXE + 32 + 25D4CAE189AA05EF5AC50A92649774E9527603140F67BACC08CB5B59E4C33B26 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.18362.1316 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,78453c18-2275-4433-8eed-bbb4e62a92fb,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 
32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e0685d3f-d8f4-4279-9ff2-eb85655424bd,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7ab3055-65ae-4817-b532-e7f6bba12754,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9492 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b5109655-d0d2-40a1-808c-208ac564b46a,"4/16/2021, 9:20:40.623 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7625ba2-3c65-4e79-aa10-aae4cb90e99b,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdc100ca-8199-4d57-b65f-aab9520f1135,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32ab8a61-f3f2-4216-a1d0-86cf0859a9e2,"4/16/2021, 9:20:41.155 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e4ad820-3a58-4c6c-bb39-8521ed9fec2e,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\testuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7f33b94-94d4-463a-9a9c-d405fbec8581,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a05a6d1f-f6cc-481d-b103-e7b753f9d70b,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad8c77c1-9587-4c72-983f-76aaa4766c1e,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d15254f-bc2a-4faa-974d-c74e83dc3d67,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cec7cf6b-74a4-423c-947c-01ccb6d2d551,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\reception,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06a40a31-1d25-47aa-9774-a8bb25379b5b,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6745da17-a356-41dd-91bb-2bfac60722a6,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318a2265-be5a-4265-a26d-46dd19eee8b7,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\dance,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad76fcc5-87e1-4ab5-9e8a-5a401b2551c0,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec1580ef-0bbf-439a-840f-608d65bc4a2d,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8f6e81-da6b-4165-9f38-09d10d484cc5,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d32f6cb7-d718-440f-8c34-4ff6b07acef8,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f36ae0-aff5-4ece-ae71-e4ca4b13e1ba,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\wf7610,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0094dd9b-9bf2-4ef7-a70f-553a93e3213a,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72c17d68-9be9-4e8d-8539-0711784dd616,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b2b910-1eda-4f0b-83e9-1f1564340482,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75caa653-2db5-4b6d-97aa-b36c8cc2858c,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,406e4360-e192-465a-80f1-d9dea811dc6a,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,818bc62b-42f1-43e0-bb19-b97f838d4ac0,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1de4fa7-b23c-4a25-ba6e-dc8607ffc881,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6934f2d0-e839-4f95-97b5-9d2abe3096a8,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,967397d0-2744-460f-9642-7e0170495222,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0712f34a-41de-4b80-abfd-488836a8b26f,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\INFORMATICA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b19ba8db-1b23-4c86-be8f-414d57ac3ac4,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b17a128-95f3-46b8-9370-02a80b328969,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\ADMIN1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ebe7bc6-764e-4043-89b2-e7ba38fc5340,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13e6881c-3deb-4cb3-b0ba-e83b3ebf2496,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de1ec4e0-acef-462b-88ef-12d1d89cb665,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60f293fd-a670-4117-a0b4-309306735f99,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e64d2b2a-365b-4999-b9a8-63df1b6de0e8,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,410942d6-9f23-4a2a-96b3-2a1a6ac9e706,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af14c933-f138-487c-9600-4346d7cc1a4d,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31d66abc-e672-4e8c-af47-d1ce8d8af001,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9455262-2364-4961-b465-6e045898f0e8,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db073a10-9ea0-46a4-b010-e44122e2a919,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ed0e2f6-0d7b-4284-ae3b-bccfeb7317a7,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\ADM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a5383cd-e4b7-4f50-bad6-02a6877608d9,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22b4bd06-5125-43da-96c1-37c8da7e22bb,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffe84939-7545-4230-a962-5ba4dbfb6ffc,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,243f24c1-ef25-47d0-8c56-90c37a5433d9,"4/16/2021, 9:22:20.738 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ebc5092-b97a-4820-b330-22543ab25b3d,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\LAPTOP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b84817f9-87a3-4304-81c0-a83ad498ba0f,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7df92f7-c7e1-494e-b595-21bf72c11326,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfce5e2a-64da-48ca-b370-ce90ada8b4a6,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8328 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,23692789-c9b6-4776-a106-2155834d0325,"4/16/2021, 9:25:42.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5924 + 76 + %PROGRAMFILES%\WINDOWS 
DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,53a55323-acbe-45a7-86e1-7c6996700b89,"4/16/2021, 9:25:42.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5048 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,764b5fb3-f657-4eab-8e28-a58609c493d6,"4/16/2021, 9:25:42.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4184 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ec0a81f8-4db4-4b50-ae9d-d83aa6c75d87,"4/16/2021, 9:25:42.002 AM",,,,,,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e007f2b7-8882-4c2c-b0b8-0421e3333e1a,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b32ef470-f0c9-41e2-8258-9f6ebf627aa8,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b08afc1-15f6-484c-9545-46dfcff2d32b,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b42481b7-f6f6-4dc8-9de3-281e6a9b5289,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80030417-2e18-4e7a-8c76-535f210fa107,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58c18216-f24c-4b56-9bc5-0dd114092d04,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72531110-61d5-4a57-8632-89e024cb23d3,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\SHIPPING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1eea8782-eb1c-4206-9f3a-e0998dde83dc,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\EJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55d64c0a-e61d-449f-8bb4-6994742741d0,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b76b7104-0d0c-48d1-a9b4-bfcb0aec71f4,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,117ef1e0-6447-411c-b426-00bc2bf35155,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55380dd4-b958-44fb-80c2-4bcf3fe5a002,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4554151b-6e25-4e6f-a06b-3b0604bc8d88,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f1c0bc5-757c-43e9-a0c3-a1dbfd6cb018,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a4e305d-fb5c-45a9-8bc1-d80bb981e771,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed19ae9-7523-415a-a9fb-da62e0038f80,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\MMAZZOLA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bd55415-0fb0-4453-a255-0d4fc23c76de,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5d6954b-d3a4-4658-a6ec-d53aad3a4608,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,793edaa1-ca18-4d6b-9e1d-51b5f8b95395,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3667a1cc-adc3-4e9b-a6c2-81149bd1bab9,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97ec86c1-a52f-43d4-b3e4-d9b9dee5a851,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,932eb54c-8936-4269-a326-59532e60b3db,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6884 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 
2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d626e7e5-1112-4586-b8fb-6e9c455563f6,"4/16/2021, 9:27:32.158 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5f51f1f-c53d-4c1e-9a77-5c9c2ca4a321,"4/16/2021, 9:27:32.158 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2d2b12c-12e0-4e9b-8043-b8503972979f,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,306a390c-d180-479f-a3ec-86dc97f843ed,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64c65f00-ffa7-4941-a4ac-bbb591de248d,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21956de-8692-4789-97e0-5ed27745f0c3,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39533936-899f-421f-918b-5393c1a37c9d,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2297c15-5f49-48e3-bb34-0c8e8789312c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9672bfe7-e2d4-4258-9d28-db06c4af7d54,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,533dea62-d399-48c7-9b65-172c82f57fce,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b8b3bd0-c73e-4d63-88d4-67ce1c2d00eb,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efad12ab-cc7a-49b7-889a-1da015833a3c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c434433-7f00-4ba3-8ef9-d1b465805f91,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef148f71-6b09-4ed5-a21c-298413238a74,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69a51c27-6d62-47e1-a6e3-efd248e5462c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,053fe717-47a3-4892-9b07-ba242a553f65,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e959cd7f-9e3c-4f5b-bff7-b5b8611772ef,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c1ec5e5-5011-4c07-9aef-14c2678b160c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ce26665-91f5-40d2-ba6f-09f96693520b,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,ec15ab3c-81d5-4da3-9e3c-8c1794be8d65,"4/16/2021, 9:27:32.158 AM",,,,,,, +\PDV4,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2d45f50-2e32-47be-9ae3-228742388dd4,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbf17973-19f5-4fb5-933d-ed26bfdf87e5,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e0c0df8-88e7-408d-a31f-5a4432f326db,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,7a28ff36-ca21-4a35-bbee-05f9bb63ae45,"4/16/2021, 9:28:45.879 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4987228c-8ee8-4119-8823-ae2cb4883a2a,"4/16/2021, 9:28:45.879 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bb817882-224d-4ed0-85f2-458b4de3cee0,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cd51c019-13b8-48e3-8d59-ef5f87ea38b1,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3668 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,11795f49-8266-4b28-9a18-8299dd9ed674,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6376 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,08a885e2-53db-4f01-b61f-f2f0bf197799,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1656 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,25cb018f-289a-4105-80eb-02419cef80fa,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a209e560-467e-4991-be2e-384b78856388,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3540 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bc403e75-3fe0-40c2-9b97-710bf0a4c162,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,32a462f9-e446-40cb-884a-7d86f673437c,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95ef75dd-544b-4b9a-a4f4-8286ad1872bb,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,964cb01b-1354-4cbb-a1e7-24358c17bc7f,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,81e477fb-e1f3-4876-b4dd-e53969e30cd9,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,26e11238-ad2a-44d2-abff-d4d3208662cd,"4/16/2021, 9:29:02.896 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b2037c96-6022-43b8-8d24-5a98ce028a6f,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3784 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,972583e3-82d8-4e86-bc55-c7a426af23b1,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1e253fa3-7fb8-42d6-a89f-d2bfc6c89756,"4/16/2021, 9:29:02.896 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,912917cb-2706-44a8-b90d-18abd004dc32,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0fe8cac9-009a-4da2-8ebb-a728a8ed7e08,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 144 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8913d27b-b1d4-4a9f-9360-175d36108722,"4/16/2021, 9:30:49.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process 
was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a2abb0a5-a80a-47a9-bad4-4b3bbba2030b,"4/16/2021, 9:30:49.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9792 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,aca7ee28-c7d1-41a5-8dab-1db5b98c6587,"4/16/2021, 9:30:49.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7804 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e1888086-23aa-4d19-88ce-4b36bcd7fcba,"4/16/2021, 9:30:49.280 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95015134-4254-47bf-b3fb-d046e022e78c,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adf32be0-4292-43b5-bbd8-b93ea6e6313f,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\FTPUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbdf06a5-4ca7-41b1-adf2-e2ad148262bc,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4520ae0-edbd-424b-83b5-81f01317e66b,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a11fa78-2533-489a-89e3-c0cee2fff507,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d466ce28-2057-4b2d-91dd-62da6aef6288,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,733bc346-79c2-4b07-9c34-ffc2f8401f6a,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\SAGEHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b71d7d73-f520-43a6-9a13-ba34f17d4d2f,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0728fa59-c365-47e7-98e7-5d972c7cb679,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb10cfc0-a605-4506-b3bc-57b858ffff19,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c445a5ca-09fe-4805-bbc5-93638ecb01e1,"4/16/2021, 9:31:22.148 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3638bdb9-c243-4e4d-8304-e46618360586,"4/16/2021, 9:31:22.148 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62e13ecc-ed64-497d-911b-544b25e01870,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,104e0808-2e26-4d61-b2af-ec1bb48a44cd,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,943dd5c1-7270-45bd-9065-2957ee424e70,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f18f13a5-52db-4247-915d-49fa294a8a55,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c6ba3fd-ff6c-4752-b04e-ff3ce3435f69,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b290a112-8bf7-4e37-8984-f3366dff1ece,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6264 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f65af24f-e12f-4575-9e02-a874906c535e,"4/16/2021, 9:31:22.148 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed3e85f9-7745-4d66-83b1-215c645f470c,"4/16/2021, 9:31:22.148 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a139d83-0d34-434d-a702-731aa8bf24ee,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c205d5a-b97a-41a6-af42-48ac431473f7,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34afab50-6514-4965-9422-ff779a3340f1,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c99f0f10-4e6d-4067-b0c6-6d6ff8e60e6f,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc406f88-06a6-40a1-9621-ae868f3794f4,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,aa610425-ff55-4057-8e9b-b95047607bbe,"4/16/2021, 9:31:45.879 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 13444 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ad56111e-c8d3-4ad7-a143-bd0c773edbba,"4/16/2021, 9:31:45.879 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,73941774-71b4-41c3-97b2-c765e6a3f945,"4/16/2021, 9:31:45.879 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6ea1c64-d681-4f58-a415-51b4d11abf62,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b8f3a7c-915f-4c56-baec-275da740bd29,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12cfb29b-bd18-44b5-af8c-1c65d50c088f,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f3f599c-0665-4881-8a2c-8f8f9a00bb57,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd456227-26cb-474f-8eb7-e972556ae315,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae193637-e48c-4f07-b2ff-ac1beb6cf9d8,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20b35612-ebcd-4ed1-b9c9-1593348487c3,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab393de8-ad5c-4165-929f-52320a675d62,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fd7fa5b-d9db-4459-bfcd-382eb87420c0,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,736baaee-22c6-4667-9a41-deedc18f813e,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3f1cf6e-2fc8-40c2-b88f-c8ea2bfaefca,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e191b9-9169-41e2-a0a3-99c8b7bce807,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,48783d72-1fc5-4c96-a870-bb2abd195d28,"4/16/2021, 9:32:23.136 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5b19c2d-80ee-460c-9de1-6c9a55c7f9ef,"4/16/2021, 9:32:23.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d6264f2-87e2-4700-9e4d-9da732a332d4,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7348 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,753c3adc-89d9-48bc-8e25-1ffa12821451,"4/16/2021, 9:32:23.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ae6ede-a5c7-4bf9-8322-ba39bfc1a382,"4/16/2021, 9:32:23.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,708c290a-be3c-429e-8116-6f54bfc1092a,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ebe484c-3170-4e22-b325-f1d404aafb2a,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61a67def-40f0-46d4-88c0-82d06acbd620,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1de0e38-e142-457c-b573-4c17ac5b5976,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08aa55fb-1fa8-4f1d-95a4-6d4e52b0ddde,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8c5e752-f417-4cc7-9e1c-679ad90e3864,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,699ff0c4-c176-44f8-8799-af41e2b3fdbd,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bf8ac31-f01a-4f33-ba61-d8b7f55c4906,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f41b0243-c865-4fb0-8628-1782c8fcda3a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65c5e577-c2fa-486a-b09b-a9d638e57d7c,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,583a9ab5-5469-4536-94f1-cfaad172c58d,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,009ec6f3-9834-4b8f-a379-2e53db83d2c6,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23975399-df04-4f93-bde5-6a3e3e04b7ae,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,750df3d9-d6bb-4c9d-945f-db78f69ffea8,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eadffed4-2b21-4a4f-ae15-675562c21e3a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bfaa4a3-3b67-4aa6-a3b7-c95403d3075a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3780d3bc-b2f5-4a01-b2bd-502491b0b03d,"4/16/2021, 8:41:24.101 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f9f1d5-037f-4b92-a401-759717da276c,"4/16/2021, 8:41:24.101 AM",,,,,,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07c21897-ed14-482b-970c-8d720b968249,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b971d7fa-3d68-4598-b10d-c3f974daccf0,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e09fac73-e066-43ee-8f30-54508d71df6a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab0e0c7c-eaa7-402a-9f04-dd347ce8983f,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8456b906-46d9-4177-8331-37e41f5a5542,"4/16/2021, 8:41:24.101 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1016 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaeb4d77-b536-4450-85ba-bec7f2f3b468,"4/16/2021, 8:41:24.101 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd8ea025-d7d2-48d8-834c-22ebe83ffde9,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfbda5ea-baab-4015-87bc-2ec9698ade1a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bc0b308-7ac6-4991-99fd-ea7879221dc6,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41fef5e1-21e6-4cdc-a197-5e07bd32df8c,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7953e5bd-497f-4752-96f0-3b450a0242d7,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53ff5f5c-3fdd-4811-83a9-2264bccd7a54,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8d737a2-a7f6-4a41-8fe5-6a9620655399,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4596c3c2-a659-4952-9cd4-a2c1ea5fb09f,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,204b1ae5-8d97-47ba-b329-315dc258eb6e,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,de2c7070-de3c-48da-9eeb-1d070b903109,"4/16/2021, 8:41:26.527 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,60577089-189e-49f7-9a00-3bd0ae224781,"4/16/2021, 8:41:26.527 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5912 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd4c6ba6-efb1-4633-9a18-830200ced555,"4/16/2021, 8:41:26.527 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,82ed5afd-902a-4710-a53f-50581c0acac9,"4/16/2021, 8:41:26.527 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bba919c0-f579-4a28-a6d3-809d546f5db9,"4/16/2021, 8:41:26.527 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10076 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7bda87db-3acc-4a15-88ce-2e9d58828356,"4/16/2021, 8:41:26.527 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10112 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d74ebdd9-0c31-44cf-9582-24162e5ed6ad,"4/16/2021, 8:41:26.527 AM",,,,,,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ad76f399-4297-4ae5-a098-23313bd752a3,"4/16/2021, 8:41:30.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4507c7bb-d985-47e9-b57e-9adda56c4a92,"4/16/2021, 8:41:30.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c954bb6-3d56-4c37-bc37-a5c5da9f7318,"4/16/2021, 8:41:30.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93f3231f-3133-4d5b-a517-23df410a95d1,"4/16/2021, 8:41:30.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5640 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7636dddb-c529-4d9a-b0d2-259dc1bf99dd,"4/16/2021, 8:41:30.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6912 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® 
WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,72414e6b-ee86-4ab0-82e1-8c830f3f6471,"4/16/2021, 8:41:30.412 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a7863a1-825b-4e49-bbc5-c5d0cdead848,"4/16/2021, 8:41:30.412 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f4fc2de6-99e1-4cbd-9228-e56e454216a9,"4/16/2021, 8:41:30.412 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8699adc9-8978-417b-96cf-08b1217e2a3d,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a296bff-7bf5-4210-9660-607ba6ea260e,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8ca50e6-2b5b-4122-90e3-c18eacd4348b,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5feb42e2-aa51-4dbc-9870-170d0397cec8,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f62d167-2adf-4fb5-a336-1bded9fc3b38,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,487cd937-6958-476b-a32f-660ef77d1d2f,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aad35ef-7619-48b2-9a43-092b3ae81f75,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9a81c13-0396-4eed-a725-bd263ff2346e,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05daf40d-ed8c-4a1d-a5cd-5d16f2ce5d17,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fa36777-76a9-43c3-9c6c-f39fb9fdbdbb,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af9a696a-5be2-4286-8c8b-a86bfc019eaa,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8743c125-ae87-4012-a849-b8fabd3ccbea,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea79bea6-0cad-4641-9d67-2560700a8378,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09cc54cb-204d-4937-939e-31572c0e2733,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b75ff30-4ae2-421b-9914-bc7c6ded184f,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd86aea-2b27-4c55-914b-04c8fa74da50,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e8ba9d-ac5c-4237-985e-0a1d6e6f94cb,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1e237f-3eac-467a-a6c2-0b864fe0c05f,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e39c7d-b4b5-48ef-bf24-f0b132f849ca,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48a26943-5da2-46b9-8864-8589b36e5f93,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7172bd73-70e4-43f8-a3ea-7f48ee9ae28e,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,d58011df-141c-4390-8b0a-42d308e7ba91,"4/16/2021, 8:41:31.165 AM",,,,,,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,918fcc14-11c6-4e72-9300-7715ea9b0b80,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b740962-4130-4925-a609-f2c1d20f37e4,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a6c65f1-4aa9-43a0-8882-9f9b17264649,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db7b3022-8f58-4f2a-bdd6-b4160c7a4919,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0116d9b1-6090-4df0-a054-c68e118df206,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc8dabba-7bbb-4d69-ba1c-89185610b360,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cda51b6e-f921-44b5-8e0b-f410d0e195ac,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f890f20-ff5a-49d6-ad05-f138d4d123fb,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a87c43e7-b741-4422-9a79-8b6a3f4dd32e,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59ef9dd8-adb9-4577-8477-a83905bae587,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56d2a063-2d6f-4746-a031-21b298f245e0,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f9256c5-ba4b-493c-885c-54bdc7859952,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,859aace8-cbde-40a4-bad0-fddfbf8da169,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0212477b-ef08-4836-b9df-c3b0cc463a31,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,301a516d-aac4-42ce-a9ca-9089e73f8dd2,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7ae96f0-be0b-485d-8d97-ee400f9eb4af,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c798a595-1da6-4ad8-a543-f0580b31b005,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33ec0a09-8fd3-4b55-ab10-e106228116e8,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27af5ded-3854-4fd1-b6ed-6953f296df4f,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b79bbc-98c2-4017-86e0-d10a657c5313,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f10af08a-d276-41e5-9986-72ca3d1c153e,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84b4109b-39ff-47c5-a55a-889ebbd78e9e,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70316477-9137-46c0-8fcf-8f0a3294c0ae,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d70635e0-45fb-442a-ba57-7a34c3ef1eaa,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2efc2af6-90ca-4a19-b21b-4ecbcf329b86,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c3b8d29-b05f-4712-b6b6-c5d1774733ce,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd3054e0-68b5-491a-9260-f5e5a4837916,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccfc37fa-8de6-4a29-84e7-6022855aacff,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd1421e-9862-4da6-8873-fd0549a3af01,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5112 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1299\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,76b49315-be9a-44c7-9b71-067e00a469ef,"4/16/2021, 8:41:34.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8108 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,855a5365-bbd5-436a-b0e3-55a74a5e46e8,"4/16/2021, 8:41:34.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4268 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f83d1384-c1ff-4bda-86fb-398848fbce0d,"4/16/2021, 8:41:34.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12096 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + 
+",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,66d64f34-cb6d-4baa-a0fc-d833dfcbcae8,"4/16/2021, 8:41:34.257 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b996e81d-96d1-4b33-88d0-232fa541a7be,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,198888f7-e4b4-41ae-9785-b488835e5e00,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef1b3f3f-88ad-4046-85a0-74ab2606e0d0,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ef994fa-0d98-4ee1-8eeb-f4024240f19b,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad057552-2312-4626-9fb6-b8411c02ca29,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f65fa620-8c1b-443d-8821-848f4c9b9cda,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82400a3f-cc9b-4566-b8f7-1f61fc1f9363,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2b8f6f9-df2d-4a9c-b6c1-ba19736f00b2,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5ab82db-18f2-40f8-b3b7-35f8d5ef3d5d,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7625f6ba-cbb2-44b5-a675-570c5b30cfe1,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f71fd00d-33b3-455a-b63d-41724d1ec0a4,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abf340c7-af1c-4ad8-b33c-1488bb0e3920,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b054bd46-f75e-4032-8be5-cc3c69779e74,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce06b272-97b0-4dec-888d-626679b63200,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed3b81d5-d9f9-4605-abe6-2d1eea397f86,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2878451a-6cf9-4b39-a7b1-b90f6b5055b1,"4/16/2021, 8:41:42.600 
AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7b0525c-5cbb-4012-8af7-a9109df8a625,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dbf0ad9-8e66-4a15-8fe1-172d07f9da3a,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a0180a2-2cb6-4308-a292-9fcbe5895007,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde7a676-9740-44e1-acf5-c91ca6a44af3,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00d19b7b-d0c4-4d18-add2-5f9c114cc287,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f15d158b-e7ad-4f5e-a41c-80291e49ec41,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,3d5e3902-b13f-4768-9aab-24845173e47e,"4/16/2021, 8:41:44.860 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07240afb-edf6-464b-89e9-1faf092e9ed8,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ad87f63-4715-43be-ac5a-ad7159138541,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38a9571-540e-45e2-9142-c0b579302cf0,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dab5080f-3451-476d-9d70-d386c8216942,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d54a87bb-3146-4ef3-9142-cb673ef86a82,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2efdde7-2538-478f-bde7-c1077c413ff3,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e466b52-8280-40ea-b26c-70910e1673d9,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc8c5798-e071-46bb-866d-27337e322868,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd3fd23-5cff-4150-b25f-d73d6221feed,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, 
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,936333b4-9c69-4108-a9fe-20be26f8a77b,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32aea48e-7153-47f4-b2fe-990fc1347117,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18187706-fd65-45c9-8e11-24ce5486e5d9,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8123f449-3347-4bea-bcdf-caaf031fbb4a,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c4689b9-ee6a-47e4-abde-b16ca4a6e598,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ee1f839-c9a7-450a-95d9-58bd98f093ab,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b1b73a-3d17-47f7-9095-3b61899d1244,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0fc10db-e68f-46a6-a42c-a6de20fde353,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3909d747-5e71-417e-b945-385e3ba8b85f,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1777046a-41f5-479c-ba7f-8063388e5148,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,839ba95f-1cd1-4011-b701-e330fc06afda,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467ea384-32c0-4a1e-bd1f-9dcd92531709,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46cf42a8-37eb-4280-80ed-004a8b08d70b,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,392b5dce-285a-4851-829e-8d25b35ca717,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd5dd98d-31e2-442c-9c6f-acbec6bc643c,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f1165524-d0b6-4045-86a9-ef3f09ec58e6,"4/16/2021, 
8:43:26.534 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8596 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bc26350d-9f05-4e41-b4c8-6cb70f53226a,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,43189fdc-00bb-4f4b-9a72-b2ab87127d51,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6d756249-fb34-4785-b88e-7a8baa754697,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2cac5085-6db6-4a31-9421-0ea876242451,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a161bb94-31e2-42d0-b24e-9bf1c908ca34,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2140 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9bb7c552-c134-4dbe-8a1e-787c091d8604,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3104 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,52ef3313-7818-41ff-bde0-206706b95272,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0e7d87a-3393-4a70-83a6-fa3090a30a67,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8409e171-1ab8-4ac6-9a0a-63c26d78a85f,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f46ada4e-e3b3-48ad-82c3-3fcc84685825,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,02996683-06f1-47d1-9d76-c43d344bbaae,"4/16/2021, 8:41:46.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cf85d882-8c4e-4255-9368-b6f20a39d35c,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 7116 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,429e8d0d-ea37-41ce-8358-ddb1c9cd85e0,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3908 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0daa8c5c-4299-4cf0-b533-cfc3679ab3cd,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a770e149-5fb6-407c-8837-3f00487732e0,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dde684aa-fc26-438d-b889-f61b0a786e6f,"4/16/2021, 8:41:46.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a2e27efe-0eff-40b8-a29f-1d571b939761,"4/16/2021, 8:41:46.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e4937c1c-ca8d-4ed3-bc0d-26ece936fad5,"4/16/2021, 8:41:46.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,da02359b-0309-4205-b7d0-077c889089fb,"4/16/2021, 8:41:46.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0a809339-6d85-4cef-abf0-b305566c6ddb,"4/16/2021, 8:41:46.740 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e3fe312-e996-47bf-b1ad-8d9147f22a07,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2668057-a0b9-4776-a42d-bc0643ad224a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58002fbc-eb9a-4a82-882d-2507df4ed690,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c9664e8-c8a0-4d4f-b02e-556f50433577,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20b7031a-6064-46f1-837c-a9e8e34a027a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,538b07d3-8d5e-4124-911d-c119a167d38e,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e9a69b-4f45-4b35-a4f6-5f01eac2fd49,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf6b49dd-0d9a-44eb-ab1b-cfb77d27142e,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6d78836-3eb8-4ba6-aaba-3392ed5dd57a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6128ad8a-e4d4-48a9-a552-4474fd5b1ff3,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,daf0b5eb-14f2-4b48-9b10-60137f46ea03,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c237986-d2a2-43ad-aaeb-3e8ec614cd47,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49901728-cca6-445f-b4e0-bf41a507faa2,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9aa5a32-007e-4d0b-b292-7d2e9986c78a,"4/16/2021, 8:43:57.599 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e57e91b-b8d9-49c0-9947-baa97fa45664,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f877d994-1508-447d-9013-b24f0ad10870,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8120eaa5-44ee-4884-9914-f9a8a82e066a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d11fae8-c56f-493c-8aea-ea59dde4e79a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f1041dd-5d18-4d67-9d60-756cf348a39e,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fe2589c-a043-4012-9355-f7b4cced03d6,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17bf6e14-754a-4fb0-a4ac-5418d78eb6f9,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,927a32ea-873e-447f-968f-826e13150c17,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73f1f811-681e-48da-91c4-7e000f8fc017,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b70d473-aeac-4df3-893b-7cc79c9c9fda,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8f0ff7f-cd33-47a0-bbb0-44dbe5bf81b3,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1453932a-0be9-4157-a226-45f22a692297,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d24a52ee-f730-4137-bee5-265a3805dad0,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e51a24c7-4de7-4aef-97a3-6d8b49379b7d,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1936d1de-dd0c-436f-8fcf-e27ba8b89f3c,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c5a0145-d905-4e7a-a204-a92deb553f45,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acd8d2d7-31dc-4f0d-b20c-7cd5f7e36d7a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a486669-e7b1-4167-9bfe-4e51deb7973f,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21f53b6e-f130-487a-bac0-be3f122c4d06,"4/16/2021, 
8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3d3a175-b888-4f8f-8d80-110b0353bf61,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96995f76-48bb-46e3-8452-5288d9ef932a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e955a34c-12a5-419d-889e-294540b5abf4,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28eb572a-c7fd-4af4-9989-b277a43016c9,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5e11454-18eb-43b3-9221-5ad98507acc4,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71b01df9-3a63-4d07-b592-2364fb620f8a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,879c4062-1308-4f82-a245-c4f17aa39ff1,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18ebe6c1-6423-4711-8794-3aa90f691789,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2234d7f9-36f6-4f54-a890-fddb8ffe6b90,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\PLUTOS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b134018-d241-4c5b-8e7d-66cabdca8525,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ed3c876-a4ea-4c04-81c6-0833aa8ee3ac,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b0dcebf-ce60-4b6c-be4c-70479d8a3c4d,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,789bbb15-0dc7-49c3-82c6-917a961bfc1a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,616074d0-85a4-45d7-ab1f-cca8b50bbe5a,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15181b21-b64a-4915-a0c8-278090f90ee8,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ba6acd-fce4-47d5-8567-8088d2ec3d42,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df30d2f1-e17a-44f5-b043-80eaa21b7483,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b4c8661-bce3-4d2c-841f-09ea88f405d4,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c75ece2-7670-4254-9cb6-49184c5609f9,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be0fd07d-7a3b-4b25-bad0-206c7b28af5b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ea1dd25-3743-4210-aeb4-ff652f4837ad,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05340f77-261d-4b77-afad-31b54d28ef70,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61421d80-bc3e-4e65-adb1-4dd878521d5d,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cc990c8-99bc-4795-992b-9aabed40520b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96377107-7e72-4adb-b975-2c97a3092061,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91dfa193-f182-43e2-a75f-b5a3b4cd9ef9,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5f255ca-a9ae-439e-b76b-cbd833062e66,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,317eaa35-d8f6-4f9b-a41e-a13140f1978d,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33064ae1-0285-4034-a07f-1e554c995694,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a769178-25af-49ce-b0e9-753dd17fc915,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d9acb84-03aa-4f12-99f6-78e36bc28a1b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ce0d902-f57e-49c8-9dfc-d4ffaff5451b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22d4a5de-8467-4a7a-8d84-31ce4adf610a,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,39546c06-cbd3-4691-a887-824af677a472,"4/16/2021, 8:44:03.102 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,96407840-0f35-4d2e-be8f-b8b58434114d,"4/16/2021, 8:44:03.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df112b16-5471-4866-8af1-9ba2778118f9,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c9a568-035c-4e5b-af26-897f1ec62df1,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56577f36-ab2c-47f5-a677-7cbc99fb91fc,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be72ed72-4279-4382-be66-83ab475ebb8a,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eac20b04-ef03-4d99-b141-e639a20d0487,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16904d6a-92c4-4a9d-8311-fe0e617f31c1,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43ab5c55-0dc8-43c1-b106-4a1a0476cd6f,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05ca6827-608b-48a9-a7b4-83655295dcfa,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90ae7dbf-4d3d-4fe1-b391-505a71a4bfab,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,977cab78-fea8-412e-abfc-81a0b2568247,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52e9da79-ab7a-4484-949d-26a0651b26a1,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02b26ee9-06f2-4abc-ad10-7110573b305b,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6257f60-98ff-43ff-b273-51a930ab6ae5,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3cc7428-583b-4d12-91e4-30a358afd066,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,978934bb-1d9e-47d2-9b73-63e8846ba88e,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90717d6e-6dd4-4f69-b81e-f41669faf221,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c3fae29-63e6-444c-b96c-727378c9c31c,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1abf6fbe-fceb-4665-b36a-d18672584556,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fde35bff-78ae-44a6-96da-a2233d45fb47,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f5b205-0b7a-4bab-8c25-5fc5fb58e0ce,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a51fbcb-3492-4ab6-bf8b-1c4f9f2daa29,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e08222fe-9b00-4bbd-90bf-6d1b65a358e4,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e559e1ab-8ce0-49dc-bc97-44cecc20cd67,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,257b25e4-6153-4d8f-bf40-dbf972105fa3,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28ebd8f4-4f8e-4c77-ab2d-f64ee6c92055,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a64d8ef-9e8d-4a63-b56c-6b92c501dbc7,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac35b61f-06da-4e4d-a7e2-cc2364d5fa5a,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a41a6bcc-e80c-4d7a-a7a0-ea2716f99794,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10392 + 76 + 
%PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9858dc59-a710-48d3-971a-2f9b1f1a6680,"4/16/2021, 8:44:45.540 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,038743f0-cd1b-45f5-b413-f85c24e3ecb3,"4/16/2021, 8:44:45.540 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cbb8d953-e692-4cf7-bd4f-497e3078e1e8,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4352 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b2b04af4-0d40-4f55-94ea-a5bc71540bbe,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0efb889c-f2de-42ed-81af-348161f57b15,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10156 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2538703a-981c-4cf4-a4f8-17a2f6f05ce8,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7340 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,04d11709-c61e-4b44-8d9f-cc2e6f9f89c1,"4/16/2021, 8:44:45.540 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,df00ed12-de02-460f-ab89-b9abce20d9af,"4/16/2021, 8:44:45.540 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9aab58ef-90d3-4464-9347-22333f0488bf,"4/16/2021, 8:44:45.540 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,09881c63-2a97-4e59-ac41-cd31a334f802,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8553d675-5d3e-4cb4-922e-0584f1c67795,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,97c83361-a131-4ff3-8be0-f71ff6d632a2,"4/16/2021, 8:41:53.052 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cf1f5721-589d-4c88-8ea8-55b3be9b46c8,"4/16/2021, 8:41:53.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,8e225a2c-b343-483d-9d2a-873e6031cff6,"4/16/2021, 8:41:53.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fbbc5cd9-576d-4b57-9220-daeee7d204f8,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9ed2539d-7d80-4bd8-8506-d59b8d4c33f1,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13180a6f-24c3-481a-ac75-468ebc86731a,"4/16/2021, 8:41:53.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,587301ee-2e81-459b-a5dc-d41197dc885d,"4/16/2021, 
8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eef6fabe-0bdb-475a-93ad-d68d57144214,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d36901b-0e09-4395-8add-a4cf971fc497,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,482f097f-0a8d-499b-abaa-2e9564939d06,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd91db20-2b00-4afa-a233-792bc72d9b67,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89d88c71-99c6-4681-a44a-c9212087eca6,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb2721b5-7644-4ab2-b54e-b431856cf706,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43b17e7-8a0c-4e01-8732-414cdefd807d,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f2875d2-a555-46d5-b2af-8521032a05ce,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ca9cb1f-9001-4cc9-8c3a-388e498d5d87,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2555132c-83da-4401-aa9b-3338577ff2a0,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,270d1da3-b318-4313-9764-0ed8cf4214fa,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4c9e3b-7744-4e6b-bd2f-ee63e026132c,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bbdb490-3e9b-4c1b-addf-000b23056ba3,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e875046-9b24-42bc-9148-61bb2539b4e2,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e9d5d86-9a22-4337-ae03-5d4775ddccef,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aba1d71d-5d91-4023-bca3-4cc51c51f655,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb91449-29cf-404c-8da0-afb6036aafb0,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e250a56b-a2b5-4606-9581-3b11d099eaea,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5270f476-6cee-4cdb-af20-6c1bf4d4fa48,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee3a50a-a226-4c94-a33d-7fe690632091,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,698009ec-d581-4c04-977c-b9ee91683a29,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de94016-f033-47f1-87e5-678e52db5441,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,854aaed8-fd87-4b98-8aae-33e0e46e79ed,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23830434-2b8d-4395-b48c-33517cbaf248,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff3a00a-83f8-4f21-89a8-8fdcba31f0d0,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ebcee10-167d-46d4-a6a9-2de893e79e67,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea481651-4faa-442c-a222-acb9d990c2d3,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e31d857-db41-4217-811a-fa93039fa006,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ae37e8-a16a-49ae-b241-9f20a9d093c7,"4/16/2021, 8:41:53.167 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,38020053-3670-4cc5-bbb9-db0bcecaff28,"4/16/2021, 8:41:53.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1ea86ae-9b72-4bf3-ac8d-89fdeabb8d2c,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,763b3519-29bc-41a8-aba6-8205fa2f4a2c,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6596 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc5716ad-7c87-4b5c-a683-dfef38c981d1,"4/16/2021, 8:41:53.167 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7784 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ac8e45f-9194-4de4-ab4e-5bea00faed53,"4/16/2021, 8:41:53.167 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6296 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,59756055-5432-4f11-a2b6-d7c3e40d4185,"4/16/2021, 8:41:53.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4c680ba-83b1-47a9-af47-b3dddf3e49e3,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,32bf7be6-b18f-4ef6-8df1-a75ae0e5077f,"4/16/2021, 8:41:53.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09862994-ce52-4eee-8303-2fd9f320c1c3,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3b2249-84ff-4346-9c16-73fbb8107f87,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea862a97-5c0b-49da-b76b-dc99efdc0a90,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da4b4f69-0611-4964-ad27-953771cc9e38,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4508e173-a3f8-441e-8949-9783fbdaabc4,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e838437d-88ba-4757-8bd0-8a0d12f6e3be,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b832b038-d81c-4279-9662-ea3a83ec5629,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4f57caf-9871-4f72-b41e-d9eb09ad1294,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c2ba07-bc42-4f41-aad7-9ecd8ac52a44,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faf38be4-8db1-4555-996a-61e58972a119,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bb05e68-191a-4e40-8d26-a735484f17de,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e152be2-bf4e-46b2-aa91-a9b854f68509,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59d5bb2-6507-4b73-9a9f-931f7a305696,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5edbe3-a754-4449-b7c6-bc3bd329079d,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d644c0a-d15a-4b4d-a199-b8a589087992,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5865621f-23ff-40f9-be52-a36600b55451,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,729f86db-91eb-4da0-8f48-ae4c4f14ba42,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52341dc3-85ee-40c6-8a8c-fd26094a83e4,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd833c2a-3110-4408-b1eb-83b3aa9ab9d1,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20ee6e65-2279-44b6-b1e1-a14b20d0a376,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea0a0b30-d67d-4ff0-8d49-5e465718bfce,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26f27932-4648-40db-a557-3ea03180380b,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7150bc0-c083-4c86-83a4-39c2d0aefe1d,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6823dc5-0e31-4075-9aac-83790c7cffb5,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfcffce6-5518-47d8-82e0-55ef2c811ae8,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10bbb4f2-46c4-4c0c-85c9-c296ef9813bf,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,328f9a65-802b-406b-9b53-07f7ad1098ef,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83c50c05-b7fb-495c-b0b2-7758e0c81111,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e83494ee-9b2f-4c05-b5f4-6b10f309081a,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aca7107-875b-4150-8444-1c1986680fa3,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c6934d9-89f9-4d40-bdb5-cc067c14d2b6,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07460ac0-8392-47be-8810-489d06fdf5d9,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1198445-44d5-4cc8-90b3-0a991336ae7c,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,034b4b79-65b5-4470-8c3a-57ca97151fb5,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f716a9b0-288a-4326-a9d9-9143a9e85017,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0516f38d-865e-4d2a-afff-87e413702454,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4ca3c3f-2391-48cf-801e-ade40bc1fc01,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c02634d-1c31-4911-a27f-cb0b5f94bf5e,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c03aa4-7fe0-4646-8563-8ebb0c5096a7,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7639648-a643-466b-93a9-f0c8b02d7dcb,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2779fd64-1a41-4ae7-8963-70258429259d,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8a5cf9d-ab61-41b3-84ad-8072546fe109,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1938c5c-6502-4926-812e-3504e1457681,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,696a6c69-71e9-442f-98e6-99bdc8bad5aa,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf376c3-c9a2-4372-98a8-dd421be68f42,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c1c5f0a-69b0-4c8d-b82a-c0a6937bb4a3,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e06be9da-927a-4c2c-8307-fffcc3ba5a89,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ee4f242-8e2b-46c9-881e-c8d9f8465db1,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b81f7fe7-c427-47a4-bffa-ebdfba0b38bb,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85fdee5e-d2cb-4643-b7f0-3b5366f6d67e,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f98c476-c479-462d-8244-5daeb520b61d,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fb99e52-7f3e-40f3-81c5-be6a9bce0b05,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a183ff-dc99-4943-b70e-a9d7ba687fd2,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693ffa2d-4ecf-44a2-b2dd-47a1a30a3173,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f1af015-7aaa-4253-b3ee-18bd4ecc0c04,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de810de2-c489-4d9c-8cfa-29f5c087d76f,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61374246-bc9b-4f06-a176-50a7f9055de3,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93293108-0206-4f65-b7e3-93eb963726b7,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3139b3f0-09b5-410d-baa9-644a0a616507,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0747a2f-7ace-4a6e-b6ac-67f7cf8370aa,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e3c242-c864-4e5f-8361-63169cfe6216,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5e3c34-d0a6-4a6b-a9c6-f41fcd9caae7,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0aea507-5a20-43c3-b564-15bc8ea3d91d,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e938bedb-b561-4509-859b-6de8c6a50478,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4859ba4-8696-4d90-8d8b-0bd66f4e87ca,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85d7d242-c0da-406e-8d82-0834a1c0cb26,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5481a453-4fa0-48de-8f26-8f7aaf2016ed,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ce404c-cff9-4617-ab8f-22ed66d9edb5,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba40dc0-accc-45a1-b760-513de5b09a85,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,744e643c-d1f9-4f2d-99c6-8de7aaaea608,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,835b4bcc-f4e9-4145-a3b7-bfada889e2ca,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fccae4f-380d-4105-80fe-18cdc1f09398,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a77c5b1-1d0c-4401-bb09-64ee57605a39,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8d1ef9-1d93-4045-af78-80bbaa83c077,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ca80e82-f214-462e-a65a-3b3a5173afaa,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b89eef7-1996-4f79-b936-43b6187e4bb1,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8f252ad-5aad-4359-a1d8-26d3f1daea71,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,612d99c5-b527-4b66-b9c7-5573ca072d3f,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86342f11-4f3e-4091-a063-0455935e79f0,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2fce074-4702-4ced-b3c4-7e2c58d4b0af,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,932c1ddd-b53f-4524-9b7a-a5af99ecbd33,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77bf150a-907c-4f0e-a7af-b00a0ece9e35,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bf5ec10-cd43-4370-8d8a-313f714a941c,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18525f0b-a785-437e-974a-6981d98dd39e,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1536b37-275e-4a87-a030-85a930498fa0,"4/16/2021, 8:43:19.415 
AM",,,,,NTLM,, +\USER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b230f328-edbe-4af4-9aa6-e43940986c53,"4/16/2021, 8:43:19.415 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6b838dd-6836-4517-8497-e18f948fb79f,"4/16/2021, 8:43:19.415 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,31d1fdd5-c188-490b-96b8-58e23f2fae4c,"4/16/2021, 8:43:19.415 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,958afe3c-2afb-44d3-82b3-0d2e0d06484f,"4/16/2021, 8:43:19.415 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3344 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d5b76e9e-921f-46e7-a340-842245ca725e,"4/16/2021, 8:43:19.415 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 788 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,04b8e963-3752-4bc1-bfbf-0503e8c41c16,"4/16/2021, 8:43:19.415 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,44c53f1a-f056-4972-9e26-ce9978478471,"4/16/2021, 8:43:19.415 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b79eaa79-1646-4540-be3c-13d345aff623,"4/16/2021, 8:43:19.415 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54ccfe68-c65d-4de7-be76-18466ceab217,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\WRADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ce70b0-7161-4a4d-8cc6-15945eea3266,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b845d613-3bde-4f27-be15-22ad5b40d6be,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c66b1051-8bd1-4196-aba7-50b17844b171,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6747db2a-8933-4c16-bbf8-77cd5a5fbc52,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb3e0b54-e671-40db-a8a8-b5ba39363655,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93a3fa03-8c27-4207-9757-5b14619f3e68,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fabaa51-1fa9-41a7-9f76-bb1b75fcac3a,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1da7953-9609-46ed-8e99-61b36171cf54,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,127c28d7-9096-43ba-9b41-8df1469161fc,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b05b301-cfef-4beb-986d-fa36d4f5836a,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a885c3f9-5948-4bf4-bfdf-95597e57d349,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a7c7a9f-55b2-4985-9bd0-621b2a27e9d6,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd0e8c8-f918-4e04-978c-3bc7ac39eea6,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ff8db6b-b3db-4208-8892-c9ccf2b64728,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1de2cd49-129f-487e-8ec8-5b9323e6e685,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb37d770-c2b6-4aa3-ac91-e66ff04cc884,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0d47baf-d935-4a57-9e3c-fd123053bc99,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bffbe9f-76be-4b0a-9946-06049a585459,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7206191b-78f9-4040-9038-068f8bf7b469,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,554b16e3-76ea-4bb3-8607-7313afe0094f,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,353836b5-a7a0-4a71-9198-c1dedf3f7998,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f25f3e50-a61a-4c21-af28-112f4344e06a,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,857bcf9e-6aa0-4dc2-857a-cc06b0555515,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f6852d-5d7e-48ee-bc87-6e599926ce1e,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3288 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,81ed2aa5-2b6f-4600-a970-38080d648890,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1596 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,acf1f94a-ba63-4b2b-907d-3b3543892eac,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11888 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1fd12977-791b-4be7-afa6-646bc8d68d91,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11844 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,3854416e-3eb2-494e-ac4f-9cb54840c16d,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11040 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,06c26ddc-bc75-4f84-8b5a-70bdc079cdcf,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a58491d9-ef8a-4515-9277-6de9881725eb,"4/16/2021, 8:41:57.078 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fb90d0d-0cbb-4493-81e6-63ca1b8bb2f1,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db211e03-6c06-41d7-9dd7-27c991781d1d,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0ef1c05-4daf-46f1-89ec-d952968f5cf9,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6464917f-5309-468c-89a4-7fb6dfd87675,"4/16/2021, 8:42:02.600 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,615f387b-f329-48d3-92af-44d65daaeacc,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7b73389-6592-4974-a512-be412d589937,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f8aaaa0-52e2-4457-8d4b-6e2a82c9dcd3,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1571021-d337-4cd0-9eda-a643a1398456,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68c6cd39-8b25-474e-8f6a-35dee299a2a9,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e095e28b-d925-4776-8501-830d77bac8c6,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e04f2c4-5416-41dc-a8e4-ddc24c0275f5,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a27c0a5e-a9d3-4eb4-9bde-a2392ffd1730,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d964d87-dcce-4b40-944e-3040f2b859d0,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fab2b406-9373-4e13-9acd-2dfd7b7e3f3b,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f38cffd-be2e-49c6-9a88-7d111e39c245,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97fe3cf3-85e6-423c-88d5-815e0e67a62b,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebabc5c7-10d9-403c-9567-576c9fdfff5a,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+\CUSTOMERSERVICE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8e1a0c1-e847-4b32-b2e9-3acbc4e5a154,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35065ac3-9311-44db-b5e0-b84d9d4698e9,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af3a9f7f-2e75-41de-bdb2-fd4736483320,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\ACC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f49c992e-2099-43b1-b0ce-f9f8549b4b41,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7752861f-f656-45df-be51-5109dc01f04a,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e48fa2f0-f810-4e00-a3f4-7350eb5ecdce,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56785a86-b27e-42c7-b52f-5b37396facbe,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e34bf02-bd8e-4363-b093-1ec946abd8fe,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee967845-cad1-4da0-81d4-8ba5ddd4f6b1,"4/16/2021, 8:42:02.600 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6c5c50d1-0580-4b11-93a1-52131124a436,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4073946-1ec6-48ca-b5ac-c79cefc2321b,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bd8da57a-bd07-4e24-9f53-335bf9e2401b,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d29c69e-d14b-452d-a54f-c1e8bd2cce98,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41dcda9e-58b0-4588-a3bd-d58d780e75d8,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c6149040-c1cf-4a8a-9054-d1065b00cc5d,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d605c2e3-c33b-4701-a6f0-471ba0c0ff4c,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ab2c1ae0-6ca0-4f99-9947-93351538efc7,"4/16/2021, 8:43:36.052 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,098d57da-2848-4892-bf46-0bb52de53724,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,374d62ab-f571-4227-9037-ce23505a175b,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1716f3b-a3eb-461d-9ca0-30c089406766,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f60284fe-8cb7-4bf6-b93d-fed0b6243b7f,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,877350df-f530-48f3-8b43-9f836b519958,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba7f385-0aee-4ea7-ae14-e21bf684f100,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,473bc8cf-4068-4e86-b428-2723f587d18a,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eecdfd0-dc7a-4ff6-b1b7-6f9fa0ad8294,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69d8924d-959a-47ca-8930-ff9812c8fa46,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20aa8278-7f6c-4387-8595-71f9b3d95af7,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be2375ee-6b87-4165-9d36-3452ed9cb43e,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77d08740-415a-4a99-bc2c-f76178735553,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a88feb7b-6594-4539-9975-fc9dd0af3c24,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c5bd14-ae63-4b0b-8e3e-4241019eb414,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9cec883-4606-4c4d-9293-ea06f834aea3,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37f50143-c5f4-442e-92fe-916bb8ffb4a2,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97c4960-244a-494f-9cb3-3835870c5ae2,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e05b5500-1262-4523-b4f8-ba5ef0f81d54,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05c1cf67-f2c7-4673-88e8-4bbd4a52e682,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a52e390-f879-40ba-9361-63509521b999,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7681752-2ac8-46d4-809b-ec3ff482dfce,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4de372a5-da33-49cd-ba6e-216f2080550b,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f50835a-0e3a-46e0-a4b7-0b1061196f97,"4/16/2021, 8:43:03.052 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d643ca6-4add-4fe8-a494-2c62cd8c49c7,"4/16/2021, 8:43:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,63ef03da-d4f7-4c42-80e8-eed1157644b1,"4/16/2021, 8:43:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,0fc39054-6335-4c5a-b9f4-980dc3746960,"4/16/2021, 8:43:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\WindowsUpdate\Scheduled Start + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>Microsoft Corporation.</Source> <Author>Microsoft Corporation.</Author> <Description>This task is used to start the Windows Update service when needed to perform scheduled operations such as scans.</Description> <URI>\Microsoft\Windows\WindowsUpdate\Scheduled Start</URI> <SecurityDescriptor>D:(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FA;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2021-04-16T18:39:04Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1M</RandomDelay> </TimeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>ConsoleDisconnect</StateChange> </SessionStateChangeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>RemoteDisconnect</StateChange> </SessionStateChangeTrigger> 
<WnfStateChangeTrigger> <Enabled>false</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <RunLevel>LeastPrivilege</RunLevel> <UserId>NT AUTHORITY\SYSTEM</UserId> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>false</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <Exec> <Command>C:\WINDOWS\system32\sc.exe</Command> <Arguments>start wuauserv</Arguments> </Exec> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,794e2b45-393f-4eb8-98e2-86fc9872562b,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6c090c74-e640-4448-8035-1a0a12ff8745,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3421c599-6b81-4996-acd9-238de7aeb8de,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b1b39702-15b8-4f90-9bab-1af8d23abedc,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14012868-03d3-4c94-9c92-ea1739b2f287,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,384e6b1a-af4f-4016-98c2-9534adfef188,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e60d2b43-ec69-4995-b6e1-69dec8860187,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60b65e37-cc6f-4c90-8586-8053ffa1bb76,"4/16/2021, 8:43:03.052 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81f3e88a-124b-4ea3-b99d-f23c119c10c9,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc4cdb69-1ffc-40f0-b3e2-b9c9631ddc64,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88030631-8821-4d4c-8540-4f6bedf30ee8,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,57dedfa2-4ea1-46e2-9d04-2b4b964de0f6,"4/16/2021, 8:44:22.104 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,96a97f8a-1094-4c7f-b4e5-170047aa284b,"4/16/2021, 8:44:22.104 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dc6e8fa-fa82-4d0f-8a12-0fceb6230d15,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06671137-d22c-4e7b-beba-52cf02d5eb48,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3002beb7-b1c6-401e-bde5-1c7cac574944,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,37a95af2-1cf3-4230-99f4-7a5b844278af,"4/16/2021, 8:44:22.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4748 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,33da8809-050f-4284-8153-2b8705266d77,"4/16/2021, 8:44:22.104 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55892456-852d-478e-b766-596be40812ce,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b76eff4-3d04-44e1-8110-636b2f5fa8f8,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c240a54e-1439-4b5e-8ce0-d774c26a3be9,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46d65e32-ebf0-4bfc-9305-35c56b26b731,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57fd173d-8b9f-4ded-855b-00683a264efd,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,104ed79e-a45d-42ed-806d-97b1fa871ccb,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d5550b6-1e4c-4d9a-9e77-e3795312cb7f,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15e8ea1b-5b35-48ef-af7d-03274a4209b8,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bac65d63-09ad-4ae2-a3cf-c4f237874484,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce486a59-9046-4cc0-89b4-1c4468a91584,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6284cf6f-842b-43ed-b326-82bc3c5e2a9d,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17615b83-fd47-4837-af25-a8f69706d802,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,907841c6-50db-498e-ab8b-4d3091e5ae4c,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62fd76b9-897d-422a-b812-4d3b49f177c9,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1740 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + 
+",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a7ea80b8-636d-45fd-a398-c50cda8f4dea,"4/16/2021, 8:42:09.852 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1776 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,20270f98-e0a6-4f4c-82f4-230b4de67fed,"4/16/2021, 8:42:09.852 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,541b1937-0982-441f-821e-1d4d367555bd,"4/16/2021, 8:42:09.852 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,efd99710-5b30-4000-a7d3-5210a84ffd38,"4/16/2021, 8:42:09.852 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2943ab24-b818-4a5e-a201-8dff66d2ce4e,"4/16/2021, 8:42:09.852 AM",,,,,,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,29084632-1968-4bdd-8cb2-88c65c12135c,"4/16/2021, 8:50:27.414 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6560 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2918b68a-1cb6-4884-a79c-54565aa80a57,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7c019483-968c-4424-ae52-dc53e01bda32,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,563cace2-c2dd-4371-92ae-f86e5e292fed,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1ed4bd8-9524-444c-bd58-0316e628edb4,"4/16/2021, 8:50:27.414 AM",,,,,,, 
+\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3992bbe-341f-469c-a33c-e141ff8336b5,"4/16/2021, 8:50:27.414 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f7240761-7316-4b3a-8936-ba1e574a51e6,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71806d5e-3239-4f52-b6bc-8763727e348b,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3804 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a2798a24-2bd2-4c34-b616-43715f04d5cd,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b879add5-b7bc-4b87-83f8-62c895b3e367,"4/16/2021, 8:50:27.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b8c0c916-c73c-4a29-aacb-dfdd5631ffe2,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2f241feb-4731-4da2-a57e-32f554aaa257,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,05af7800-661a-4f36-8347-bdb1023b990c,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 752 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\Windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fba7bbd0-c862-4dc8-9b11-105b8e098c24,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 3352 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c78717f8-5bd3-4637-9217-22fd4de52ece,"4/16/2021, 8:50:27.414 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c495cd14-fefb-4914-bd95-7b14b5eefcd9,"4/16/2021, 8:50:27.414 AM",,,,,NTLM,, +\LAB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7685f8d-d768-4796-8046-1202694b166a,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d00c535-50e4-48c7-b953-5604d6994e68,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a38ca990-b1dd-44ef-95b3-f4bb78652a91,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e9ab3b9-5647-4a84-ac21-b67f5af4986f,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b8d800c-14c7-44b3-ac85-caeed1faff5f,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,426e3cea-d3e6-4e44-ade0-5ab6b2128396,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7e8035f-3c24-4536-8d10-08d9ab233874,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c995e9f-92a7-4922-9d17-8c2cff46891c,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b4baaf3-2214-4bd0-83d6-3a1a2bca0f32,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d52e270e-eeb0-4cd4-9e5b-0b064bdf08f4,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecb2e9ff-aad9-4b0d-849a-e87c17183cc6,"4/16/2021, 8:43:00.599 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a2ffb7-6abb-4b1b-8f44-0458f6706ffc,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,990b213f-5ce1-442c-b76d-d90c4463e7be,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f145f3ee-3254-403e-823d-0e78d9dd3189,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bab927df-eec9-4b9e-8178-8bec73b7fe71,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de01a33b-cdfd-44d4-a601-e41c83ca320a,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8dffbd4-9a6b-4ff8-b91a-54b085c61e91,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc4b87fe-d455-49e3-bdd6-e9366d262f4d,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fa601c3-e982-4ae1-892e-33e650e8597b,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3c33a68-65df-4e02-963f-24a24ed57300,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99e4aa19-dd73-4776-a212-43d10142af79,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,410892f2-a2a2-434b-9ea1-04d7e03c274c,"4/16/2021, 8:43:00.599 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ca0f60c-8201-4e40-80d9-1088fc38ca9f,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,488a34e7-38ab-4ecb-b95c-bdedaac93901,"4/16/2021, 8:42:11.538 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9252 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb72b9c6-34c5-47f4-9c45-2e0eb097f98b,"4/16/2021, 8:42:11.538 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b8329bdb-2752-4923-afa7-9fd42ee23be6,"4/16/2021, 8:42:11.538 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4bce80d4-e2a2-4790-b3f3-c198e93a8252,"4/16/2021, 8:42:11.538 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,df0c96f8-6189-4081-8888-0da540f9cfc9,"4/16/2021, 8:42:11.538 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6161ba09-97a9-4665-9e7c-d3b198134ed8,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974c8dcd-ef28-4095-bdb6-09cf7655a54e,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852872bc-888e-4011-b8d7-e88aba1c1b10,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64ef818-4bc8-4394-8459-44520b860fc0,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe55429e-e5ce-4fdb-ab96-e9ebf73a3ff0,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8b5599f-a801-4e2b-82d4-b435f19c57eb,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b6941f6-0749-4a5a-bbb4-20964010c128,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,365b9409-a22d-41df-9636-a16c449bac02,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115f48fb-a36d-4535-b212-a44b27039093,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46316c3e-af94-46f5-a797-d0a42ea4349f,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70235bd5-aad3-4778-9695-f49b85e71ee3,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8269b621-9abd-4446-a26f-5fc614503b3e,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98878809-7985-4a19-8765-c89a4f3c638c,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d9caf86-9d95-40a6-b660-7ef6ed04bfbc,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a320c1-ca72-4517-b5cc-c87dd16e6239,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce660012-1cd2-4fe6-bba8-4803d661bbe7,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f2dde4-8178-4429-9893-bc4eb11a1e66,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\CONTADOR2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9057728b-00e5-4b19-bc1e-5753d6db64a8,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b970f3d-9396-4425-b96a-d03b58677625,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a70a0dc-5751-47b6-a2b9-0ae543a9d7ca,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df9a9dce-d247-4f5b-9d11-d592345d6cad,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d862dd2-a31b-46c6-9543-4a8058f7be67,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5381cfb4-443a-43cc-8324-dc32a568c7e9,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58a76075-15d5-43d7-8550-27c24abe2418,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98947387-83a5-459e-8261-dedfbf002cb2,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eec89c9-2952-4909-920c-c057a9c90d36,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d220f4b8-a12c-47ac-94ee-32fc51f2ee53,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba828f5c-918e-4636-84ee-3b79de605eff,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a13f22c-aa0e-40f7-b876-4fd1550f2e33,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fd794cc-f2d0-48eb-ae14-965228ea34e2,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a1885c-7cfc-4f0c-8a01-3e9ae24079ac,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, 
+\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ececac89-a31d-45af-bebc-b4e4afb4d547,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48969665-f96e-4948-a378-aec8495a0725,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b7808f5-8e8d-497f-9b7d-19c6328c9562,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ca771b8-eaf2-407e-bd18-5750dade938e,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c0d2e0d-a0ba-4bb1-8423-9da8cb9a6a87,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbddc0ac-b012-48b5-bd08-d2366278267f,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13223f50-82b3-4470-b5c7-be4157f25df9,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebf4f377-81b5-41bc-aa76-9f8b38b2541b,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08f7210c-dd3b-41cc-af0b-ec9596b67e4b,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aa3d14f-7862-40ac-8e96-d66a179e18e6,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0878b2b5-080f-4c5a-bb78-b7422210b4d6,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee21c2e3-184e-409e-abf4-5a1249c066a4,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be3a9aaa-8397-4a6a-9c40-a04d44c74b38,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4c72b8f-cc57-4c3a-aeba-b08678441d3b,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df6ab38d-a87d-4b09-9d87-b3098afcebbe,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2db089e-9560-4786-b88e-e5b4b66031a2,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5e517d-fcfb-422f-99d8-6ab1ef72dd03,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f217fa6-b82d-4d80-a695-8781e3aabd43,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\AGUSTROM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e6832c6-b3a7-43a1-9931-901939fac3dd,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7617322e-d383-4d63-b262-f5968fde8cac,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e964828a-be04-4937-a9d4-6993f0fbdcdf,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,006441cf-7094-46ab-96c4-c933eca4b258,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49274841-7115-474b-bf5e-788f7c1fbc23,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ceb561-32ed-4870-bc4e-00f69d204731,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e1b5467-8c18-4620-807d-4deb061ed881,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d823849-dd54-4cfc-b0b4-27a1f2f1086e,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd95708c-eed2-4064-b07a-6d528399f65c,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd564d26-8d41-4cad-8e69-54be7db67bae,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e5d6a37-d9b6-47f8-b683-17a2301e68ca,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\COMPUTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,039c0a67-f208-4b73-aa59-1bba0ee21f9a,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,237a8146-fa0e-420d-9a51-3f3abc0183d5,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2250c355-02d9-4bbe-9d85-7eb5241e30cd,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d64155e-592a-4eb3-9cf9-7251a38811fd,"4/16/2021, 
8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bbda385-58b2-4155-9e56-7b1779ee37d3,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d204ff3-4ce9-405a-aa1a-4cf03395f145,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3e205f0-7bbb-4359-a324-ff4c6ce75184,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfc0fe58-f99b-42e1-afa0-9af735a91a74,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03e4fb09-ba03-4c9a-b6fc-aca2ad173d5f,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d487dad-e2fb-424d-bb0c-c18151998996,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20cabcb7-91cc-4b5c-9e27-095d6f2b94a0,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcac6206-3d96-46f0-b2e0-f2c5b755b8de,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8215c9bc-60c2-4e7a-b8b9-214433bad5d4,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,453ccad0-85b4-402b-a26e-73e6702af10c,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f36d816-e18a-491c-8f0f-f094544b1af0,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a276ea3-51a5-4c5f-bdb3-6b130eba1483,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1b73638-c1bc-485b-ab40-04ee50b9b681,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,553c5471-4ec7-409b-88a6-cce9283da5ae,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a63644a5-ed89-4910-bcad-607dd9922334,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64e08ccd-b69b-4148-97a4-1b0c25cb90dd,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b90b5ff-3b31-4e56-8f89-9bca2bd334d4,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fdfd8af-963a-4b63-83ba-aadfcb88c91f,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e655822b-6e4e-444a-9d45-c85fff1f6399,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ba204e-4e16-4629-8ee9-a2c279577704,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7135213-e861-43f7-8704-4b7f4f755f2a,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6300dccb-71a2-48ad-8a53-7caa2fdc0b0d,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e91450c6-f82d-4c5c-ba5e-d09d4d7f8994,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60b8ceef-f568-4d3e-8d18-0a343c209c4c,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d49fe07-5912-4fa3-9d56-43669c0c1ed6,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0979d7d6-f029-4b84-a420-b218e13618f2,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,deeb4adf-9e7f-4128-bd9e-43d9587b8653,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38f0747b-8bde-4c08-a88a-dfba542b463e,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,279fd04a-e387-44a4-bd11-7fd62025f890,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f4b4f85-3cd1-4739-a579-955188760d8c,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e47a71ff-18e5-4368-ab81-87a88d9ec51a,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b92f44b-90d1-4901-976e-1111ee0d6781,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,413008f2-db6e-4d74-bd21-ee3357e67be6,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e26a46d-6be0-4e66-8e63-e96c448ce338,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df8a9afa-e110-418c-9ec5-f10db20d0819,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e153fbad-8748-4f46-b55d-9e855e1f6b52,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f9250ed-1ad7-401a-881d-63a950c614ac,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7caeda1-4956-4808-ba85-6a4aefb5e226,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aebdb2fc-8fef-4c3f-beb7-867339a7ea5f,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,537f3021-7ad6-4eba-bacc-e2170a8357f1,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c430596-6552-48dc-8c30-56b1484280ed,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46513e30-2293-45c1-bbd1-27b961cc15d7,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee39ab3c-c418-4784-a917-b0e0e35523f9,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5616b31-d61f-417c-9b3a-f2cd072eab40,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fd25fbd-c69b-4a3e-a5c2-4013aa290cf7,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f33072b-7e11-428b-af14-ca00996c8416,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ace8ed97-7974-4921-94fe-9c70934e07b7,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3325d402-ce75-44f1-8d74-3375303eced5,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,665def06-99b5-4996-a30c-eed6c0b5d398,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba3b7b3-6234-4827-b385-02073e9271c9,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f68c264d-7f1e-442f-9482-c5f599cdfa24,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78de1b8-7ed5-499b-a1e6-4cf7cd93d92a,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8e55272-5e00-4ac3-a481-544006310122,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7bc6238-ec9a-45d7-8c2c-931985f2d557,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98a43bc2-b78a-4efd-a964-390b7f74f48a,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,257bfead-b1b8-4376-828c-4d1a7a982936,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f147fda6-cae0-4c37-845e-3867d18c0e4a,"4/16/2021, 8:42:17.444 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c5919e2-3354-4987-b088-0e675d8f768c,"4/16/2021, 8:42:17.444 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,277a63ca-fd71-4ae7-b10c-55915afefe68,"4/16/2021, 8:42:17.444 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9ba428df-f14b-46a1-b20d-6f6d49d1de3d,"4/16/2021, 8:42:17.444 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f0a73981-b6c0-4a6b-8e7b-f6e4c5dcc8e2,"4/16/2021, 8:42:17.444 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 932 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c534bf82-1caf-4c32-9ecc-defc225496d1,"4/16/2021, 8:42:17.444 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 
+ EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ab397089-5e17-4849-bf38-4908e9436c7b,"4/16/2021, 8:42:17.444 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9559721-7051-402a-9176-f9b3bdb77656,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2786128b-5cc6-4e93-b5cd-b513398cc6ce,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f3cdb10-ed75-46c7-a315-bd1698408883,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5fab10e-7838-41fe-92ce-228abcffb52a,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1d4d52-c125-467e-a8a1-a51b8ee21188,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea822ed5-a4cd-4da6-bfde-c37aee5d08e1,"4/16/2021, 
8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1251210-f590-4dd4-8fa3-6d3b4ab7dfb8,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c64124b4-2223-4b76-a1a5-c29d1e52a98d,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e18134ee-0d03-4e7a-84c0-c415835eb38b,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21def242-37e5-47ce-aead-744808e791d2,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,066b02c5-70b9-4a29-b2e5-db63589c1b27,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92e5e45f-39f1-4d25-99fa-ed8b745e6a6b,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f172d1-6774-495b-ae2c-2ea4912f12a1,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ae413f6-3476-4d70-b04c-a7b58d49e1d2,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4b2cc1-0641-4cf8-8d7a-406a8cb502ae,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b594c078-b24c-4a28-a5bc-02b0f4652a7d,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcbcd51f-fb71-4830-ae5d-6e3ef58d91d3,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28aa7208-1d38-4b26-9a26-ebcbd83e000e,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ebfe1c1-82c3-408d-8f3b-7de8ab5ebabd,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f303dcf7-f730-4297-a7b5-976126da4802,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fc44ce7-fa6a-46bb-b898-df67f024aca6,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,252658c3-53ac-449e-a117-ea16f472c82e,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4772c7dc-0598-4a3b-bb97-3ae7c46b76e0,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da444c41-eb37-4ea7-b4a3-04769b7a6114,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,332ce0c3-802d-4d2f-915c-eac370668303,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cae4240b-df21-4faa-9499-396f6d35a695,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a962f096-8e94-416c-bcc9-64d53afb5189,"4/16/2021, 8:49:44.875 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9a720c6-d436-4e33-9def-8af1ea6da617,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,732d4885-af3c-4de8-b470-ba44a0844adf,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d51ce78-7944-4b45-995c-e007dd44091a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,373208f1-2210-4b47-85d9-15cfc2c7d5a3,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b3a6e1d-d9b2-46af-9869-dfb4ab87ab02,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06afdb5b-0842-4b56-b5d7-149781cd2e91,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f91a8ebe-85e8-4038-b803-e7b4e790d079,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,498dcd8a-ce81-438c-b969-21d522da2adb,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ccc907b-9ebb-4bf8-83ce-dee604e2541b,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7820116e-a4f4-4370-bb16-ca84fb908876,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dee409e2-5827-4326-b346-00107856849f,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2776bed-d3d6-49ae-b93b-884b94686de7,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5c34f6e-ecfd-47d3-89bc-a711c23b75d0,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64f85e11-ee5e-4e7b-9dfc-8785256adb76,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,999a5598-59f3-42fa-af59-6835b0fd149a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1ab1f1c-d140-46bc-b3e4-b7434b7547dc,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,858f7303-d173-4721-a306-81dfb049dc8a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0562585-1a41-4905-8bb6-46f216df001a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f993c1a9-e594-4c86-bccd-11927873d77e,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fab3b39-1268-47cb-8a36-784dc8906e19,"4/16/2021, 8:50:43.622 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68b89cd5-5387-4584-9c16-6446670e1c9e,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b022d81-9790-4ae2-8f94-56a034023abd,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59cb1392-f8e7-433a-a169-80b7138028b7,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,103b073d-623c-4500-9100-6358a2540ae7,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5849792-1dbe-4a48-a6c2-49348fb3c5e2,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21655437-c08a-4bf1-9423-621edfdf7fdc,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6fb8da3-107f-4206-8311-1c03efb851f3,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93c44e05-7946-47f9-94b7-5525e72e9ad1,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae52c7d-d0f9-46b5-bb4f-6d3933ae6e72,"4/16/2021, 8:43:34.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22e982fd-7136-4749-8aa4-f8ca5699d6e7,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fc35033-749d-492d-bea6-81795e5f4a6c,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6536b229-dcfb-4766-befb-5d06ae1218bf,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,758ea8ee-9ffd-451f-9d47-c0c19343e7f8,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcfcd688-89ed-414c-bd06-eaa8f129d097,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc673d65-d1e9-4269-8276-a14ceb86675c,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed49e5ea-8a53-4497-815f-328978278465,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa7522d4-42f1-410e-8239-c80463f39198,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9482de8d-239e-498a-bd1d-01c703c248b6,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,634f83a5-7231-4449-a25a-da06b7ea4916,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5418e2e-97a3-4155-913e-abf8d246e73a,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c39951a2-7c3e-493c-87b9-d02fd5ce2dcf,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c4d2cab-d30a-4f90-8c9a-4fe4df15b5e8,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,394b78dd-faff-41a3-bd99-5fbf9c549dab,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3262f404-fb8f-4db8-83cf-7e92e44ac04d,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0eca4d8-e6eb-4433-bad5-e0be656c02c1,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4b66e6cc-6e10-4f03-9527-537e65ffd773,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,523c336c-94fd-4c01-90f6-105c80565c88,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10876 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ddecf2e-8cc3-49fb-96da-026cf40d13d7,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7172 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ea3a9b01-17d7-4b2a-bd99-4366c16ecaf0,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5644 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb94b530-34ec-49f1-bc73-1c785fc6e792,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,171c0744-a497-4326-8091-6be0a123fc56,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,f6638b82-98a5-4542-8bec-6bc0977f793f,5424437e-94ef-42e6-96c3-2962430f6653,"4/16/2021, 8:42:19.551 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,e0056852-c6bf-491f-830f-0161d604e725,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b9b10a6-288c-4c49-8300-668e5963141b,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,df1cb61f-0845-487d-b532-c3eabaae4e7e,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bfb9d6de-aff1-47bc-b7f8-9f99dd05a92f,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0765255b-1d83-4aba-98fa-eb55c7022696,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba373feb-c9e8-409f-bcd6-f65b2065d953,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ee8bbb8-0b11-40e4-9e7a-84bb5cd7c365,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,,
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f382a4d7-ae73-4a73-9a11-2b7fe6cb642c,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,,
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f532b1b-c157-4a73-9329-c35f043bf293,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,,
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d04ea79c-73c9-4f84-9b94-aff88125acba,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,,
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,481f0868-db77-48f3-b64f-7cfaaf31a59d,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,,
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,994e4aa3-322d-43d1-a9af-2de968d1ac0b,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,7212243a-6dc0-490b-934d-8c7147a7b6ff,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6e497b7a-7813-4c12-a13f-90f70265975d,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6f3b40f6-e8f8-42cd-ab91-af6bb5d10f27,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f7e91ed9-39eb-4a20-97f8-86bc758ade60,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,37c76442-a4e9-457b-93ac-7dfd8ffb4d6c,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a089efc0-498f-4809-94d0-4ac8f8e1e33c,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f5733a3-7bc1-4afc-a470-23d17cd36825,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c35647d-5c50-4cd2-9cca-21a0d9ec2c3e,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2abe5792-b49f-4166-8517-2146ea7329c4,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation 
was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,fc4362b6-b6aa-4856-8a81-f89a1a64d840,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,69270f9e-95f5-4a3e-a4bf-c50bc7a123df,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3a5e9396-4f6b-4a61-81c0-8769d1cf68a1,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,59758ece-0450-4e6e-aa79-951ec3cd8c68,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e16370de-e88b-4402-bf3a-a0462dfe2897,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3fc5b1d8-4d67-47fd-98e4-6351a2211092,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,af881bcc-ee70-46d3-846b-ecd03fc9d895,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b4b8f24d-0fac-4f8e-96b3-179d4c03ca33,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e600303a-675b-4d9b-9dff-4e57d974b36c,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,baf19e6d-1864-46c3-b442-24165e6eac06,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86fa3004-2fa6-4edf-b89e-eb9e2b0171ba,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,127f7656-9eab-4054-8270-cb9734aa2596,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2aa737bf-872f-4d79-aa6c-c4201e140ecc,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0510c3fb-6ae3-4ee3-8d99-e7d075a3c394,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,275f0675-771d-425c-97ba-02709e483558,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,937d9430-8b45-4cbb-9f95-6f270d2ef2ab,"4/16/2021, 8:42:24.052 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,38a1850e-8255-4571-9821-80aa5757c424,"4/16/2021, 8:42:24.052 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ed53b59c-6ce1-40d9-82a7-0f479ed55ca8,"4/16/2021, 8:42:24.052 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a6d1e5ab-4473-4f99-a33d-4b7cb19118a1,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x783c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,53c5bd42-724c-48fc-9f54-20a16ea81d75,"4/16/2021, 8:42:24.052 AM",,,,,,0x783c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x783c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,598bee00-7968-4bcd-8c6b-d1611641908c,"4/16/2021, 8:42:24.052 AM",,,,,,0x783c, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,c35d3ce2-64dc-4f0c-8f10-bef39d59d59a,"4/16/2021, 8:42:24.052 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,a366efc7-1818-4146-b8c5-25bf671f0b6c,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c04fb119-6c94-4694-bcd3-c9d4afb37557,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,88f04ad8-875d-4132-aed3-70288205b85e,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,338d2b02-0c6d-4370-afbd-dee405d6f123,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,76b80efd-2782-42aa-99e6-e1cbb11e502a,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e7d339b2-255d-4e45-88ab-cc31d6ad5a3d,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5962e200-9906-4da3-94d6-4c3fe30f9465,"4/16/2021, 8:42:24.052 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f881984c-7b0f-4235-8282-3305889cd095,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,806be3e5-138d-4d77-bc21-7e8989c3a182,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,377d400e-e96d-4510-96c3-e0606734e0d3,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00f2ae44-c2d1-4e1f-89c7-d069a51537ae,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f762fe83-1b80-4cfc-ac58-1bd5c54c3b0e,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04348875-70e5-4b17-89f5-1a74bdbffd97,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6090ea5-6dbd-424f-a91b-e1098f42d6a0,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,623bb6e7-9d29-4f10-a0fa-6e71e157851f,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f186e708-176f-49f7-b051-c729e0c986c9,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbefdb75-2568-4a56-bb5a-452795eef533,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d63751ec-52db-4d85-a61c-f9cf6ae99d69,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d2c3f51-738a-4515-84c3-d16e631c5030,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,842db297-4aaa-4abd-9bc7-1161256cd8b9,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9cfe4a2-e081-4882-bc8d-0e22857102df,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97ad9e07-debc-41c8-b766-c23297773211,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d0d7e05-b11f-4f84-bd5b-bb3f89e94571,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8edeabd-501f-468e-8898-c00698accb64,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0759dab9-cc25-49fd-bc49-e527514fba16,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0dba440-f46f-4397-bc2f-aeef5868c871,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09b14511-f2a6-4e21-9f19-9a57ac5f0171,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15ed94a0-d1cc-4219-acd3-ebaf9fdf545e,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1e2e9ad-7e7c-4fe4-a03c-36f8ca297cd7,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85303d9d-7b22-4062-a1c8-5d5157c69706,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6326542f-02ec-4fbe-8199-cfce5cb8b2a8,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8152c059-ef8a-479d-88a5-edb6ddea771b,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\FISCAL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c0362e-b1ec-47f7-8fb3-f590e73088ac,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,91a01168-65c2-42b8-9649-51853e67a4c6,"4/16/2021, 8:42:28.104 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,da98e473-cd3a-4ae2-94b2-cf95a9af83fa,"4/16/2021, 8:42:28.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4476 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad7392e7-45a9-40d6-a6ce-3df23614923a,"4/16/2021, 8:42:28.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fbb46f7-0543-4c0a-a6d1-e0ead5ab7832,"4/16/2021, 8:42:28.104 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63068eec-57ae-41ef-87a7-c5ba4654e263,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aacf49d-0724-44fa-adda-59fce8056ad2,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,955909e9-0cd1-41cd-bd85-fe209060a7ba,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83bc7b6-7695-401a-955c-0f7025ccf3e8,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09e09488-db61-40be-97f5-896804262e96,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef4e71c1-2888-4f03-b320-9d9e40647dbb,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8302171a-4d46-42fc-8420-6bc49a8cda3f,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f778f5-23b9-4a01-993a-3f85c924a79a,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24f5f336-c752-4f7f-8b57-5e9722a57043,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11978764-5b94-4040-9222-3d4d52b8126f,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91f0406b-6eac-4065-820a-196b9fb6d672,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c18fd52-ff16-44f1-b1f0-5b061551222e,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,423d4923-97eb-4fa9-8a85-3bf209bee0cf,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f540b01e-1899-4341-95e8-5da7578fddaf,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d175e76-8217-42e5-9c67-3e063ae7e2b0,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f320572d-336f-4192-803a-d2ca3a12a106,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3451f428-52fe-427b-8467-89b4fec92eca,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed70946-3b68-4cfe-89c9-ff40ca17caf9,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c1b7526-fff8-491e-9548-a82aa19d4669,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5b63447-8c6f-472c-9c3a-a3260f21e731,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17ddbc92-b198-4a90-a73d-ef7ac3e227c8,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3baeb852-6299-407d-a9de-887327e9c6d1,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd63da02-bae2-4b06-b886-d315fa002dfc,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9e0546e-005f-4012-8de9-4a871dd411e1,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fa00372-73ad-4918-a21b-99fb41000682,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca98649f-e2c1-4f6a-927b-b3aaf3a7f741,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,c44dd601-7148-49ba-b0ba-5fe8279c1565,"4/16/2021, 8:42:36.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5885a3c-2c07-4762-990c-cb25873f5933,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29552348-3b65-4f40-ab62-cac374faf2d9,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5b405e3-c914-4035-92ac-06051ca09304,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4c55057-1e9a-430b-9dc9-87010c607156,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f6baace-5e08-44a9-a316-355781b2238d,"4/16/2021, 8:42:36.102 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c1e68b9-3faa-4e0b-8fec-f369ae47d9dc,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,538d6883-f188-4efc-9275-af8371511593,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6ac3487-8d15-49f0-964b-fa9a4b45445f,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98793deb-9b41-4268-ae6b-7d3b8b23e5f6,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b883e40-11d1-4757-976e-d303822db022,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba0d057f-7cb5-4a6d-bde6-f9d223b489ff,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc6f54c5-be5a-4c49-b358-4cdb7ffb34b9,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da5e93d1-6ad5-4b48-bba1-f58fd80cff6f,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa23ff38-2411-4541-b345-b306a4e066f1,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9129e8dc-0332-4ef2-871f-5cf82df8d42c,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\OVC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06b76f10-0a3d-4d77-a395-a2588495475e,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e50e7b9f-d724-480c-9941-3dca43925975,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95cc09a5-633b-4d39-9d4a-247f193b09ca,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +\MANAGER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,16bbbce1-2263-488e-83c8-8dc01245840f,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5d52c93a-d742-4bc3-9979-b00775e36249,"4/16/2021, 8:46:21.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ff17c10d-b887-4151-95b9-c81afe22b1b6,"4/16/2021, 8:46:21.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 
+ EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4528 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bde11ebd-78f6-42e7-af17-b7daf11b0f52,"4/16/2021, 8:46:21.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4488a4e-2b5b-4eea-8f42-801d4c6fabb2,"4/16/2021, 8:46:21.409 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5b1f3212-9631-4998-95b5-be8a7242e1ce,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f8c6e658-2873-4f9a-ab12-1b6891f62488,"4/16/2021, 8:46:21.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4560 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b612af60-6f32-4106-99cd-845c6c17e2b6,"4/16/2021, 8:50:49.258 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,77786095-65fe-49b5-b49c-1001d9c03023,"4/16/2021, 8:50:49.258 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee3c818d-e4b8-444f-81ab-4ad399de113b,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcc38f30-a8dc-45a5-a63b-99354d1b079d,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,826fdb56-afba-4a4a-ba3c-89a876337da6,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3c55525-0890-4b05-aab0-69acb8e7784c,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8870732-efc8-49de-b4c8-12622c4530b9,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09805081-68c6-4456-8b2f-a5e2e8cd273a,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d44736-f4fc-4c72-ab64-0aba745b2834,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d324d6dc-2e41-4418-a85b-8709b723c208,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371f3adc-b827-4b3c-8117-fc0173a4c1e8,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bc1aadf-f81f-4dcc-b389-f4fa83f7874f,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40cbc00a-c5c2-47f9-8641-29f55eb8c7aa,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8ec0fb2-ea7b-48c3-81c6-b65c52000ae3,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9afab2e0-1021-4da1-b452-e2f3c330bbf1,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748ce352-a3cd-459d-b37a-3fecd7b7ce5e,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc923449-9996-4843-af4f-7c242a6f3fc7,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6e878a4-c796-4e08-84ab-be933f5cd8c7,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b66fd5d2-d944-4874-836c-cb46b74175dc,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0eb82329-a3d3-4606-81cc-e95bc499dbb3,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac82504-85a2-430f-a1fc-28753010b4e3,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,773f82f2-4084-4e78-b305-c3a71b9983ab,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfe53e26-24fa-4a71-9c89-ba26183f6550,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e4b1902-8a62-455a-9462-fc8bafb17560,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26487670-6f69-4349-8116-81ab1663d33f,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a784219b-8871-4751-804c-f6d0a38d1dd0,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eabd00e-e246-423d-85c3-06a7c6f8a432,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2fd8b7d-441a-4d04-83c7-c257333b4f49,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5b88f40-33c0-42cb-9ded-259dab7028ec,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66edf482-c3a3-4bb3-b3c0-995586e766ce,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cbbbf37-83fc-4d61-a9f6-90e92a0cc1b0,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1347da28-65e2-407c-8612-9ccc4722ae39,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af27f73-6522-4885-930b-a95701c80d3d,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0b4c330-3f78-4cfd-bb12-f1b0565b9ece,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f60dbe4d-bb11-4de3-8228-194dc7cdb565,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b03dd918-b558-4a94-9537-9261146dc450,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e50259b0-8cf4-4f5a-a6e8-aaf37a4509c3,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3eb3b953-db74-41d5-9048-1e19a6387b36,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d903324-4687-4cc6-be31-891d5c3e6343,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25b3d43c-76bc-416f-823e-32a806d8aa29,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\CHEF,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,887471d5-75a8-4e56-a16d-bbabcd34ce2b,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20094e86-ef93-4302-a76f-3fa6e38e2751,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fb50a1d-6e64-4acb-873c-2816a648d768,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df8efda1-456d-48ff-b62c-701b21afaf7b,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6d38e3f-c6f8-4c45-bff2-06f996e89234,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16fa5d5f-0ade-448d-b975-3ba4f6ece43d,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb755ab5-e748-4ecf-b3e1-f310ae28789d,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a5b6f5a-5140-41b1-b4b7-a4d503d74666,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ade6d19-3227-4532-83ad-9c71c5ea6ab7,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e95ebcfc-d77e-448d-8d1b-68caeaff316f,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d86727df-2ae0-4a40-82c2-dca022eb296e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fd88758-114a-41c9-997d-7e120284092e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcfdaf5a-9bde-4e18-9bf9-5f6e844ce0c8,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee5f0d4-a144-45dc-9f8b-3a986cff521c,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31d0a72-240e-4e95-ab80-67479d3d4a40,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91c54edc-d0af-45fc-a07b-ebf267908266,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b063e9-61b3-4f0b-b282-6bd4881563a7,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23f86ebd-61b8-48f0-a1c8-ee2548e1ae9e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21944a7d-9f03-450e-b2e0-8706f4ceb8fb,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0320acd1-ed09-4157-9f12-d84c716bae8f,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20c2842a-5813-49a0-9943-9ca9a4623851,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0ee99e-5ed7-4fe1-8e4c-304a76f9e9b2,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c7a8d53-fd22-4746-a613-2c5ac0c30de5,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be1a6a3b-9c62-44ad-ae88-0f07667bab37,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d631ef0-65f8-48ac-a6b1-9816a3aaa434,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75099efc-e323-494f-93cf-7a2ec12e7ad1,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cd6fe07-ab9a-4e12-b7e5-2c1ffc1eb215,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6abc57ae-c3bd-4ee2-9748-9721a179c0c1,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9fdc7df-162f-4f5d-adeb-ef7343ae4fdc,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d963822f-449e-4a77-8421-6867badd094a,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c690ad5e-0779-4c2c-bba0-a3eb42ebf04e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a2a2867-fd69-466b-abfb-627d3ee0588d,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a58600-626e-483b-a7eb-c549dea4a66d,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f89dd044-da2c-492a-b049-2645cba1e2e4,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3f93c1-f78a-4c47-962e-f3f1ebd78848,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,6333af83-2db8-4e83-bfa6-cbff3ea31eba,"4/16/2021, 8:42:44.854 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46052041-5bf5-4b62-9549-2ead57011d17,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220bdc49-d937-4f9b-ba8f-0f8622449e78,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee98589-4118-4e71-8ca4-5e1d7efcccae,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d2a8beb-49b2-4cd5-a8d0-f1005bc5d1f3,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e01d27bb-33af-49d8-9852-4a4d6bbf20bd,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bb1af95-21b3-4f3a-86e6-2585baa67eeb,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b84292-0529-4840-89c7-2bdc3ca18b3e,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dbc347e-3fb0-4789-aead-30088a75bf87,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2368f81b-c939-4deb-a286-b32c014a4d49,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3907c56-e39e-4456-8ec9-810f5e29046b,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9704c79c-06a9-4d91-af84-c0d12cd8d44d,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,041c5519-c282-49ba-8f56-0c00524f66b5,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abe5ef23-823b-4087-90a6-dee14cd121f9,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e9ab397-dd90-49db-af5a-8cb2ecad3b97,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370a5d5c-dde8-4920-b1bb-9110f85a4dc3,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3a1a494-1411-4658-8e40-c2e114bfc262,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39e37eca-465e-4415-bee7-c0be7824f5ac,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7607a0b2-393b-4403-ba5a-13026bd97605,"4/16/2021, 
8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e021e988-fe6c-4922-8ff0-89ffd6f3fc0e,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce03d01b-3df1-4056-bff3-ae94dfc06c86,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1890392-d0c5-4616-8f19-2a29bd9a80fb,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65770fb2-ed28-4fab-874a-f971bf238694,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d3d657-9e7e-4658-9779-09944a5822db,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b90bfd3b-5880-41da-a494-8f77c8f81507,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c67ee9b-9012-4311-a2e7-5277075b974e,"4/16/2021, 8:42:48.411 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0783755-8246-43f2-8744-3c91e811a046,"4/16/2021, 8:42:48.411 
AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3608 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,81ce7db8-6c14-4a16-8125-7a5888af034d,"4/16/2021, 8:47:09.855 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6448 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b2690a14-399f-4104-a516-353276405de9,"4/16/2021, 8:47:09.855 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e70425af-6d14-4f94-a686-0cdcf089473b,"4/16/2021, 8:47:09.855 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c844427-70bb-48bb-b17f-1934cb43f111,"4/16/2021, 8:47:09.855 AM",,,,,,, 
+,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d341c260-20be-4e41-b81c-8eee7a69d2f1,"4/16/2021, 8:47:09.855 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fc4c3b2-585d-4401-a1e5-ddcac82689fd,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d01a56ba-9cd8-4cbd-b8d6-38294f524ef3,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b68a60a-619b-4801-aa65-a357ef410bc0,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8b766d-5c7e-4031-9a5a-926362221df7,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\SAGEHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fd63743-733e-4267-923b-233f58b2c742,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3e0ebcf-9c1f-4437-8fa4-e4ce667edc87,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ded08ed5-8fee-4966-9989-70a6281f8882,"4/16/2021, 8:50:52.110 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd2a99ac-5bba-4b42-a0da-534c38a243d8,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30631ee9-103c-4c9a-a29b-2246e9a1b668,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc2c823-c8d2-4a48-b33b-1f358817c17d,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,321b1484-4942-4206-b6aa-c54382f80840,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7667e4ce-de59-4f76-9d72-95ce1347ddd4,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c63677-4f57-45ff-8fb4-d26cec786e6c,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a7bc09-6cbc-443a-87ac-bd53d7a11a45,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95fb57e5-7c2b-4e0e-bbbe-4ea0c0ac5c67,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e662945-0362-4e08-8bb5-fc3e9ab2a4f2,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,769101e1-4036-4a11-a606-12d87cebf52f,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5975d18e-8b44-4003-8768-a39c578b3901,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\CRESCENT CITY,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b163762f-fa44-449a-9c88-217a4f20600f,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5e3ff7e-5f89-4b3f-9cb1-96442424aa1b,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56f603e9-94ea-4476-b319-a8d911d0af01,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a683ab00-b2f4-495c-8687-97acd06f7463,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11528cfc-d527-4426-9b7f-1e18bba8d3f6,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae4d697-bfcb-486e-9233-4e17d07fafc3,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42ddda18-65c3-40de-a9e0-fd15028f7b7b,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e64b4833-d85b-4cea-bb8d-908b6f59abde,"4/16/2021, 8:42:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10008 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,dbac8c72-c908-4c36-973d-2071bbdc46cf,"4/16/2021, 8:42:49.278 AM",,,,,,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c98b18a3-7ef3-45cc-8f9c-ee0988d3fc72,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efd55951-181b-4eaf-8401-4d8c68ad103b,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73b84d78-effc-457e-81bb-21fd66e2753d,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47f3b2a6-93b5-4591-9895-727d591fbc21,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14d8a9c6-6178-4d9d-a9c9-9dfc9714ba14,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b0e424f-a752-47c4-b6b5-32adfd50ff78,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16c34012-0ce6-444b-b997-182cc09108da,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\WINNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b71d57f9-ba85-4c1d-b328-5b9f2993f0a7,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\BOSS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,582a1525-0690-4e77-b31b-e6f1da10bca6,"4/16/2021, 8:42:48.600 
AM",,,,,NTLM,, +\WAREHOUSE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde94077-fda4-4e10-84c4-9ad05eab8446,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5f33149-50b5-47d1-b722-7f2d0a8da528,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04420d6c-3896-456a-ad43-f8afdf63ad5b,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,580ef6dd-bb33-457d-a72e-7645dfa76137,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0d1742a-b73c-421c-a886-8a9f2db38062,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5358452-614a-4e74-bf12-dc49b1180d69,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdcab576-96f6-4b79-9e8a-f3e2998696d0,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\ASP.NET,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5714e02-f371-43ab-9fc1-86c57fc950f9,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c7e6254-bec8-407d-b82b-8fc2b12cdc3d,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12cd97c5-b52a-43ee-92cd-e96e63db050c,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a577a2af-c7ce-4550-8852-b4833ed4e004,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e204d206-658a-4102-b60e-46e739bcdc67,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c1a6608-af24-4af6-a22f-69f43d7f74bf,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b746e834-b504-471b-96fb-c3ecdd1e701a,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a772410-e882-4e80-bf8f-306cc0a4d310,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11540 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9d9bf0fe-2dfc-451f-90b1-0814e24ec15b,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1756 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4f860a1c-c54f-4992-93af-e63030cbdfd8,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4664 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,32f6224a-79ec-4a65-9b6e-09f11ed5bdf1,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5624 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9ea42e37-a8f0-4918-b02e-72d1ebb046b6,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 11252 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4d850f79-c186-4bcb-b809-a3d1680e08de,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9088 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9961b39-1781-438b-8ea9-40bc0b497eaf,"4/16/2021, 8:42:51.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4ec5b64b-2497-4d40-aebe-3e45d6fc8ab8,"4/16/2021, 8:42:51.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5379718b-da65-4907-9504-5da38d3ae0f7,"4/16/2021, 8:42:51.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fd390f65-a51c-473b-aa51-aace1c181d3a,"4/16/2021, 8:42:51.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,565c5625-b701-4a35-9a4d-21e2bfcde496,"4/16/2021, 8:42:51.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6028 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed1faab5-5e40-4c52-8d99-81c9f3ccba20,"4/16/2021, 8:42:51.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1428 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,87fd73e7-bcec-4726-880e-5ac2e72c1fe8,"4/16/2021, 8:42:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6992 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,91e444c3-5d9b-494c-a376-09c322d3ae56,"4/16/2021, 8:42:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,69df85d8-2b14-4c9f-8672-9045eb5e74dc,"4/16/2021, 8:42:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fa2a1358-050f-4523-a901-0d9e5a972628,"4/16/2021, 8:42:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ea7712b2-ed81-419b-b9e8-62520ecc5886,"4/16/2021, 8:42:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b7b4b909-2cc5-463d-ab5d-411f180dfa6f,"4/16/2021, 8:42:52.740 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e1cda49-365f-4be2-b92c-d31d84b3578c,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19b64dd7-2a20-444e-a55b-54d3893dfc8b,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06abfcd7-48a7-48fd-9069-15cfdc51dd9d,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7c08843-8a3b-47cf-8226-fbcccf1947ed,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dac0633-9209-473e-b26f-df9a7fe751d6,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f133eea-50a3-41d0-883c-79305727e073,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8a0911a-5b4e-49e0-aaaf-de19713deeb8,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc8f1a2c-c53a-437d-aac4-1ae588fe86f9,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d1c30c-e30e-4885-8e1a-1981cdbad4b9,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46821dcd-3238-4af4-b601-d5f76ced2aed,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94a88f87-e0dc-4c90-b5fc-09e0a25f7c9e,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e8530ed-f273-4992-b964-6d5d3cddba69,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6bcce37-0ebd-4c10-9990-2852a7aff39e,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b17fa32-69e5-4a2b-92eb-b01e32200fcf,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,058fd389-9b45-4cbf-9530-3b2aead505eb,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32735667-f136-4e8a-aceb-e584e12ec158,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59fa5e4e-a086-4679-b77e-3d2491b486fa,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86d5883b-f745-4d7b-931c-671767676300,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,225d4598-23b1-4104-93fc-15fa6b285879,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,348aac2a-18bb-4787-85b2-6db80f65d952,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70dbec17-4f0f-4311-af87-425d896145d6,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a24ff925-5f7e-411b-ba77-341c9e455f31,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72cc7c5b-09e9-45b3-8413-c5c63d97be48,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e21157-c770-4d6e-a2a8-f86b5dedadc5,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef6c797-af1f-4272-81b5-7d6477254368,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49cbd5a1-d54a-4e48-92f5-eb761de70470,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20f8122-58b6-4951-bdc4-7d1a797003eb,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24d9b65c-3e14-4aa4-83f2-6afb6e7e0db6,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,010c512a-17bd-4f87-9efc-b936a7ab19bb,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36c77fea-8a98-4845-b922-d9ab0c038717,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70f732fc-3e7e-40f6-976f-5204e5e73e9f,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,710170fa-a9ae-4f3a-bf70-34c490345238,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e039c0e-9c4e-4a04-bb62-b2f885c84eac,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef4cd6a1-b750-4d19-a051-fe6e34b96798,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6cfcdc6-0b8c-4a0b-b8c6-6d17acfd4441,"4/16/2021, 8:51:15.634 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,174095a5-c1e7-49c2-b790-0fa63ffb92d0,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,785d46ee-8f04-40fc-bad1-b26dbd1b8030,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f518017c-b038-47c2-a49a-4034108d9c10,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dc348ed-698b-41b3-b346-d3f5e8c82040,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027540e5-0f14-4f9e-a114-afba1de7834a,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93a2b15a-22da-48c3-a464-f006e2d0c8f6,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bef39287-f9a0-4f78-833e-49d581f5a6e6,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c1df5a9-10cb-430f-9894-4035f4d446ee,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5259a76-55cb-4e05-8c4b-563bb59d511f,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fd0135b-135a-4bee-9fe3-afa1f4c2aeef,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64190d0d-fc85-4d8b-9627-40b2b05d89c9,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0fde6e2-f368-4904-96ef-7099979c00ec,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd2811a8-08e7-431c-b95a-31775f197607,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,109403c2-cca2-4fbf-9cf5-506d3e0119e0,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fd29d86-d3f1-41a1-8ac1-660c76d06d03,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1276 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cf1ca46b-006c-47ad-b25c-78210ac8c95f,"4/16/2021, 8:42:55.986 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7480 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4b237b63-3b37-47fa-8a0a-8b6e53557afb,"4/16/2021, 8:42:55.986 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ea20e1-a3cc-4594-9fec-34bc7932516a,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc961adf-cfa3-419d-b34f-0f4530e40007,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f840daa1-1ec4-49bd-bd97-5a897558fa79,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,157b3296-65d8-4d62-ad53-e888da988ed0,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b072b1-6589-4731-88a0-36e306ef467e,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a484638-959b-49ae-8ca3-202b05fc8edc,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30d10801-105e-4602-b557-360f2f00112e,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c60ae13-61dc-481b-8a52-c602c7412159,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5abd3ca-f77e-41f9-afad-a667566eda33,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf51b92a-a7b8-4b6c-86d2-37393f7bd955,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee3199d3-8353-4d11-b867-5981480be94a,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5223c0-1606-440d-869b-5b6f29a2518c,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9cac82d-11ee-4d39-9d10-ccd111207669,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbdb298-a44f-4447-bbfb-dc055db61fce,"4/16/2021, 8:52:21.192 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf871e81-6e2f-41a3-a33a-6e11b8b302a0,"4/16/2021, 8:52:21.192 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b30ca5a-b380-4e04-821f-6fae7fa3d404,"4/16/2021, 8:52:21.192 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db14a1a-c89e-4f6e-96bb-a188b85fea14,"4/16/2021, 8:52:21.192 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e391b48-81ef-4ce8-8f78-2281064b1f46,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68a83e66-5326-4253-bdc3-d246a312b603,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49b1f9eb-547e-46f3-8b72-a60d8632ea89,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49acc1d2-5085-4baf-9b4a-e55a6e4490c4,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235aeaa7-a5ca-45d5-85f3-a4b1aa730931,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0408094b-0335-4ffe-820b-39b95a55fec1,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c5186cb1-d76b-47c3-8af5-67abf0e02a9a,"4/16/2021, 8:51:01.414 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 3024 + 2021-04-15T01:13:28.220444600Z + Microsoft Software Key Storage Provider + UNKNOWN + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\ecc84254804e00c8a407d222b20947e8_2c28d2a6-9a4f-493a-825b-4dd06262f38f + %%2458 + 0x0 +",5058,5058 - Key file operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,809be781-600f-4cff-a92c-8a98503848f4,"4/16/2021, 8:51:01.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider 
+ RSA + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,81bea5fe-c358-4d6a-8a51-5a21ab8b6b8c,"4/16/2021, 8:51:01.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 3024 + 2021-04-15T01:13:28.220444600Z + Microsoft Software Key Storage Provider + RSA + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2c2bfdf1-c965-4c99-919e-010aca53f134,"4/16/2021, 8:51:01.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 3024 + 2021-04-15T01:13:28.220444600Z + Microsoft Software Key Storage Provider + RSA + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76f0aa93-0a1b-4162-98a3-5ffe4e2a1d96,"4/16/2021, 8:51:01.414 AM",,,,,,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,159c21b3-036a-4536-88a9-4314b922b2e7,"4/16/2021, 8:51:01.414 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,829cca74-47ff-4c5d-928e-0097408034b3,"4/16/2021, 8:51:01.414 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce219848-3054-4dae-a508-af4b8e16b89c,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,575a2cf9-7f31-42a9-83b7-6cd19b491dfd,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7644ef0a-e615-4edb-8f66-bdf996d5c87b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4a472bd-8de1-4bf4-b42f-1f33f15c3d90,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a090ce2-0a67-4524-9d0e-1111a2df252a,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee84a49b-8375-4e2e-8f2f-21ace192190f,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a729b3e7-f005-4c00-b908-571c8eff3b4b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fdfad49-9ab8-4183-86d2-089823015c06,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d45a4c72-6873-4440-b8b1-ce77b205f5d3,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d9a17fe-0259-44c3-9678-a02aca520b8a,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f8a0423-512f-4bcf-a51a-d73793f51080,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,813ae4b3-50d7-43a8-a28a-1aa0dc56593d,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e724c97b-7100-4d7d-aa38-802af8e82fa5,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0e95cdf-bab0-49a2-8210-86ce7db1bce4,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd67318-d56b-4ca8-ad53-af1eb3f49862,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,902ec3c9-c5c0-4076-a999-d6c07a2bad7a,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28858ddf-a73b-4bfc-b4ae-9aa19ee83341,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14186fe8-56fd-4464-b2db-7f6a60ebf106,"4/16/2021, 
8:43:02.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27cfd0ba-5b50-4309-baa6-8ed4f34080a7,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82da0645-6c98-4d11-bea9-6962600fbd00,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5237068f-21a6-4bc8-a000-d7e5e1defc82,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a98f42d3-f629-4416-8b78-1ce61e6d0e2b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b45402-62df-42ac-9d33-c0c81492e005,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7bc20f7-9d7a-4ae3-b9df-f5bb9ecba32b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4548 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + 
C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,65618be7-0f48-432a-a9a3-481d530d270d,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5764 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0c267027-fede-4b90-b52b-9c1f635c768d,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6468 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,48e1db24-6033-4750-b667-f799ddf97d9f,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eefc10b7-495e-46d4-980e-41a2f90cfe3a,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ddc5856f-5175-4894-8a1c-3e5ac04a28dd,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ee477f01-1e0e-44fb-8fd2-0f9b71005766,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e035a890-2b87-4bec-bdcf-8e4e643d59d8,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,353a36f8-5512-4bcf-b206-2477375f6d0d,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4308 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9c55b01f-d4df-4a7c-bbe6-e3248f29bc5c,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c011bd5-bc12-4697-af44-46dbf2d9486f,"4/16/2021, 8:43:07.851 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,29d0004e-2e62-4a2a-9bd7-eb2835339aa6,"4/16/2021, 8:43:07.851 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32c1e709-9b4b-4467-a5c1-c7b82c6b4e75,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e549aa9e-da7c-4576-bd70-f894a7de0156,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00bcc44d-a56f-4037-95b3-83a6a2b14031,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cacfcc06-1e67-49da-b7ea-fa0dd5927d0d,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,609c55c8-c3a2-4761-a1c2-ccc5d54b52aa,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f0c6e74-5550-4039-9b96-77669c457194,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfb89455-ca6d-41fb-88d8-3644dbfc141e,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87f1c61e-f656-4f15-9491-84b747b5cdcd,"4/16/2021, 8:43:10.605 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f49a6717-6d7e-4419-bc13-b57225f87861,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b8a08dc-eedd-469c-b6cd-577848008469,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1567a02d-37bd-4991-b950-f8c92a0e8154,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de909014-5586-40c9-b048-542e033d8034,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70ea5852-1e35-4b7d-b1fe-a37a963b05f2,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a493fe02-6330-457b-a8f5-95516ed589fe,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c633bcc4-b675-48ef-9469-2e616efc21f3,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c0ccf99-07c2-48d4-a968-b54775f483ef,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd7209c3-9969-41c2-9f88-528d76642990,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,195babf5-8b4b-4d25-9a4a-f751e6212377,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd7d8b9a-c7f1-44e8-9c93-84e009035eb5,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,706387fc-d68e-43a2-8487-f5ccc47ea982,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,741e2a79-180e-4f79-bcf4-019560559627,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2511e2b7-13e6-4c12-b58f-ceef8260b24a,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,750e0653-beea-4593-83fe-1517b3e24634,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9cd8927-a448-4ffa-bb85-d3dd40b5a2b7,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78fcf899-8972-4d54-806b-e564b11236d3,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61bff960-a313-4785-ba2c-98b55e94fba3,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1466aeb3-1cd3-428e-868c-92e0f8a2fe58,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af73514f-438e-4eb5-8413-dc7ee7c5ef7d,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aba464a8-2d85-4106-97eb-4ffc92f6e1ff,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77de9a64-d99b-4b8a-b11f-808abed0822d,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235508b0-a38d-49dd-b7e8-12a46b33f432,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,649022df-f1f9-40ba-9472-75f33f56544a,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89937670-ef34-4647-8045-38b69709bf50,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b888c753-e737-4d7c-b799-3e216a2cc171,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3e17bdb-bc44-4fab-9302-17197aa75138,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f2fef60-75ad-4f4d-9b80-c5e9ca5aa34f,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ce9a705-4c7f-4a44-9bf3-14d605157262,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14b22528-c4d1-49cd-b9e9-778e5568a841,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4815bb41-944c-4e86-8d7b-c6e6886fc846,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2365f325-e731-4990-aebc-bececeebf984,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef6a3aa8-709f-46a2-998f-a07aba5f1aae,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1608de51-4ed4-4458-94a5-8f53a1033031,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c75bc69-b4ad-44e6-84b0-acec63d0a8fd,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c1379ca-c87b-420e-b656-1dfcd940f3dc,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb069cfb-8d0c-49eb-96a1-585f4ae1acc3,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ff2450a-a3eb-422f-b00d-4e4acfb560f1,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ef94a41-1f7b-4597-9f0c-188876a24d3f,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2c403a3-6fa4-48e8-8876-b5914d43c786,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5304 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,67e68432-cd30-49bf-9ce1-d7edbb65b049,"4/16/2021, 8:51:41.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8604db8-2794-4e6d-a86b-46fa2c0c154b,"4/16/2021, 8:51:41.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ea437671-9806-4df0-825e-7693d74b80f0,"4/16/2021, 8:51:41.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3addf799-c88c-4e14-afaa-3ecdc0a4d170,"4/16/2021, 8:51:41.408 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e38d6fc9-d996-41de-80ac-418df3c3be81,"4/16/2021, 8:51:41.408 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,49977df3-d138-48e7-826e-44200943dcd3,"4/16/2021, 8:51:41.408 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a6f6e5b-583f-4bcd-b6c0-54b75f75806d,"4/16/2021, 8:51:41.408 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,288bef1f-a1b6-457a-a394-ac93d78ba635,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49fb9a39-eb98-46fc-9a7a-0e632869decf,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b480318-4168-47de-ba54-f01d188a4213,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c706046f-15a9-4590-9b9c-6801e1acf6d1,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e844f136-c4d7-47df-b30f-b9b1f1bfc4dc,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6106014-fb5b-4a15-bbfe-f224d497caa6,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3be4f3ac-4956-4259-92e6-76229cb1b078,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e294a436-f870-4f9d-abbe-dbe5ce53201f,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acce0df5-fb5d-41d3-933b-2a6674abed9d,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1a86754-63ff-4164-b1bc-46dc8e3a3481,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,438c8537-8616-42ec-9d91-f7e0a51a3cde,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99e13d4c-d79a-410c-a949-0be7462c46d5,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,036d5b16-1b62-47c9-89c2-bc821f3fa094,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfc7c05e-311a-4ee6-aefa-5d5e93b8d34c,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\JOKER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24c3b103-7b0e-4727-a638-8ae9e9fb8281,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,579da6cd-b0e6-4eec-865d-c5c0af229596,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,654830a3-7636-477c-a85e-b714cf915253,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc396cb2-54fa-4284-93fa-3dfb2ff47769,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5633f546-27fb-49c7-9268-7b6971b49655,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,642f9003-fe85-4d01-b743-f680830c7fb1,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b6a209d-799b-4054-8930-a08a1d354899,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1a73da-29a5-4fe1-85a6-2e06aad93668,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79caa4b1-4d73-4097-b381-2ed6e5a5b178,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\CHRISTOPHE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75863261-867c-4e75-8fda-d3f2b2da2fd8,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,813c67d1-24f0-4751-9bdd-cf907ce38edd,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c248f17a-c951-4f4b-a495-1b902a674f23,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,481e90c3-ee58-4a49-abda-a105d7932ecb,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8896ddbb-a2c7-4950-b202-c7a705f913e9,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,019a511b-79ce-4251-98ec-88cc0592e30e,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf3097c5-5f1c-488a-99d5-73190c7f9629,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9898268e-1e26-4b5b-b5ba-2c9f15c34f7d,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeb25d6d-12db-4d1b-9853-885e975cd3ae,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a4f3a02-a56b-4ba2-adf1-a305bed35923,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd3a4123-53d7-4f4a-bbeb-3acd7608049d,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bdc7f3b-fcf4-4897-ab9e-7b9e86242aea,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cffdf3a-7e26-4c6e-a932-e1f818424249,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45b3d51b-6785-4adc-9e3b-aa47d3c675b7,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,474b4608-9c7f-4e41-98a0-36a1722edce5,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d5f8a0b-2012-4123-ba26-e2f3829c6514,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e883e683-7475-44af-88b1-3524b48ba970,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3af04ba-4982-4ba3-a999-2aafe0d138eb,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73f414a1-e6e6-4bca-b15b-4d2cc690d3f6,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4b1b5a4-4251-440a-8536-fffe38c0ea70,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48a3034a-43e5-43e5-8616-5ff06da00470,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f93b9063-3d23-4f31-bae4-6fd8b5088774,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2c6a77f-c5c1-4308-9793-33884270d4d2,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e962c999-82e8-42ca-8977-29f837568f54,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,71406a45-43fe-4a3e-9a46-dd5339dbdfd9,"4/16/2021, 8:51:44.857 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a2f396c-2be7-478c-8ccb-582439e6e4bc,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c29544a0-f4d9-4ce1-8280-5bd031342938,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24257684-39df-42c4-a4ba-c39117514ecf,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ac3464-81df-4db9-a9fc-52e78ea09370,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8eee5ec-c10b-4602-9682-5e2cdce034e6,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac021cbb-ad35-47d1-80ec-7a343b1d0d6b,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe504f8-358a-4938-8e38-63a9aa66f465,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41debe2e-f77f-49c6-91c1-d0d2f673f02c,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,190d715d-98ac-40c4-8eed-96b3d6c818a7,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2725048c-314d-4b05-b01c-fa410d179ab2,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b07efb3c-a9ca-4425-aa38-9fc5c02f89f9,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ce4b9a4-829e-48e7-9c02-2964ee863867,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d96dd3-da0e-4632-8fb1-76863788a681,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ab27a8-14e1-4cec-b96b-80deeea223ed,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f342516-ef2a-4da1-be46-6a1b5b4b6967,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e91e9a4-8be5-4878-9fc0-47ada19148e9,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ff53782-2ec2-4315-aec7-28498390e235,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42c546ff-cc6f-496e-912e-40f135de847e,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a896f35-389f-4d22-a427-c218e663e0b5,"4/16/2021, 8:43:20.110 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fbe8733-2bf2-4888-8cd9-fb4a2cb4ef60,"4/16/2021, 8:43:20.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,110aea2c-0d1c-4877-a0ac-a0ff4b403d55,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7784 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,86128bd3-2bb4-4bee-9f14-27fd8ed32016,"4/16/2021, 8:43:20.110 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ce99fa-570f-4cf2-887f-b91fc0c8fc8a,"4/16/2021, 8:43:20.110 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f29e6a29-bee8-46ef-ac05-447f88ac5918,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a57f2de4-2ba4-4be4-b666-73bb1eb09289,"4/16/2021, 8:43:32.973 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9bf65537-a683-498a-b596-3502df7cbbc2,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b6736f67-4feb-4b31-96fb-044c11d8188b,"4/16/2021, 8:43:32.973 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9de8db5d-dc70-461f-a6fe-f970fad9c9b8,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10372 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a8cd24fd-bcfb-4548-a408-9886e0b8262d,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9412 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b1c24baa-d6e2-42f9-9b0d-8beff7935aaa,"4/16/2021, 8:43:32.973 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4acc0c6f-91ac-46f6-9f7c-7b273e9b604b,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7068 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ed61a7bc-2ecb-4614-b994-33c5496cd25c,"4/16/2021, 8:43:32.973 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1fce392a-7b69-4910-b57b-e9ab70d78367,"4/16/2021, 8:43:32.973 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e28503c1-607b-4764-9c40-2984c5f15030,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,533ed9b7-5664-4339-a060-2e91245173ce,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed2281b8-a450-44a0-a852-35cca7dba717,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5980ae4c-775b-4bc1-bfe0-7d792d7ba218,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4ddc647-e876-4175-812a-ed650d5110b1,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e8dc10d-3786-4589-b97b-2812c61017d0,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027787ef-75f9-41e1-bf21-a5147afcda13,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60363280-2fdb-411e-9d85-09e7f0ffed30,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efa553ea-64b8-43c3-b349-f6a2b4da8f62,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b47374c-ac23-43d6-9252-d5fc8603b053,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1821f205-01c7-46dc-a689-39defd9db17b,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8566b171-7e31-470d-8f7f-4bdb0132b391,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e9f8642-2804-4d7d-8f98-d82155b37717,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85cbc98a-26c5-4fc2-a9b6-be6cd6355ff4,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,072c1044-d4b2-46ac-96fe-e6b0851717a1,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e715e4d-2b0b-43b9-9639-3cb5b1107f1a,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,529e727f-9ded-49a9-b3b9-185662f5534b,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7b40127-c65a-48ed-b0ee-6ffdde126cad,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ab13602-8315-48ae-926c-312a57c884df,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3020d8fd-aac5-46ef-9352-6bf62ae1c1dd,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de807406-7822-4705-9e02-56b87e31f979,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,869cfec8-01d2-404a-9277-ba7fc54a3e12,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\KJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f07e2d6-e224-41f3-9d3d-975b6377679a,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3185332-694f-4869-88a2-05c248a68dc0,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d349cd1-5b84-466d-bcba-e558f0c4ee50,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75f750d4-0354-41a2-a077-cbfc97d6cd85,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8771094-62db-45ea-9f11-38b2d2ba434a,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370eb69d-d7b1-4ad2-a4c2-1e0c54a73ec8,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312fa1a5-e255-4125-9dfa-8354a0f1d876,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a0aaa32-d51d-4480-a267-d535071ed86f,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22410178-8f53-4f5c-9e0d-b5516b3d9af8,"4/16/2021, 
8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ad7509-f9e2-464a-924b-0c1e771ce6f7,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,492ee693-212c-4fe1-8b7c-b51f86cf5f70,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceb1c1bd-e920-41da-8e9d-3272fa8a4b52,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2554f4c6-915c-42df-a14e-65b1c4ce9ded,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf736cb-9fa5-4fb7-ae2b-f5e810d7dd44,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f48b7616-57fa-4487-a9f7-14db0cd462db,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ec6ddc6-2172-4420-8ecd-38d74bb416b4,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,673c2168-c9b0-436a-92b9-3a7bca11ce7a,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7e9305c-fbe3-4d18-bc6f-ae1d4e7ec382,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ceca7ee-1557-4f56-9757-825ac3bc260d,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40a3a29b-8a3c-4a8b-b985-e4459bebeda2,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cba0a02-f4ba-454a-aafc-d19852d94322,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2399b31d-1b20-4ea7-836d-cc58ccc8aea4,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc40f47b-5d91-4764-8ae7-6b02eb3fd0de,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bed67d4-6c0c-4759-b06a-47a7f1dc8f5e,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d39cf131-4508-40ef-847b-2c8b72f79d8c,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aab491ad-dfc5-4dd0-ad50-6a3c5a2c63f1,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b05cd42c-81d4-4d07-9cc2-3e00fc7c19bf,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b48caf36-8ae5-4182-bfd8-d702baa64938,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9db7605e-d9f5-4e30-90f1-f4c301a7dd08,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c18f7f50-3248-4d53-908c-5738aed3766c,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f39ccfe-fa26-4b74-b55b-99113b9eeca1,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ac63d30-2651-41a0-9fdb-cd7beeb901e2,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,656dd64e-9798-418b-b5ef-50625feaaf61,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e99c616-c6a0-4fcc-bca0-edbd0935bf85,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61eb13f4-182f-4175-9645-44732f5dc23c,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec530aa2-bf6c-4e28-9048-3fd7638a004b,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,104451cd-ff2b-42f3-9986-c965eac0b615,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69fc74bb-d062-4167-8e00-ccf2359ed9f8,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,121ffbd4-372e-4ef5-8bda-22e43256d20a,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be1ef088-ba06-4646-ab2c-8430a1492968,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d2d26ec-c754-4a77-9d8e-9b2c58a4358f,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,768e93d6-1afa-4826-9175-092ea6ed0502,"4/16/2021, 
8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b380e94b-d28c-4516-bfaf-2c703582002d,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c0bb5c-eaf2-455a-8d77-66f03cd1e155,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,445fd3fa-5ed9-4e57-998c-ff8bd70b9bc2,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,660316eb-2d6f-4ba7-bd47-da33d836ac15,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d04169-06b7-41da-8bbb-94f434108cd0,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,942f60a3-f5e6-4f58-aade-8393031a0b25,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8eff5af8-f021-425a-84c0-e209f1672242,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,869dcd89-8271-4e06-80e5-8dc88200a20d,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35985eb5-ff7a-4498-be53-3ae25edc20a0,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d09c818-9e92-4482-9b37-962bbf00b91d,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,052eb06c-08ec-48e1-9157-216e78e3e907,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef237d57-b46b-475f-bb0d-400b3bc23e96,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba1a2e7-8f20-4ae8-a5fd-2f368881a2bb,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c96ba27b-f625-4e0f-8c4d-7d8b67fd0f31,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f8feaa-ae49-48ac-a3d0-4acaf4ed9e0a,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d136193b-7158-4f1e-8cfe-aad23272d241,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78af005d-6a56-4acb-a61c-f87b77ef7c97,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f720e69-a4a9-4b7f-b0db-24eed7cbe9ec,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80e8aef-973e-4dfa-a380-b977d4d91a45,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0e81eee-2c31-44b3-bfd0-bac44180ba2f,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2430535b-f1ff-49e4-b8fb-fa0b4092a1a2,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1717983f-ddf5-4e7a-b66e-4dc543c91242,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b80c908-4148-487b-b557-bb8256471036,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3020832-1af3-4a7a-9de2-de6947f433fc,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5ea34cb-d373-4003-8851-20145e997883,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99053e7b-224c-4cc0-aaea-60bb2043d9d0,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b83840-ac84-40ca-8a61-c811d0293b47,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75d2e454-0f42-4110-b039-c2a60c8f92f5,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\SCANS3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216e03cd-ebc1-43c1-82f7-a5638baab4b2,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c0d256b-a89c-403a-817d-1122fb498304,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4ece7b3-4164-474a-9cc0-65a526d75dca,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbd19e1-1c3f-4db5-873f-e2dc3e4b726c,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26310224-bba8-4c96-ab5f-c2b177f4dc2d,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42e160b7-c92e-424d-a719-291a2ced7471,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdc62095-1da6-441b-bcf0-6c1022f0e9a6,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be2062c1-ca51-4def-946b-0c3b3b6a2836,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bc0cc81-dd99-49a7-a77d-8e0e8a001635,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22b75703-9c92-401d-a8ba-b3521c03d8b8,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11e450a1-faa3-4fbd-b1da-2bd93b3b3c06,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26ebb291-f6bd-4d24-b113-09929f121c25,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f87cbe4-b5fa-4351-8179-a997b7b41d46,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba5606b-8644-4fae-a364-cb1099b83b12,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0b891a5-4892-4051-a42e-c8e524b9b3da,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a823520c-4172-494e-8c3b-a4cc9572c165,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5297b195-6c98-48fe-b93b-10d4752a3ac6,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3eab533-4d7c-4626-934b-18856af27789,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,970cb64b-2172-4905-8181-d9159a9886b4,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,817fbe66-a302-4f7e-a869-ed7536e97427,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5beb91d8-f333-467c-8a03-0a2533d0af6a,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f07eba22-0bc0-4b33-98d1-0e28ca0833ce,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93d75d9a-b3e8-4753-88d5-e931805beb93,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff811107-a533-4e16-ba4c-691c4d2b3ba5,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\MULETTO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d86c269d-8c42-4da2-a04c-37927a23687e,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ce7bfd-2880-4f6d-a02a-e2840dfcd393,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9589952c-2dfa-41ce-bf72-59f2abe9bef6,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\DATA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcbd8eaf-9b2d-49c3-81a7-4fa32d4ef7e6,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3de97a19-001d-4700-b42b-69ecbaee2200,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b00b570-4eeb-44cc-b6c2-9edc8fb9c297,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fe31743-1e8b-46b2-9ada-c055470e8b49,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,404409dc-c4a7-4eb9-9bb7-eae4c7c6130d,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd4c9fee-41ea-4a34-97f1-e78af4a1b4a5,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9565dd7-4dd2-48a8-8abf-719d9dd1cb5b,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5621a918-764e-4a6d-ab6e-090f0bcb79a2,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\EYY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dee44ac3-79fa-44e7-8764-ed062bdc5828,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba88a2a8-9937-447f-ad49-742011473475,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7740b2b2-2891-4bbd-94ae-23b5515c2adc,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,857537bc-85b1-4da7-9c7b-383c4b72bbc8,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0261625-bfd9-4667-bf5a-2e9a6531c057,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f9b0461-dea3-4f6c-a9a0-43cab4928caf,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf4aa3eb-5fed-459d-a54a-c6776585f913,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6355241b-9998-472e-8d8d-9b49c770972d,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c44ca7e5-2d6d-431d-837c-445ca9f75a7e,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ad97758-34cd-4636-ae51-e67b64f353c4,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73ef332a-b9c8-4771-90bf-dab318afdc3b,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdd31bf9-5aa5-48e2-9d00-401a289406e7,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da624d2d-82fc-4be3-993d-dd4aaff857be,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ecf4ed8-8ce5-436a-ac45-7063704a9097,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bdb8caa-a090-407e-99a9-bbc1596aa1a2,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9857acc6-1cdb-4b36-87bb-1496a8249474,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af7132aa-9e0e-431d-b843-d28da3b59c47,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eec41e7-864d-4139-a900-368db151a995,"4/16/2021, 8:43:49.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fb35dc2-eef9-4d50-80c6-4d8d419542be,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 8260 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f48e39f-bd8e-4f33-9223-05781fc5e29c,"4/16/2021, 8:43:49.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f02c8f99-9549-4b5d-a33d-5554155a80d8,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92df5a88-bc8a-4977-8b74-7fc2a2876355,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d25103eb-7c54-497a-9f53-172e52be1e01,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2f3424a-c6cf-4fe6-8040-cbd38bffdea3,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1be6e12c-42ce-4ac9-a073-f08518d124b7,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a049373b-e0b1-41fe-9b58-abe07bad591b,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a81fabe7-ef2e-4fa3-8326-6eaa1efeb355,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539f4785-850d-4bf1-8c84-ce28c7233f68,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a90ef961-4067-4130-957c-25e2e3364d40,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,438b2a76-d82e-435b-9ecb-c3a334ebd5ab,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd114cfc-18ff-424e-b358-2e35ba48e964,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff451f74-8756-42e8-813b-63438259aeed,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b3f5039-904c-407a-a146-2b4484b4a4e5,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4431b13a-b509-419e-8201-534d0b93c01c,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5affc4d8-88db-4da2-b027-b7b4d6cd23e8,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,041f49ac-c1df-476f-bdb4-36e8d6452f4b,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b79098a5-891e-4fc0-b7a4-eb2d6e2ac7f0,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d8d917-23a7-49c9-a143-66a32e40737b,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8356 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b10df299-698e-41d1-b326-a39e02b30882,"4/16/2021, 8:43:49.321 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1f82302c-1f2a-4fab-9ecb-86e76dbee482,"4/16/2021, 8:43:49.321 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5704 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,565be31b-82dd-4e3e-ba79-73c9dc641c48,"4/16/2021, 8:43:49.321 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7828 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4686d62f-dc85-4f6a-ad28-abac0a5aa006,"4/16/2021, 8:43:49.321 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84c304ac-358a-4d8a-b0db-5faaac59a6fa,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d919c3ac-fa2b-4eaf-99eb-9dd3657ee375,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4362bd1d-f9b9-4f61-a0d2-bdfea71491e3,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP 
+ 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d84f0bc6-c5b5-4306-946e-40d7cbb9c86d,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-503 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,559f434a-176d-4dd2-ab6e-ab93ae4e8232,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-501 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f65a999-dad5-4319-8985-4b1a9f053320,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-504 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c21bcbb-f82e-439a-8bf2-2c2e8698570c,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4798,4798 - A user's local group membership was 
enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1853aa25-c11f-4568-ab56-0a1224eb5ebd,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9fe1dd25-524c-480f-8334-b2405a0eace4,"4/16/2021, 8:43:51.863 AM",,,,,,0x0, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c73ad341-4d6b-4ad4-95e3-1cff9330e157,"4/16/2021, 8:43:51.863 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2988 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\Windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e7c710d8-1d2c-4e4e-ac46-936fb3ff8f7d,"4/16/2021, 8:43:51.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8f0279d2-5a4a-4990-8b5d-66df3631f0c3,"4/16/2021, 8:43:51.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,46a4da64-3caf-4ce4-8775-22768bdf844d,"4/16/2021, 8:43:51.863 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cf4da72f-55b4-4768-9f53-72fc389716ad,"4/16/2021, 8:43:51.863 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6e717a18-2cfa-44b9-a389-06d99b837b87,"4/16/2021, 8:43:51.863 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f3c6b2ef-f68f-48fe-b4f8-5592b92a97fe,"4/16/2021, 8:43:51.863 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216d056e-2980-4da1-8474-68158d169b02,"4/16/2021, 
8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5991ad8d-8644-416d-9b2b-61dd83fdc34a,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8df09221-b5ac-4a6b-9201-3267869d836e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,811fd72d-ddf3-4449-9f7c-639c44e44fe2,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,addf483e-5cdd-439d-a68d-23b685c30f31,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b836d370-1008-4957-8e39-204084cb7242,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc2c0db-487f-4ef8-87f2-97ac75e15d5b,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03959060-fa4f-4fa5-8a1b-21aff7c507c8,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28a611b4-75ab-49a1-9645-0a5bcce062e0,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8941c829-ea25-43b6-aaca-8d8b5c36f908,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,730efac7-b434-48f7-b2fc-f21c2cf83a57,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ca2d0b7-d086-4b39-9bfb-4107b30b50da,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db5dfa96-df5c-4f79-a448-3950bfd0085e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee476dbf-7861-478a-95ef-227205a6ebff,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4f64d8b-43ee-4610-89ef-d8dd79ae5f7e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ed8b4e-c75a-4e02-9ff1-0f94f568a220,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd58a618-5ec9-4c8b-9036-1a1b25516a47,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edf8ed26-5d34-459b-ab7c-88accc4fa62d,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4e8c0d3-dbb2-4522-94a5-e96b14c8aed8,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2fceaa7-2061-43bf-b5c8-542b6812c192,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b2bfec-8378-4e47-b3e9-761591d94dcf,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48779e43-6e09-4955-a14d-ea3e6d676668,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3278d9db-2b43-4e52-8254-27735bcf7d8b,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1003a96a-4cf6-44bd-bbdb-9017603ed13e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a42790f3-0ac8-475a-a7b1-fe3097afeae8,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,824ac432-5f0e-40ca-973b-6ec9f21f8b39,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,288f212a-aac9-4631-a745-259cd1e10823,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9f498d-d4b0-4d2f-9c78-6b365d9e5a9c,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a08a99ab-a2b2-4768-b89b-fbb094e8167c,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce982485-4767-4fc9-afae-4774e30bc530,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,540af7b0-5e8a-465e-a948-1fdfbaf95c2a,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,05a9111b-9edd-49a5-8651-da269afcfd47,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 
7084 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4fa7d2c7-7763-464b-afdb-98151681a77c,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c1d4f282-670c-463d-a589-40eb205caaff,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7116 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a7989b64-5a9e-4833-9a12-5a8e4ce04f51,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2896 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42c97bd6-2665-47b9-937a-b54abb02fcad,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,783414c9-5659-41db-bfb2-1859215f212a,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39052360-6b2b-49db-b6f0-57c1c42d47f4,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a8e64bbd-9a2e-4caa-b0bc-396168f29a92,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4620 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5cb383ca-c903-4458-855d-c5822b5697bb,"4/16/2021, 8:51:46.761 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,450f2795-d12a-403e-89b0-129f1b074b76,"4/16/2021, 8:51:46.761 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ea816216-ceeb-4c3f-a4af-eef5ba031d70,"4/16/2021, 8:51:46.761 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0771d4f6-25a0-4065-8ffd-e2623c20cf47,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cce72214-58d2-4c7a-9253-3523ca89027a,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d07c1ad-e6cf-4dfc-920d-661d13e3fdb2,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,335e367f-8152-4b49-8c98-0224ca5f1fef,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c0cf9c6-2bd6-40d4-8240-5d0deb407642,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e5d2115-eac6-45a8-bfbc-7dca37893bcf,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,391ef2bb-9190-448c-9637-4e297f382833,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3fe039d-4259-44ea-988c-77ef5948a035,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1905c32-a709-4190-9016-4d8c4a23e8bb,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\TPV1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a3af64a-c7fa-4f9e-98cf-f5ab1c4124ef,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6169bf2-e363-4bd3-b4c0-2803849573a6,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ae6ef0b-9e13-4392-b776-2b2b0c8c60d0,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d600c536-e431-4d3d-9636-042b90a5ad07,"4/16/2021, 8:57:20.653 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,725638c4-5697-4b23-a061-a72a4928f6f3,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49721529-a377-4a0f-b65a-5d623f1a4a96,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb5c063f-85a5-4558-b987-d0f6952f861b,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b52f3d93-15ac-4c1c-802a-bbdd42ae8d8f,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4282a29c-0f94-4a20-b51a-506f77cda137,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a540aae8-7f17-4b63-a370-7b8438febf30,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfd2988a-0e8e-40e3-9a57-66a7a678fb06,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,680f06ce-5239-4af4-97e9-4adcc5eb0da4,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e1927a8-5821-4a83-8389-1fbe0910ad7d,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab7709af-0463-4b39-9701-c86965dcbee7,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d3720de-dc3e-4b9c-b486-ec33a97d0f74,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ec9372ce-597c-4106-a080-3d373a19a65a,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,067cf272-afda-4866-a850-bae32efd2616,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ff7bcec-7b9e-4f14-b289-92139d0781a6,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d5faa8e-5c3d-4e37-a6f7-bac15ae7886a,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,425127b1-6004-460b-a4ac-fb29c9031309,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f83c587c-1ccc-4b43-a0be-509bb10fb17e,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fa8baf16-6a8b-4410-abd2-44725af86b0a,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8271b490-83eb-4620-9c62-55648c17cbd5,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,814305f0-478d-4619-b0dc-ae8a2f4583f5,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a0f43217-868b-4f53-ac72-74ed4c96d2e2,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6e0d4811-affb-43b1-ae49-a6c0225ac19e,"4/16/2021, 8:54:24.054 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c0a5b56e-7a59-4e1e-9aa3-b0d877bc6652,"4/16/2021, 8:43:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d986e69b-58b5-4bb5-a5f5-a8551eec0a01,"4/16/2021, 8:43:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a984ac0a-0fe2-4882-886d-b575ac7e5653,"4/16/2021, 8:43:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3064 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2c38652f-dcf4-4aa2-96c4-0d03017fb99e,"4/16/2021, 8:43:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0ac2656f-a2cb-44ed-8542-7ac3af6ac8ca,"4/16/2021, 8:43:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 
SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1e4f376b-6ea4-4a06-a893-512be80e9e29,"4/16/2021, 8:43:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9984 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a2a08b20-e33b-4df3-9555-d8e12896a9e8,"4/16/2021, 8:43:56.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2180 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f87a221f-257d-4af2-becd-acbaf23433c5,"4/16/2021, 8:43:56.992 AM",,,,,,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f44f052-1f18-4472-9714-c56026dc8a45,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0667b819-374d-4c58-ab4a-977a49becae4,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5a457203-97fe-40b7-bd39-4428ac74a25d,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,51bddcd0-79c9-42d2-bb8e-bdff906ae6d4,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,350bd875-780d-48bd-9c84-49fb37a5b5ae,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2fcf3e4a-aac9-452d-8014-85c4fa69ebda,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f27f5f96-aa71-48fc-b60c-bf3d78b414be,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5514f6db-de80-4bc3-9577-098c6b06d59c,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d96ca81-0774-4287-825c-377084111e69,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,217cabfd-8ed8-4a60-bfcc-235b0f671b05,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d18229f-313a-40f9-925a-079a1d063959,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0714acfb-6015-496f-a6d7-f11a7193404e,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d2064102-d615-4324-a7b0-98834eb93488,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e11b873b-4a8d-4052-81de-d3cf433c82f1,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,31f97c86-36d6-4eca-93bd-1587a6ad6b82,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0fd4597c-5c6e-4efb-9faa-4213b83f0a34,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0820655c-9b27-4e7a-9f47-1cfaebe8244f,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12934b44-1387-4a4b-b9eb-12f3d8f2cc65,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,87e9d2b7-53c3-47e5-a51a-7d214fe7af2e,"4/16/2021, 8:43:59.418 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4c4f31eb-0b20-4de3-a1e5-92961b67ea55,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cfa80f43-44a0-487d-9d13-a9a9861fa7a2,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1ae1b303-54f5-4e59-9de2-3bf9a9d60bf4,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b3d8ab8-ca5c-45b2-95c9-5b56b4546903,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5d00e12b-6b02-4a4d-80c0-4152ca984cc6,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8730a731-04c7-4e81-8c0c-a37c8fadf95c,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,988915c8-ae89-4b05-b6ca-226b52cdd72b,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,332605fe-0aaa-4674-a561-441bc3d6cef8,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a9c2bde-825e-40d1-a26a-855c42bc7f94,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cc313ad-deed-431a-926c-ea8cdcaeccce,"4/16/2021, 8:43:59.418 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7224 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eb941370-2d97-421a-b2f6-6e0b213a2179,"4/16/2021, 8:43:59.418 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cb384fde-d8c5-4125-9dee-d6964a92977b,"4/16/2021, 8:44:08.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cb7a0c8f-f415-402e-a9b1-9e26cc66a801,"4/16/2021, 8:44:08.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78619ce7-4929-46e6-9989-0b748cfc296c,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e0b9aa8d-b4cb-4baa-9c7f-15b585bf02b1,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3005e81e-3a31-410f-9e7b-e641565995b2,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e2a7b494-8562-4746-973f-ec27e22ce08f,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e97e5d1e-e274-4ace-9634-8cae5e8fb78d,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd108b69-c119-4fae-b290-687b21830672,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,beb013d6-ee8f-487c-bf47-8b9335ac5185,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c372869-bfae-41a7-9fbc-30c4ae1828dd,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,074a2b16-bef2-46ee-abd7-e55677117879,"4/16/2021, 8:44:08.048 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8936 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5bc03843-1bbe-4816-b417-60db36a86171,"4/16/2021, 8:44:08.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ab58512-03d4-44c3-953d-9033bf1e0c0a,"4/16/2021, 8:44:08.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f53cab1-d488-4c81-8340-c4c3c01cd85c,"4/16/2021, 8:44:08.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10556 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebd7914f-7dbb-4cdd-a541-ad1028fc370a,"4/16/2021, 8:44:08.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 21 + %SYSTEM32%\WERMGR.EXE + 32 + A755A5ACC9A49F7587EBF7F27E60D1D61F3ACBA2C7556A72D74F329073408C7D + 114 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WERMGR\10.0.18362.1474 + 0x3e7 + 30 + C:\windows\system32\wermgr.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4aef179e-b1ce-4016-b9bb-a3d5854995b1,"4/16/2021, 8:44:08.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,609720aa-09a5-4d01-8357-fdd4155a938f,"4/16/2021, 8:44:08.534 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,746cabaa-4e23-4bd0-916f-d004f0944f48,"4/16/2021, 8:44:08.534 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9c04ebf-2207-4ae9-80ad-f7692a51c290,"4/16/2021, 8:55:03.057 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b8612ab0-6557-44c0-b07d-0d79eba37f44,"4/16/2021, 8:55:03.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,75e6b891-a811-48db-8bb2-0c2d5a4ad3a0,"4/16/2021, 8:55:03.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5d269483-b613-4555-ad18-f0ac4657519c,"4/16/2021, 8:55:03.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,45a4cfae-9773-41fa-92e3-6e7b793dba44,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b242b2cd-a972-4e7b-aeb0-0e8236bb3878,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14edfd26-ce8b-4262-b96d-d0e1639561df,"4/16/2021, 
8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0dfea799-78b4-4359-a4b8-63ebacf2bb5f,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9920dcb-5cf6-480a-8c93-2420f3fb683c,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4eeaad39-e27f-411a-b058-c3b48b0705a4,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2df87c1a-b67f-4b31-a7c6-8ed45907c586,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 
+ 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,83dffb21-707b-4909-ac43-22fe9287ccb7,"4/16/2021, 8:55:03.057 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1400 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,04603982-e4ea-44f1-9fbc-e4240c62119a,"4/16/2021, 8:58:09.938 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4944 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f1f876c-c066-4aee-b7ca-c17b5b444620,"4/16/2021, 8:58:09.938 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB 
+ 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2f5f0644-6870-4584-9588-f280993978b6,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,865f76eb-241b-4617-accd-cff854e35ae8,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,68c35f3c-4521-4650-92ce-78f8e57b3554,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8fee0628-a328-41c9-b615-f2511d161ee3,"4/16/2021, 8:58:09.938 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,56ee519a-a57c-4ea6-a6cf-8c986ab1c46b,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a8499790-54c6-418c-968f-11abcf9ae027,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,351b3fd2-4303-499b-98c7-a8cfb41b4c7f,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d12a0e8-207a-4d4a-a8ec-e3198855cdd3,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,174fd110-ecc2-49f4-a6bd-2c75482411be,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d20b6666-f8c9-4a3d-ab6d-ef3fbf4e82de,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7a75eca5-f3a4-44bd-962f-ce47e478493b,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0eec8eca-94c1-4b30-999c-5c731adb44c2,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local 
Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a44d596a-b0d3-4842-89f0-2ea1c3960135,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3a0a2413-1550-4712-a5b4-1f8f5d9d1ee2,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ea33a65f-b11a-4bfe-a5bb-c8a7e194aa51,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ec901f0d-db26-43d6-8e49-202701593517,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1aa68e84-23fb-4db3-935c-aaa0b8af3135,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,76400ea6-0663-4c08-bfff-7e7d1ca303f1,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c98d2c2b-ae63-45b7-8faa-977b1ebadb84,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,07b2af58-24a5-4a4c-b23e-3ba9e31eaaba,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8bfc9473-877d-4df4-8371-ee6928b7a6f1,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,915b1ee5-afba-434d-8f9d-ac50ea9b16f2,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9c58cafd-2af9-4895-be7a-fd7db9cc9c07,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cb1ad798-518c-4f90-99ab-888c291069ed,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,56de3180-8073-46a7-a235-5514cf82e03b,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1946bc80-f389-4490-a007-f6ff45255f65,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eca0ed25-cf61-4a8f-89b7-bbef86b47172,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7d666e6e-402e-4a64-aa70-84a8ecc5bcdd,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c35c3835-4909-49dd-b32b-cfcb17af9e1d,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df14ca82-039e-46e9-a6cc-90ae14aa4c0f,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acddd2aa-ff41-436c-86ae-79877ed5f364,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e64f799-729f-4aff-bd0f-42c0d1a56e6b,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c701bc8b-7065-4a5a-bccb-a8187bff0671,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cb84519-9271-492f-aa72-ea15737ad645,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8eff92bc-d0fa-4027-9373-b6f0150f3859,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aac82275-9787-4118-8611-615145d28efb,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15f16051-3d2a-4d17-a672-d324ea0261db,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02e23de7-3d71-45e5-a756-cc816414b3af,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e217273c-2c05-4439-82ce-6c39b4e2ff4e,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7314f99b-3aec-4c07-8e43-9f8e0543e77b,"4/16/2021, 8:44:09.604 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30cd9557-66ba-4681-ae43-ef4dc62389e8,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd03f36b-b96d-492b-9117-6f3c9a94a49c,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c89cc35-0250-4aa5-8d0e-de9bc3b47446,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92fc482b-28ed-430b-9867-a3eb886592b4,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b57325ea-4bf5-4864-b773-0e2301de7b38,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af7bb817-e000-4860-b286-c7635acc84d7,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ceb52bd1-c5ea-42fd-b93c-f8c8454b04a4,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e34932ca-05b0-4143-94b0-5b74062c629b,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b61e0c81-dd0b-4952-99a6-02d09a162f12,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dcb0861-4da0-4c74-9ec9-b2ef1b080187,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67ce5b6d-651d-4a36-b193-55244308be0a,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ecba86-8ef4-4f31-b161-92616ecf4486,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adcce357-22f7-44d1-9159-adcec3d074f7,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e4ff92fe-f2bf-40b0-90f3-834fd2aa3512,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4616 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5d1aeda-b95e-4b54-b9a4-232c29590a2e,"4/16/2021, 8:51:57.658 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,425f54d1-7ed2-43be-ac9f-db257ce770ba,"4/16/2021, 8:51:57.658 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fb14e28a-cff0-4ea8-8e5e-50793b6ae1f1,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10732 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1299\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS 
INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 96 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\1299\pmfexe.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3111c9bb-1d6a-462b-aca9-6c2d0b055674,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9440 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,525f136c-d0e5-4c52-b1e9-885040ad6b98,"4/16/2021, 8:51:57.658 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c816ccdd-65c5-4520-951c-4e095eebbff1,"4/16/2021, 8:51:57.658 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,34a0f1ff-e9e3-433d-8512-feba00e6c166,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7032 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 
68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,054487c0-0aaa-47f7-90f2-5cccd22febee,"4/16/2021, 8:44:12.103 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7728 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc6181cd-676a-420f-9e12-60e11f918bb2,"4/16/2021, 8:44:12.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d216e68-03fd-4cbd-8c47-0a8fb5dcdcea,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,572bceb2-d8c9-459f-9b08-3d087d29e435,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b682ac0e-1ec3-421c-b310-151af902d51e,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbcabbe3-c0b1-49a0-8b98-54ac7eff536f,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a60d177e-4a52-4bf7-ba10-f95532da1821,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4229ee43-8438-431a-86f3-f8515ff0f31c,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c2a2b28-8320-4fb6-8c7b-a97b37b3c593,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c50261d-63bd-43ed-8ab2-652c17294693,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b764bf-8bd1-4ded-99ee-663106da2ee3,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af5fbddb-0b36-4436-9c7e-b706780fa1f0,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15244616-bb37-4f8f-8e16-7dab1a37be75,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e6a5238-c491-48c3-9959-729d2da89a29,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0aeda75-b0b7-4623-b6df-defaeacf3f37,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd0d6c8c-b11b-43be-bcdb-88603333b9bc,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9a888b2-ed76-4c8d-8fae-768ef5bb79c1,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f808f0c-707e-4a0e-af74-35e41a206b54,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45250490-ddc4-4987-8217-2fff67a79f34,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626bcb8e-40ad-43c6-891c-a848989f83f5,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b321395a-ad65-4d85-a55e-0cb43d438432,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78cd6999-4b80-4b59-9654-8ada32dda02e,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35829ed0-5b71-4aff-b6cf-9a6300d1dbc4,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f43ae9f-2cf4-483c-a415-25ec9ebdd54c,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b6ca8c-0bd3-4402-ab6a-88d009a6099a,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1652d169-0b51-498e-9a6d-cc88f5a35131,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d2379fd-56e2-450f-9181-2d954dbe9a76,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81cc4095-e0fd-4e40-9883-aab983e9a4cf,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87198ab8-fef4-4785-a622-8aae6658aa0b,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca24c7d7-f2a2-4d80-a918-ced27025176e,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e94a0348-22db-48f4-a610-91b5616d8b06,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3b22004-971e-48c3-a9e2-193075e61e04,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89ee73ef-6c6a-4b98-9a46-78a72d184bdd,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6da4c831-9ae2-43e8-9db6-6077172dc3b0,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b4870bd-71ac-4e45-a7f6-cc966e825694,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bd6c538-9b96-4436-b656-9ea957912542,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5f84332-6d15-4556-aa95-f9f05c63844e,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17faaacc-435d-4825-b1ea-a9fdf72efa6e,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bfac935-8384-4134-adf4-68ff616c4ee2,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8ad862d-d34c-43f9-9090-a5185cf45a81,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\KEVIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89c5f6db-44f6-4ac0-ba4b-dbf7bc83db29,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e13b6721-4484-409d-af1e-06f5231ad0ee,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318319da-dc2b-49f8-bc4d-2fb36db0dacf,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fd1ad94-6966-4da3-846d-a87610d9cfb9,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7032defc-23de-41ba-8946-2e183b5ef15d,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f29d6c8d-f0c7-48be-9224-9e07bad0c666,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6764c21-91c3-44d6-90b3-c01624316eef,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fac9412-532c-4930-a628-69dffd86bd27,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72e47cf1-352e-4ef9-a0c9-3c727c5a34f1,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7870b61-2773-492f-b719-661682df959e,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd064285-d45c-4200-a151-f4a333434e76,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac3c629c-cd7f-41b1-8b81-67d2fb040359,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91ab3283-dd20-44a2-92a2-23adba85917c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0662c3ba-b814-451a-b057-0cd4ec970429,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,982113c0-656b-46b6-b6c9-565d802e62f6,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53ff9d8d-ecc9-4489-b922-6f5bff7718ca,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f51a350-958e-4921-9201-1d4b4a6660d9,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c73f63e-2917-4e6e-aa40-5dbd76a2e2af,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\VBHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e67ded1-c90f-4a2b-a37f-ad3b4646c10c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1cc9f1-227b-47cc-863f-47699dd8c30c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fef0f741-ad14-40d8-a3c4-a944db4adc15,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e970e2bb-9e80-4fc9-8c0d-f5875126e81f,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5304212a-c13c-4144-8e4d-f21e5ed9ed1c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,178f32ac-2ee4-4e41-9519-7255c25a7ad7,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,851a1ee3-dcd2-4966-a0dd-d6e3e4b71206,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01b6b1f5-2ac0-45d8-9a73-c8bd9366074a,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c84df7d-552f-4572-b277-de0e5200e072,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,841b185e-cc3a-41c7-a41e-c64a4f9cc601,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c97f661-a77e-4c43-aa76-36c5fa6cb90c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\AJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5de029ab-6227-4557-89b6-ae1788f7e597,"4/16/2021, 
8:44:20.606 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b3968c6e-57fa-4cb8-a3eb-84dd13bfc8fd,"4/16/2021, 8:44:26.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2612 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4ac1ec74-6cf1-4ee4-9e90-9f6ee0a10300,"4/16/2021, 8:44:26.856 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,0ff370af-7d4d-4396-95e7-dfdcaddb7711,"4/16/2021, 8:44:26.856 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,244fdff8-eec1-4b77-ab4d-07919f18b8b8,"4/16/2021, 8:44:26.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7772 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 
433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,61969c54-45a1-4c6c-a9c7-269e270df387,"4/16/2021, 8:44:26.856 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48c66a25-5e85-477f-8a9b-d31e51fe599d,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3348f62-3478-4bcd-82db-61214c560e89,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a5aa6ca-836c-4fc9-87ef-2d0c3f7a7ee7,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd80b639-2356-4b98-95a6-2f53d6821448,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,151aa36b-57db-41d3-bc64-2a47049de093,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,985f6f7a-0e3e-4efc-b2aa-ebda8dde8ff0,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32111d45-6990-4b9f-abe8-be457dab92b4,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7ede1f3-e8e6-4ec8-9c7a-787640fd335b,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ec65431-318a-49bd-8be9-f73316361d70,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa5afe12-e48a-4e63-a5e8-08a7326f0bce,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4892868d-b1aa-4725-b2ce-facfee06b1a1,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,037c1e58-c381-4a3b-adc6-48e792e26bb4,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47ae8279-7573-48e5-a6bb-cf8d29e12db6,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f61c0b29-1f81-43ad-922a-cb0a01d5a5f1,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a91bc5f-cab4-4c01-a835-a8421b8db5fb,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72b9d40f-ee62-42fc-9d50-affedc2ab229,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7be25b5-ec50-495d-96a0-5ecf96521b01,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f033a108-b9ef-4eb6-9134-0d5239bd00ed,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fdd9f96-636f-478f-992d-2c37c4d2abdb,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34ca4fd9-0253-417e-83c0-70d0bcfde62f,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,176181c8-c1d7-42b5-86ae-83df9fa3f9bc,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b67adc32-f895-43de-a0c5-68a3c1aaae5f,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e35f996-b534-4bd9-a601-19fb33576aff,"4/16/2021, 
9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91d16db0-da78-45c8-b53e-61d5142d51ea,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e01af0ff-63cf-4860-9392-5bb0135ee9ee,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c706b341-ec32-4955-8e8c-be3a4deef772,"4/16/2021, 8:55:09.858 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a880d369-8dd4-40d4-82bc-8c17a97762e5,"4/16/2021, 8:55:09.858 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5488 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,67424163-2491-4a80-a314-2ed9bf7b72f8,"4/16/2021, 8:55:09.858 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 548 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d90a73b0-fd90-4ffe-8cd1-b96a8e32956c,"4/16/2021, 8:55:09.858 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,833fedef-7161-4f58-9c36-b324164256fc,"4/16/2021, 8:55:09.858 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80638046-dec5-43bd-8f80-b6cc3e75b2f0,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eced67b-1853-4aba-97c6-e4c49815a21d,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec079d7-82fe-4f07-a35e-b70dbd4955f5,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82b244e-d343-4909-92e9-4bddabf341af,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c9de9d8-4726-4dbb-9d4e-36b4427c54b5,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, 
+\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80d68ce-3e02-4f1a-ab34-e1f5ff5746b3,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a759dd22-34ba-4af1-820b-74418b91b716,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec0c5cf7-6ed9-4439-8f70-369aa92cb794,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47aadc12-e596-4ad1-a02f-3e7e02065900,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80171d85-efaa-4002-b0b5-406f70deeacd,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df4bdf95-fe4b-49b1-a21a-a604acd9d3fb,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f678db0-d9b2-4c9b-877d-fd09dde8bc9d,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c9d282-d9ec-449b-a028-42b03754f513,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b47e8f32-1f5d-4cc8-975c-01f9a8e1e55b,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,695e2bd4-cf99-416d-8280-fa28eeed8caf,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45711359-6367-4ece-8020-1a907843a928,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b2ffc0-ac9d-4751-ab52-c5eb744ae837,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d68da32-c913-4174-8d2a-a40eb224601e,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,462c6b1a-53c3-4d6b-85fe-863fc668a9b9,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,481ee658-5d90-4162-bc4c-de3bafba78dd,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,110ade64-3d06-4ed8-8d45-e2c0a2d55923,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + 
SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,e0016d2a-d852-4368-aa39-bffeefb7944e,"4/16/2021, 8:44:32.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82b30e6-60f6-488c-b1e9-68b992fde343,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a06dc75-afd7-4a47-9df9-622f02b7cf24,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23f0dd76-217e-4e79-8cbf-5499362905fe,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d07e8b-5104-475b-824d-b12abdc34607,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + TrustedVMDemo$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> 
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-18T16:11:58Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 844424930140027 + 2988 + 740 + 0 + TrustedVMDemo +",4702,4702 - A scheduled task was updated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,db861031-1d7b-4c95-81de-08b1b1286406,"4/16/2021, 8:44:29.848 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efbe7372-0357-42c9-b9ed-7e0ec7ca6320,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d64aa65-80b5-47e7-8f46-4a8e0c40a18d,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b3df6ff-5919-42d0-8118-ddaecee9c9ad,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eed77931-cc97-47ec-afd9-ae4e366e26c3,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fad2b039-d18f-434d-871b-d6bb5c8b164f,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2bf40d6-ec8f-4a27-8de2-52072c90b6f4,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e14e507-c7ec-42ba-a1ad-452e4dd22bd3,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7a9794b-13ee-4e80-8b07-aa528af1e3e5,"4/16/2021, 8:52:02.788 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9027b5ce-13cc-4b13-a81c-8580ffa0cb52,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7782fe9-141d-47d3-a1ee-aadfb6e31a88,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,881898a0-8b30-4825-b50c-1f8708c7b7a3,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b108739-7f3a-4a58-913d-37667ead2a0f,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77c9a909-7c4a-42ec-b8df-1b8673f365dd,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0aa60687-58c0-4ccd-a816-8c7d38c8cdae,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,002d44fb-b853-4804-976d-0a0b45ad03b7,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e3f40e1-f723-435e-a65f-132714184c33,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70db8479-486e-48cb-9510-fc10cbfec4e0,"4/16/2021, 
8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81b47800-6925-4f78-b8a1-cc2faeb23dda,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38e129bd-f860-45bf-8232-b7f48f5b6b9a,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29875784-c505-4a13-bcd7-2c5ea53838b7,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2965674-0c7c-4b70-b742-d8d381b74b1b,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64d743f5-4fff-45fb-9a92-265c8e71983c,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a291e4d9-bdab-4d49-aa78-b5af57d9bf73,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b457fae-173a-4f75-968a-8c0751626a97,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ce571cf-dbc3-48f7-bcf1-5ef61a815f08,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c4028d0-8a7e-4392-8078-7991e52f8abb,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\FJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e428ed0-6514-437a-9ba5-7e9d315cd1ea,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83001843-65de-46d5-8a60-692f7cb94780,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1489c49-402e-4d0c-8372-472766fa0407,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba8d96b4-46c5-4b9a-a7c6-b580cc8d641e,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78dcbc7-f118-4a29-93ed-11c0f03e693d,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e858fd14-e394-4ba0-b3e6-9ed4a5a23d46,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a09f93e1-9043-4c8f-919a-06e19901c00e,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13c9af4f-ca83-48ad-80bb-8ef1015d7180,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa468564-c2fb-4211-924b-ff0b96f52f8a,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f15bdd35-69ea-452d-b775-fa5f5b776f3f,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e204a3b-d2c1-4ac9-8a89-1aec09c1eaa6,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,453b6788-df38-4974-98e3-0e0b3375d168,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,326b35bf-895d-40ed-92cf-59ce4135f798,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ddffe75-05ae-47a6-a28d-185defff4aea,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7590c262-8bbb-4537-ba2b-1cbeef4c3e7b,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,427332b3-78d3-43da-9daf-2808cf1de257,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e8febca-a85b-44e0-a99b-2eb04fbc9c0c,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff96a5fb-e8fe-4978-801e-6a38b0cdbbef,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25bb2ed0-723e-406b-a42b-e999379f2192,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf937ad2-cc26-45c4-abaa-0a9ed2e2dd89,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c57e8fad-43f0-4c5f-9004-52d154d4830b,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f050e90c-d29d-4aa1-ac48-3bc8aeb321ac,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5872 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 
128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ffdf29b-beff-4fe1-8530-fa96a9cfe681,"4/16/2021, 8:44:37.434 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e5614f0-4c43-4c9f-9fa4-b86d2d43134f,"4/16/2021, 8:44:37.434 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,772d1b53-07dd-42fa-85b1-bd88075fe692,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2deb1dae-77e6-4961-8a8e-d6ed921df3da,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7740 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68d77640-728e-4597-bfb4-657531b88051,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6428 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a6b485f-b560-4d46-bef1-b071615eb1e7,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6492 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,906654ad-85ec-401a-844a-fa3dbf8c54d6,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aa5dbe7b-b016-47da-ab9b-6028aab77ee5,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb0f9273-41cc-4449-8a89-28b1599a2460,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a694fdcc-1120-4478-b79d-c88332e21754,"4/16/2021, 8:44:37.434 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,13e1012c-1463-4fc8-b18f-75fb360de00a,"4/16/2021, 8:44:37.434 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5814a03e-5d72-4b0b-95d1-841ad13ffb16,"4/16/2021, 8:44:37.434 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1982be2f-8ac2-40da-9b7a-5a9dae277e6f,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2272 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\Windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7cebf3f-0458-43e5-bec0-8827b86bced2,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,30dd2d10-1c67-4c9e-82d4-c2c49d1646a9,"4/16/2021, 8:44:37.434 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6288de4a-93e9-4791-ae8d-fd4d77c87c96,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8aa9f6f2-9c61-41a8-a41b-0645d30861d3,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a033983e-3b83-4150-af0b-bc178ab762fd,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8036 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,146a4f34-7cbc-4c94-a0ff-97fcc0271ca6,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2592 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4dea5b20-9ae6-4a00-a77e-f1ff33086e34,"4/16/2021, 8:44:37.434 AM",,,,,,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f0eb5814-fbb9-46dc-844f-762d41c7b0d3,"4/16/2021, 8:44:37.434 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3903bd73-ecdd-4f38-a210-742b739271ba,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,661296e5-b058-49d7-b992-185b581c8faf,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ebfbac0-1628-4a4b-a3c4-08bf6127922c,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b6aa37-e54b-40df-b285-50f7e7528311,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43c91a3-554e-4e15-8234-42a710599444,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d49d4d84-0092-4660-82cf-8583afeca871,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe98d38f-b9ab-4288-b26a-f06edbf41250,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08546e7a-3133-4da6-a694-a0c389865f5f,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da6ee05d-4e34-4f7e-80e4-694eec284eaa,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe29848b-2c6a-447c-8a6b-0e5cd8fbaced,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfac0cf8-89f2-43a1-9e16-1bd401344cf1,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5386478-7024-406e-852b-6e99affed631,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f2c390-8280-4b19-825d-0c8fc498d442,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb59ffbe-bc4c-47c3-b368-03189325a02b,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1457e204-c9c7-4cbb-a4f2-b455470f8c29,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3640877-f67a-44fb-8ab3-55c9d5a9b8fb,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50bdec2b-c075-4747-82a3-8eaa5e2ab7e5,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c615d3c-2949-4590-9c28-ef81443360b1,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,068f331e-e3d7-4db9-a518-c3bcaa7d4ed5,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d8169ff-42a3-4cc9-b966-5b710ebd428d,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b51b33-5eb6-42c1-8908-49a7df50ebd6,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a09eb62-fa01-4dd0-abe3-b57573762272,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91a344e5-47f6-4c0f-a2ea-d0cc80edd4db,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b61e8a91-2825-415b-831c-96260d829e66,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15611f6c-8c1d-45f2-931f-b468a5c6ef7a,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5da0da-5b90-4559-9cf9-327909e0b778,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42787010-ce02-41e9-9834-0e3b202df156,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,050c1576-5f89-4f84-bbd9-94a9e452bc27,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed8128bb-769a-4688-8199-a2e9d19bb929,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cac80c6-9cb9-40b8-a820-c6811754b969,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,745c6739-783f-433c-9dda-41b19ed6d550,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4f4b3e8-b515-4996-a2ea-c843480632f0,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aae1747a-066f-4071-b0cb-c9bf5085bd9f,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddec8166-9561-4978-965a-e833ba489259,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53907eb6-0d6c-41d0-82ec-45cfbdd1eff0,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,435f9a3b-9a3b-4df3-875b-e6969aaeabfc,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac1515a-0c70-4704-a047-1b92d3853421,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de0d192-9d2f-4d64-b944-ee143a0e3523,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a615a1fe-f107-428f-82d5-383d53496460,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dabe6692-ebc1-4edc-b1bc-82973808a65e,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78506a3d-7efa-4541-b1d0-1b4058391fd8,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eac1aca-1d84-40e9-aa71-192d136e7432,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cd780eb-0981-4602-93d8-7372bf359fe3,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1025adb-bcb6-4539-bf4a-a2127b5f1902,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f07a7a33-30e7-4feb-882d-223af27ca75f,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4745b196-b323-471e-86f4-16ff39f83376,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c1979024-aaf2-4975-a3d5-cac3d7cd497f,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6cd650b3-d819-4c9c-8089-e7347e5746bd,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,92e6d821-677e-4a23-8cb0-d287e6667aa1,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5693323a-aa04-4d58-a1a9-0ff9df8dee87,"4/16/2021, 8:44:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5b065f24-e781-4d39-ac02-10d0a5373634,"4/16/2021, 8:44:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5a24959b-4114-4938-9e3c-81eb27acf954,"4/16/2021, 8:44:43.048 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2901c26-f98b-4bf0-b3fe-c6a4de520054,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1efd5110-fdf4-45ce-9d78-b3d133b1b5c0,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8341f9a-5eed-4a6c-8195-124d28affa8e,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\AALZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc2484e4-54a8-4f61-886c-06e74136211a,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,625333df-4d91-41cd-a2cd-1a7e3a5aee4f,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fda18cfc-55c1-4898-8910-04eae32d47d1,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da21a598-7ddf-4bcd-8a2f-940e41f1bceb,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\JOUNITO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f577311-7748-40ee-8c18-f541d31519af,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b782f411-8451-4807-b299-09e07b5add24,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94c96e39-d589-432e-8dde-0e38166566a0,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6de8dd1a-3756-43ab-ada3-e89d0b1621b1,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,931124e5-6937-4c39-9455-d1e3df641232,"4/16/2021, 8:44:43.607 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9d351bd-83dc-4c78-b24d-f4ca420ef12a,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2575341-e1f3-4f83-89e2-e1394db53845,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,218985cf-af63-4214-b018-41381ae6906b,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a5909b4-5989-4ef7-82d3-ed82f62c664c,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a555870-f39b-46f4-a1aa-d3cd9fca1ef9,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,358713eb-98da-4743-a254-a25d4ee11130,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d5ad6f-6d75-443c-9dc7-96da81e7da57,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62f83757-c35e-4469-b224-9caea8170655,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,700f5b42-8fa3-4f41-87cc-5e50179a0240,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d629747e-a20e-45c2-9bcc-b47273b577b5,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e90850a3-77bb-442f-9805-a2895b0b9893,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4f0d73c-7b97-4557-bce8-410985ab9ba8,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ab995f6-382b-4a21-9edd-c6d95395e00a,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8461a903-a753-4c80-a56f-2565b90ef566,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bb31630-1d44-4341-acfc-8344b26e63c3,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2310eacb-9e41-4f93-910d-6efde272fb2d,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cf1e75-e400-419a-aafd-08c1c24189d0,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,791f9141-836d-4a29-a6b2-9fdf31b8033a,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9918ec9a-d574-4911-8820-df82dac78d8b,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2c942a3-49da-4e3b-93ad-66c49a45d3c4,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67c9940c-bcf7-4aee-afbc-c1afe3c4fdf3,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ac560b8-62c6-4aa4-8833-ae0054ef074f,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8d0f0a8-539d-4712-9ffd-7b8c7ff8ae5d,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c48aca-9e23-417f-8c79-22443cb24b58,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f01eace-bd24-49fe-ac2c-58fdf09f9977,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9627746-465a-43c3-88e2-fd5b3f996bd9,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9dd5e6a-6b65-495a-a227-d858d5e2e449,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c23eb53-3d6f-426c-bc88-245043176f06,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8581d5fd-49fe-4730-a4b8-916ee94f96c5,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa8fbe4-7d8d-41dd-830c-ea6646eff4da,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29faaa3a-5c29-4c2e-adaf-6d0b5582f0bd,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca5a292a-3afd-4c80-9125-9a43a0d2666c,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f6eeee3-3cf5-4b3d-9e42-039e12b210c7,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb79e3c2-bd0b-4921-91c4-be8cdc36f0c7,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad5e83b4-5780-45bc-8654-1d1f6fb782c6,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82bf566f-5e49-44f8-9623-94cf0133b731,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4f82ea0-990c-4ab2-ba03-e2a331731fc1,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,018e1734-6aae-48cd-991d-b564a60a1442,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,262e550b-99ee-4d93-bbc4-b35db8a357b3,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4f8ac9-3e08-47fd-b30c-4a47f19e07b1,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25c41cbe-5948-4d8b-9a0e-6609d1648dc3,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,789e7578-e6d3-47b3-99e7-8e543d89f6d9,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d8a9430-7fc8-4a18-968e-88fa4307bc3b,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,829d1aaf-fc13-400d-a07f-2bfd71a8b2fb,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\GUEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7ca7ebb-83cf-42ff-ad97-04bfbe4b0746,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f518ef7-7428-4159-bcc2-a824a39fe247,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5a55604-8969-445b-bf03-9b537bd5ba67,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eab6afd-88bf-47b5-a529-f20abbe60c45,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac11fea0-8ba1-427b-9bc3-5eae6dfed842,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f31ad4-840f-428d-a06e-9af0c9396fa7,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f774c105-4245-462e-84ca-8ad0ca00d22c,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68348020-8a17-4d72-a21b-534b7ccb6f8c,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e15e89b-1567-449b-a1fb-b691d6ae3b2f,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6575cc27-c4d7-450a-9162-dd34d4228077,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dbc2c1d-f0f5-4dee-a3b0-11fc84068b75,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dacdc023-9248-4151-a9ad-176fdd1f4440,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95a0b209-3e8c-4570-92a3-1f5d04bdf6df,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e14a5053-9b93-4ffc-924f-d950da99004a,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d0f30c0-f03b-45e9-8a5b-c8d2b049f9b7,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c9ced26-5ead-42bc-a699-6a0c348c1f09,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cc7a2a7-3eb5-45bf-b8c6-64c4e51b96f3,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,043ca8b6-95fa-4a77-bbc7-e969973499e1,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c10a213a-38bc-44c3-bc04-96afc1ea1ad4,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63495b25-2eaf-4646-91ad-9383ac5f0437,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd777dcf-8762-4ae9-bedf-cb27f1ecf866,"4/16/2021, 9:03:03.743 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be4fadb7-69fa-45f1-bd30-0594be1c9c25,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\MJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86bb4378-5f03-455c-b3fe-f3dc989a8fb1,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4c8e670-37e7-4509-a2b4-dc936651c6ab,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7966243-dbe3-48de-a00d-372a2f86716f,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ab11926-663c-445c-b2a7-03276feef9c0,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5016f6c8-bd29-426f-8e47-ab39228df05e,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f88184ce-75ac-4ffa-81ac-950d1a2766fa,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,007a9f77-708e-4bcf-ae75-0d9776e54326,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91acbf85-9a92-47e3-81aa-295685859a57,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b2c6ec7-bc4e-44ea-a5e4-3b9523f480ce,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ee50599-d24f-473b-9e83-2115a85b2954,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,105acde5-42cc-4189-9391-c493dc5b6be8,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c713c6cb-07fb-452d-bddf-77a55f3480db,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b4cf488-e7b2-42a6-8daf-e0db066204ee,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3df495a9-9637-4427-921d-436e6cd9c5aa,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1af82d7b-f8fd-4713-8502-854d86cce440,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25807db7-985a-489c-b7e3-76043b4865c5,"4/16/2021, 9:03:03.743 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1252ffc-7db9-42d6-ab40-3712c73f0906,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fa47670a-758f-40cb-af43-2484bbbef3c4,"4/16/2021, 8:44:49.268 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2ca97013-92fc-4bc1-8ade-321f409e368b,"4/16/2021, 8:44:49.268 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7100 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,04943ea6-b990-45ef-a283-94fe333248a0,"4/16/2021, 8:44:52.744 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ae8a6357-8c54-43b3-b793-d96cabafd3b8,"4/16/2021, 8:44:52.744 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bbb4d1db-d2bf-4047-a4be-f17c19432a17,"4/16/2021, 8:44:52.744 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5e94f7f6-1a07-4383-a3f6-39fed1c9b7c6,"4/16/2021, 8:44:52.744 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c09940c3-fa3e-422e-98d9-f012f3ebb429,"4/16/2021, 8:44:52.744 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,65f0106b-69e8-423e-839e-8b9f305e9776,"4/16/2021, 8:44:52.744 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78a8500a-41eb-490a-9b22-3c2e69be6334,"4/16/2021, 8:52:13.628 AM",,,,,,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d31b81a-6caf-4ca3-a996-8b5e6a20e8ca,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3fa84fb9-feb6-4d05-8aa3-76e4f6f11df4,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e663ed4e-9177-4ea2-8f4d-9c536d6a3677,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17e24e6e-9428-4aae-90d7-000285dda2b0,"4/16/2021, 8:52:13.628 AM",,,,,,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82dd9a4e-3219-485c-98c5-3b247aee4f27,"4/16/2021, 8:52:13.628 AM",,,,,,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4a8fdfc-1d89-42d8-8e43-84e5ca81158e,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dfddb91-627c-435b-b638-14ce284f48d3,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e81acd28-9705-4b66-88d4-2dea0f474de5,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33d402a6-e739-472f-bb6c-2712fa5f9058,"4/16/2021, 8:52:13.628 AM",,,,,,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c29254d-7ff5-4502-ab47-eeb2c04914cf,"4/16/2021, 8:52:13.628 AM",,,,,,,
+\MEXAL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21a84cfc-1a40-4658-945b-ec33c0de4fd4,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f34acf2-cd04-4eb8-800f-7848e5c58ae6,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1688ab06-348d-460d-bd3c-77e2b889ac98,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c6ef09d-2e39-48e0-971c-215fb4113b0e,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d2ee7de-9f96-4d8d-a222-72dd16fab6c0,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1571b42d-d186-4f1f-a81f-c180ebf9d941,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17091ca3-d147-4959-a359-45d6e9a00cc7,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18a8e3ea-40e0-4e34-bbda-061323d68b9a,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2892f28-1fa8-4297-99ee-dda7f4776a50,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a1a0513-373a-4aee-8d63-10645fc08021,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a68bb98-f7ad-4c5a-9a8f-54a7beb355eb,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd98f828-6821-441b-8d5a-5cadb02ffb2f,"4/16/2021, 8:44:53.603 AM",,,,,,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f30b3e64-6787-4192-bacc-9658c3cd7e67,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a820da96-e8bf-490e-8550-7aa7caf6b804,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e988075-cf37-47ad-b5ae-b23a713a20da,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14b8b064-44af-46ee-81a4-f0eea423111c,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59c547b0-2b98-4265-bf3f-151f502e63c7,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba364b12-759d-47cd-abed-6b5ab24089e1,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3018ca53-7aaf-4c35-95a5-f88402d6984d,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b67f4e5a-e581-4933-a447-a7a757b79069,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4052a7f5-7275-444e-83d3-dd08d7d15944,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36de6c83-1d4e-4258-a3d9-a12c8738d11b,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fef1e7c2-5954-4129-bdcd-84a65d52ad4b,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,940634fa-a297-4858-9a40-cedc301cb13d,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,288bf6d9-814e-421f-8ba0-edc245ad289d,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8e8970a-7140-4eaf-a739-18981cdfb3d0,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc1941cd-a50f-439e-9912-2bff30365806,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef9579d6-3c35-4eaa-8fef-f3c6cea70767,"4/16/2021, 8:44:53.603 AM",,,,,,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5c67d01-4fa4-4937-9616-d18a9857f5b4,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83008f53-cea2-4dc4-861a-51a87c3164fe,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3dd4cbc-4bb7-4493-b6b2-2aac95e8bf2c,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\OFICINA2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c60aaf2-4a01-44fc-ba58-9ab43ee4057e,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8ec8016-3975-468e-9ce6-04ddb5dded8b,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65dac9de-adaa-4c39-b1e3-41c333789aee,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27383e32-e7a8-471f-97f5-83eec3c9f926,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf8a7e69-6f22-4769-b62f-3f9b60b01cdc,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,873cde56-577a-47a2-b521-bbe2b14cfea7,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8279260b-fb91-4709-bee8-b7267ca2b36a,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f57e3a5-d668-4dd7-a827-731e427aeea8,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcaf069f-0e47-4598-8c74-b362ccfa2784,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea1fb1aa-e4ff-463e-a670-a97b0549747b,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf896ead-9b06-49dd-be80-89b17d7696e1,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b7e62c8-5194-4bb8-81a4-162bd9fc3324,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a03cc14-a06f-4dc9-8549-30b6b9cfedc1,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8292fff8-b8a3-4930-b93a-ae4fa3b9547b,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff1a5ca1-bdb8-4d4c-a65a-7f1d3b7e56bf,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ede7b4a-af6c-4ebd-a34b-80622767cd55,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1fe0134-650f-48aa-88a0-0337c8af536d,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0968bb55-f8f5-4e1f-8a03-4e4ea976f4d7,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c041555f-1af1-4785-a1a1-21dc114f5aa6,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63214e92-c823-42d7-ab71-b911de9f1a66,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fdf5c74-7da5-4805-a3ef-32c16fcfd811,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6edc8f72-c72e-4ceb-b4db-a38803740d19,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ca26c18-9fe0-4edb-ba5b-1493b5bc8bf5,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18cfb006-bfa6-4ccc-9f8c-77b84950d7e9,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e7c887-f068-44cb-9146-fa794f084f21,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bebc747-4abe-4f23-9eed-4b5077f07302,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aa638a5-85a0-4d74-a447-40b5c823ee47,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d4634e0-e829-496c-a399-8fc08cdcedd9,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ad0c66b-03ac-41bc-a610-60f55ee4a758,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21ca82a4-f826-45f1-aa82-7f253e572ec9,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f02ff41-45fb-4784-8454-e029b240cca5,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,749a4c19-a191-4c99-81f8-47622678d455,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12cfba5-31de-4ad3-ad15-7d326e17c2c1,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d52f56a-8665-468f-b39e-dca4bf76218c,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d84b858a-04ae-4acf-90e0-10d1fd4ae658,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63d26ccd-e439-4780-8472-affc5a7a2496,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01fb5ed7-8b57-4a75-83dd-d477e2b288e6,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cb3db8e-bdac-4d3b-85be-a12268172998,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a83751a-d510-4f93-98e6-9cac1eeaa1f7,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d0c2f23-5a7b-40af-92de-4ff6c29c7e09,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66a5d82a-cabe-468c-84e1-d98eb3eb751a,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a288512e-ac9f-4955-824e-ba9fa92b9527,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,782dbb16-1bfe-4048-a276-443b6ccf0960,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b636cda-0c6e-4d71-9788-787faa921217,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f98f1358-1e2b-404a-8fb4-f8f8965a60bd,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,268b10ec-59a2-4ff4-a70f-f948e997c4cf,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89db44ec-6b2e-4fc5-b4ea-b6d67f6a0769,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f60b0963-4d4f-45fc-93af-69b54c197a96,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d509c6de-f835-4d1a-8dc7-7cf1075cd6cd,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b94278-58b1-4159-9414-2b8b09b968b9,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7e9ff25-2cfd-4721-b083-a94030eeef4e,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3dd0fd-ea80-44f1-a5dc-ec91fb5f177e,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed786152-62e6-4379-88ca-8f8bcd2889d8,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b588d49b-d620-4f8f-a250-871a0a245403,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4eeb55b-c698-40d6-9a12-5b84d1f1dc33,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d497ba6b-81c1-4638-97ba-86edf4661cea,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c584621-9fff-4822-88b5-49902ab6dee2,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9496946-9b67-4ce7-9a32-dc96df8eacfe,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03b8ebf8-d9ff-4d7d-b95e-a217c980e625,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4283a8fe-e547-469c-94cf-f737069ac46a,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b121ba0-1dfd-4a1c-97da-e686b33f03d8,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caf7c7be-62f5-416b-ae7e-f901cabcef36,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b328e6d-93f1-42ad-9aea-63111ce62d8d,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb62c657-f12a-43fa-be4c-b7eec6de01d1,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b94bb805-eafd-40b7-81cb-4b797857df7a,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1724956d-8d14-483e-847b-03c0663189e4,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92512efb-be64-4a32-a084-2a808610a39b,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b423708-27b8-40d8-a8c7-9f53d141f858,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce443974-a0f3-456c-8345-9e544f342d0e,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,940da95e-f5dc-4c03-b511-c1f97e6a4379,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ff7534-917c-41fe-a7a3-e50de6ab3e72,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa87c219-06ce-4d30-9a69-a9b524eb7494,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8aa29b0-ac26-40e9-8247-30083ba5d503,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b2279b-3acd-4fc7-ba93-7bf8e334a730,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d6cb01e7-2798-4d41-b0e4-5ccfb3d0e7c3,"4/16/2021, 8:44:56.977 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14720 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8833ec16-d37f-4899-b04a-e999c7a77b93,"4/16/2021, 8:44:56.977 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df2a17dc-aa03-43df-90ce-ed83a2f34449,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54011efd-c0ae-4503-9386-afd868ed975a,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,715a4655-c67b-49b0-b0bf-305ea655fc67,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,845b4809-428c-4cda-b56f-70701505f6d3,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1646e8e9-fe11-4ad2-9a6a-106c4d6554c9,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e2a299a-9d3f-445e-96d1-590a842ddb9d,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc727b03-4ac5-40a9-9e98-c0848dcb1a6b,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be8ef65-0f9e-4758-bbcb-f60ec8974f6d,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9e7030-ed02-45e8-b5e8-1b7e00564287,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4ec4abd-029b-4d7f-8d21-41a9518f38ed,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ac479ea-2603-42d8-bdbe-bc66d83c5bd3,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5087db4e-50a2-4040-9411-ca6221ad93e9,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e12c8e3-3e96-4cba-b548-82b364e3cf17,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e3ab209-86f5-4211-bd1f-8f26cbd60212,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4003a83b-5e59-48a2-86e3-79e50481004f,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db0b752e-e2b1-4bb0-96cb-6692ac905238,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7a4917b-59aa-499e-81ca-0449cc071167,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\KJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80f84fe-91fa-43e9-9c57-962204e54ab5,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b8544a9-c4b5-4694-a214-c2b305e33c39,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b86c5781-13af-4ee9-9f91-0e82d715543e,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,095550cf-a315-4ad3-ae44-75f7413675f0,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e06b549-8f5a-489f-8320-2417fc7ad99b,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83b3f3b9-d67f-4c52-a787-ea002b36a6b4,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf79e044-cad1-42e4-8302-1089efa897c0,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6089ba51-3c2d-4ff1-baf4-cb3bb86f8051,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98070345-557f-4cb0-8271-f5e1e24e2023,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db51637c-390e-4fcf-9f8f-cc1fd90a190b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1acf16-b982-4e27-b3eb-79d6a88ad74b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d82b39-dbac-46c5-adc6-4e5392e552f7,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13fdf972-1362-4798-b50b-48ddaad3d4a0,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e5dca03-2ef0-498c-a552-2afa8da42859,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc2f78a-7543-4a07-a91d-ca922f31018c,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944feee3-7b8a-4a2a-9588-c5bdc6885aad,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c972b090-85ab-4ffd-b8b3-7ff1ffa21d94,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9e3b1fe-4ed5-4509-930d-c0574e218bcf,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d1f7cc4-8a0b-4ddd-9fb9-17849342943b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9661426-972f-43c2-9f79-02b91f8c35cf,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8113384-26a5-4d03-bcbf-7ae36c997a6b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1528c62-c1a1-4d57-8a37-17309d683b71,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b75947d0-7c9a-4d1a-8052-3236daa8ac3b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e089d197-ec81-46bf-b663-bd27af269e81,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec1eaa12-b356-4d48-9416-484eb801644e,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48dfd5f8-2530-48b6-bbd4-c8024e24aa53,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fea1bee-56a0-4bd0-b97d-86347641e2e8,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ea22a69-61ef-426d-a917-e60593a7a026,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b414884-5bc8-4a2b-acac-7467d0e7c59c,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0432679-b12c-4782-9b2a-8ec21872a1b1,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76cae2aa-dd66-46fd-b6a6-7ba8c0855f33,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca02a87c-f372-4423-9128-262611781d8a,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,361b9d93-a787-471c-aad1-7347498ce4b4,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e50bdb09-947b-4ac5-91a1-97aeb542b66f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ef5a74e-ae3e-4d53-971f-cfabec5c5279,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9504f66-6c1c-475a-9831-3ee0bc62190f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,727bd7f9-b33f-4eef-b9f7-3e31069bc004,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1ff530e-f936-4184-bf8a-ef191622477a,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a3bc5f8-e593-42ae-b20e-9ef233605e16,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03246d89-e10d-4096-92ad-378cb7af619f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4059f254-9127-4637-8e06-d7e1982bfb64,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92017372-57a8-4ccd-a5bb-50ed348f8626,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1bee9c2-e7d9-42d0-96cb-343daeeffd60,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f64b36a-7f5d-418a-9a94-c77ffacd9c3d,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a2bf5eb-ab17-41c8-82af-b64d137557c3,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,657f5da5-529e-4f55-86a3-4c35fb755ec8,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78ec107-0db1-44e7-bcb5-c499035a754e,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be8344d6-82e3-4e3e-8944-167e540eb04c,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7f1346d-e37c-4c31-b0dd-7ea55f549974,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f97240b8-3825-4129-9251-e04dadd9d0e1,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb734fff-6df0-4ec1-8559-a4b416193b80,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,915e8904-a282-4e2e-af86-0f1fae87f22d,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95224e08-77eb-49f5-84d7-4445a03f3998,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95f9b940-3b53-43df-90e3-ff0697ad2fc7,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c77c416-a470-4fc8-af7d-30fe68c7443f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,347016ab-3d59-4324-858e-0c51c10274c3,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24382fbc-9954-4980-8be5-5497f2f5d460,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac23337a-e581-4668-8ea5-2f4b9a7ce75d,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a8dbe03-94e6-466b-9ff0-6970431597de,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c319d0e5-c964-4394-abda-79927593d667,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a768565b-04a3-469c-9266-7d88cb9ba0b0,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02502f23-662f-4b87-be6d-b593ad54ebdc,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,806d59e9-cd48-48fe-bf2a-58c3dd0c7edb,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed08e745-8956-4851-a408-f935135d7b18,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc79b209-e913-44eb-8561-383464112233,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fec4da7-40a9-4d26-bcff-4b1d1e819a8e,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99835229-dc2f-4c0e-aa17-cbe7a4a08990,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d71671b-52c9-4ac7-8123-d23ed57ea6d7,"4/16/2021, 
8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79eefb3b-c01f-4d9b-b978-dda2eb3b2242,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62a08d99-2fda-4615-b052-4b7ac4bf7dbf,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cdb5669-8514-4feb-b30b-6808cb1a340a,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9446cbc-6352-48f1-993f-273f847d4c2f,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f98013d-238b-4149-9867-7ff060a79fae,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6899e3e-4fc0-484d-ad39-012277199a8d,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15c193cd-ea53-4bfe-aa9d-a24b3cce3e3b,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dfa2438-9492-430d-b896-52a02c62d0be,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\CRESCENT 
LAKE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d9160df-b7b5-48ce-a999-81292ecdef79,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a22d38a7-ab13-41df-ab48-640ce97628f8,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce49c081-cd9f-4f11-b93d-3bd6e90f675a,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0b3c1c9-fe45-4cd0-826a-218b0624abdd,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a6317d7-7fc6-4e8b-97d8-0da326ae2db5,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6420a79-bae4-4fae-9bba-1da926793893,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760fd76c-e40a-476d-a4f4-42e1da68fbf3,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b693084a-3118-465d-8b3b-ae48f2d11306,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fb09f2e-3a68-41b4-84ae-197bfb485b38,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0e2ab0c-6eec-44ef-af39-ea9f4d892da5,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57984897-6f78-47fc-bd37-ae145cac3f00,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e09d8eb4-6ae0-4ab5-ba7f-009b9ac42573,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebbc641e-de8e-471d-bca8-370dc774d889,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61764e20-7fa7-4b78-9946-23b30e861925,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae3145ba-5e9a-405d-b39f-7e119fa98ada,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a87951-62eb-457d-9695-610a79673f43,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,239cb7a4-f83f-4450-b53d-d9ec42c20487,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fc3ee46-1791-4f86-889a-967601bb4f00,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84fde3d0-9fe6-4a20-a29d-8637ec12e94a,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5be8f948-36b5-44c1-a6da-001aeaa1d3c0,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,657c164d-7184-4982-93d1-b760b4eff2c2,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129c9a1c-7547-4db9-998e-a6999799adcf,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28fb2cb8-6599-468c-b26f-a1b79f4ab510,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31959965-dc3f-4033-bb5b-84a4d08c51e1,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12c9773c-b6c7-41e6-a64e-8593a07d4a4f,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b57f80-dd05-444a-b5b1-76a702ee086c,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161073dd-2e3c-4afc-9fab-e0fcdf49c087,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01c37d29-4407-4493-9baf-ea5ff32c91b3,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53913897-ee2d-4519-9319-305e41e8fbd7,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,504b92df-fb49-4a63-8630-32429e66fcc1,"4/16/2021, 8:45:03.608 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62ddbbab-124f-4398-b492-4c29b51bf11e,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,664fa29a-b386-46ae-b7f4-a4efee31b265,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,733c1439-eccc-4c70-8a73-9dbe8ea8bb3e,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e0c1ec2-151e-4099-8105-edd6cd680fc5,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ffff210-ea37-43d6-bb48-9b20c4362ea8,"4/16/2021, 8:45:03.608 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4640817c-9072-41dd-a77f-8ca690a109d6,"4/16/2021, 8:45:03.608 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d744880e-e6fa-43b6-bca1-763518bf9cf8,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb35c70f-5569-4574-be50-30c9bf0aea3c,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa6ddbf9-f4fa-49b8-ab1e-825c631bea1a,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93759e9d-22a7-431a-a993-3a7e05be892c,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83282d82-75e0-4c93-837a-23d63baa7996,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff255b0d-2a1e-4891-9557-2af88ca27a4b,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12151c1a-0be1-4133-a444-dd1d963b38fa,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26bf3c84-b5a6-41ca-8894-15715dc3952e,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c571bb51-d1c0-47f5-8529-b02512b01ec4,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ad16798-0622-45d9-9ccf-02cb6742417f,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01e86bbd-0d5e-4037-b7d4-f4ed9b9bbbcc,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d9ad0ee-97a6-4b9d-a6a5-0de1ae3abc76,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e6d626c-aeb8-42a3-a068-b1ad0b8dbf64,"4/16/2021, 
8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5abf2589-a926-43a4-93dd-7c5fe637f285,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7d1bd18-5742-4144-88b3-0891e1f471b5,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42423e43-9de1-4365-b068-e600f80a4594,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c6ddd16-4a23-4ee3-8472-e17f632645dc,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f3c8d42-5ecf-4a2f-8ab8-935852de9cb7,"4/16/2021, 8:45:03.608 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09a3660b-e7fc-4b78-999b-8489fc07e6a2,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d7216f64-8363-42b5-a28f-1147d4624d84,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3121b0cb-e49f-44d3-9dc1-7d92ff6fcdb6,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,07d68ce4-ccca-4928-9ff8-28e63ff042ca,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SHIR-SAP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T17:17:53Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> 
<RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 844424930139302 + 2272 + 812 + 0 + SHIR-SAP +",4702,4702 - A scheduled task was updated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,edd37253-8c4f-466e-865d-85de7760e52e,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,262bda18-5374-4963-905f-d2a5d950709b,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c88dac78-aac7-4a67-8973-40c31745fa90,"4/16/2021, 8:45:11.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3980 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb729171-32d3-425b-b2f0-a3fdf3cb3c56,"4/16/2021, 8:45:11.416 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3084 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,274e7f15-1ad9-4fe6-9788-d9c30e3a8da8,"4/16/2021, 8:45:11.416 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1d9bee70-23e5-48cc-93e0-e3597df4ee4b,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1368 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9bb1fb5-4dbe-4bb3-89d3-c668f86df426,"4/16/2021, 8:45:11.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3120 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6aae56fb-afa0-42a9-ab7c-8dd0e3a67d65,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,907566bc-563f-4129-820e-2ccc09fcd749,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cda41ce-5e72-46a0-9b40-ff0f187cbd41,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f4fecb8-915f-4a97-9871-c24ab906018a,"4/16/2021, 8:45:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6278ac7f-a0e7-4646-b8e9-adbb58e03e08,"4/16/2021, 8:45:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ab80064f-a540-41c8-ab07-b28ea257d7f9,"4/16/2021, 8:45:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5100 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,de86ba29-2256-40d8-bc42-ab51704de01b,"4/16/2021, 8:45:09.860 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,db5f603a-ec0a-4f2a-932f-076875e6bcc9,"4/16/2021, 8:45:09.860 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0d1021ca-9652-41db-bfb5-955b95d4669d,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,70912d6c-9a6e-4a97-8344-7a3e490e3156,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2ff695ae-7596-4091-b28e-2333d32494b7,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2c85b630-8167-4978-a54f-5b887109d1e1,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2702ddbb-d101-445a-a4c2-afe5ce2292cf,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,726ead25-cdb4-4697-a6a8-7d461e40f075,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ae5da5e-b579-44df-b443-08a048fff398,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae57fb10-f5d8-4ab6-8a3f-bb90c3b5f3d1,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c14336ab-f5cc-4e98-8591-43fb50500ce6,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0c75c8a1-3b13-4653-ae8f-2dbd5e1496e7,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cebedaea-5dc6-403a-b74d-4abff4cbe4c9,"4/16/2021, 8:45:16.050 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bce35cd5-4828-4fa2-a9e7-f5eeb9ea9cf0,"4/16/2021, 8:45:16.539 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5856 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cd1ad5a2-eb76-4ff6-a82c-6fbc1f32e5d0,"4/16/2021, 8:45:16.539 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,df1cc295-e086-4ae3-8a81-02e5b73a0a9e,"4/16/2021, 8:45:16.539 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ca2ca9e-1432-4d26-af40-5a5fe7adf040,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f46d156b-18c8-4511-bf8a-f9771cb981e0,"4/16/2021, 9:03:31.662 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6619cb55-b795-42ed-bd51-fd5c39dac75a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ae6b4a5-ab20-4e2e-8563-4c8011f5a598,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c2e4419-6e58-4bed-a1f5-0fa204e96b04,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48e4686e-b8c9-4db8-a65e-a6aeca5f12bc,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3da65007-6cdb-4321-b9a2-2b9781d396fb,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a4d09cf-da62-400c-9f07-3190ded76456,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee44bffd-0081-461e-9f72-8fef512d0604,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d8c329-e0de-4401-a270-37d7b9484d7d,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13184430-aabe-4356-b065-c6aa27e91937,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d214991c-262a-4c32-b417-fae66be58d7d,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2783d7e1-17b7-492d-87c2-9dc9f47bdaa3,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a6acda4-3e13-43dc-81d0-8853dd4ce799,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f125b8e9-44ab-48c7-b271-986cfbb57f01,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12886984-d9d8-43c8-9053-3fe751be5d73,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da8fac08-e1d1-4386-a7f8-69bbdd487fb1,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67502fce-1224-471a-a45c-b5d8297d042a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b36cd61d-000b-48b9-8be9-b4edc1a7225f,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c9b3bc5-efc2-4f25-ae8a-7dc04289978a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b24d1d7e-0537-481d-bf1d-a758bb66c67a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e0100e4-e606-4592-902a-af22cf6075b6,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a61b1f92-2b29-471f-a92c-7af81967147e,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f75c82a-ba7d-4594-8731-f5f5ac5c3f47,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d07df1d-2329-4213-89e8-eff84f015731,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7de96a43-e600-4a2c-ba2c-17b55e654815,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2745c73-da65-476a-9f53-07da59dfda3c,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59f06446-b350-4b00-a484-ebab364ee204,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04e32b57-8c32-4596-b035-c692ac73fe32,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\ALEXANDER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01a9f43a-cf70-4856-8bef-0338496e6f0c,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,662fd875-20e8-4706-983b-6fb6ce45a5bf,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,811da4b8-a34b-4932-a351-e224dae21bdd,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\OVV,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3054780b-21f3-426b-b6cf-593de7a8f9b1,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be72eaa5-b023-413b-b8a1-7a0395bf6f61,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,414e9a69-88e7-4d61-a203-9cfe586403ff,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3350246-d0e8-4bd7-9afd-b9e5e76bb440,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cc9e3a0-a828-4bf1-87af-5d2ff993150a,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb77d10e-56c8-42e0-96b5-fcb949c7d408,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcd3c586-6dea-47aa-b4ec-2f96a69822a3,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07819dc-d665-4aef-b990-cff43106c207,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a0f461-f390-47b5-aca1-58bc840754b2,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0afecaa3-292b-421c-9311-48fa49c80271,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df9a037a-c2ca-4291-b78b-37610dd91945,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38722ae9-dd64-4990-8883-3dba801f86d2,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c13a82ba-3b83-4465-8026-1f22d4a20a9c,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e86e440c-8df2-4087-9d63-ccf63c49a5d0,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8d556216-1ff3-4eaa-abe2-de1ea17fe79e,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6954d489-8659-4e88-a0d3-d684956f11bc,"4/16/2021, 8:52:23.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,179e19cc-05c8-4a33-96b5-e815a7ab9346,"4/16/2021, 8:52:23.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6312 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7e500d66-2dcd-4ccc-9b3e-63dfc7a33c6c,"4/16/2021, 
8:52:23.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6028 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b865fee3-2e57-4601-91b6-8be8280323a0,"4/16/2021, 8:52:23.410 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83197e2d-7b43-4422-b77e-829769b7ff83,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ccb7787-4af7-49d2-87dc-32fd29657add,"4/16/2021, 8:52:23.410 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d521abb2-5199-4144-a020-fef4bb08798e,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bf3701d-18df-421c-b90e-b8ca8818f7eb,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12ff8cdf-5499-4c8b-8317-76aa27c64aa4,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c205f4-8c43-47e4-a046-9e9f5087765e,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc1d5e7c-6a88-4399-88a3-96459f7a98f2,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f0124c6-334a-4daa-932a-314398d9e466,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5a9e23-710d-4a79-b99d-17aa55a04640,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ae60fb4-e5ca-4385-8f4b-8e876127ad57,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,943fb451-296c-4a9b-8aa8-dfb0eb6b72a8,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,272a7b00-b0f5-4cdd-aec6-4a066c0fc8b6,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ac31834-c31f-42b6-9934-451d490a54a9,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf46cfb2-63fb-4bf3-8cdc-dbdb84a888a3,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b577f3-b809-4660-9f28-24b0619b73bd,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd2e27da-8956-46bb-a34e-8054c98b66a7,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7cb0265-a498-479f-b723-3535a4fdafa6,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3474bdbe-27ea-47a2-ad45-0a8c2ac097a5,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,227b145d-2a31-480c-86ea-8b95e60b1275,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf2e7a8-c0f8-423a-801e-072bfd7afab0,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b127d0cf-9e09-44bd-8da0-77b3024b17d3,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a818acf-3378-465a-b4c0-2dae8463e2a5,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b1d41fe-14b7-4682-a272-615a14ab0fc0,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76022a3a-a1d7-413a-8120-14c1681c04e1,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dfea27e-1837-4918-9746-0f3c52d2b39b,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d08d7a6-8b32-4644-a236-28a974d4e57e,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94ceb7e2-adf9-450d-9048-2aed83b19410,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ea86e9b-2c33-4908-811a-b4ede2081eb0,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8705d126-f352-4f06-8991-e061052cfda4,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71fbb1d5-8281-4907-a42a-52ea1896f544,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,730da0d6-6d32-4c41-a973-c81b3d9fa098,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4b0acd4-4dfb-49ea-a8a3-8bc5ce47b966,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af7450a5-056f-415b-94d8-a97e98228965,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc9eaa7e-4d5e-4b86-b76e-3b9c0023c425,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ad82e01-106a-4f2d-9dc4-5b3e401ab70f,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee221fb5-0522-4a6a-9bd5-a20ae70a28d2,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38e41c33-f4a2-4651-b32d-3039de1198e6,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d28ce86-a765-4e0e-947c-f63f40c7b1e0,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,524726b0-5bb6-4b10-b3ff-f8b51ac19086,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21eda717-1ac3-4b70-88ed-9869ec55f665,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56350baa-5011-436f-b4e1-f853094078e5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2e87876-164e-4ba7-ac2c-810f5a44a1e5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,818c54f7-5913-4fb3-b75a-ead08688eaa9,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98c8a408-42db-4582-b348-50118de456f5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d1a6cc0-c12c-456e-b286-8bbfe2d9f663,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e59e2d31-9ff2-4cfa-9a2c-44b88f00f6b5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,791b50d2-46b2-4b99-86dc-19aca3eb655a,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd3b2b79-eefb-4c2a-ae55-3fbf6d70dc1a,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b87dae7-ebdf-4300-85ab-401820c6f22d,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cd46206-6f01-447b-ba51-b86cef184141,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,646e350e-7b4c-4472-bd5d-a3444a81b44b,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e38489c-8a84-4e8e-82a5-d377edc31eb9,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26de61a-cf9d-460f-8b6e-d7f2d3a2a607,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd1260c0-69fe-41af-bcc3-2acb7ee6e2d2,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda4ea99-7bd6-41d1-ab55-756cdc1bac50,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef28401-397f-408a-ad59-4bd395c679ed,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fda9406-9f8f-438b-aa23-2c027b9ee906,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f819b98-2d07-4562-ac62-365e31be0a7f,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4761418-739c-4910-81db-4fde9ebd3243,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a715943f-12aa-4660-8609-071dd01901ef,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87cfd260-e28a-4e2d-8b29-09532f6d7429,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d856f509-37f5-4822-8fe5-41432ce2a17b,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cc6a69b-270f-4233-b5c9-5cf548ec4817,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26dc8d7c-8070-4f4c-bb60-ee7b5e6776e0,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77683db7-be0d-4b17-aa6a-3e8a717e9722,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5d22489-de29-47a9-b38b-4ae4d8fd3b7a,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82cbe37-a4ae-4f94-acfe-84eeff873d70,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec3e9997-1c21-4ef2-9f4e-2328964b1cc9,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed8cd57-8077-4931-b148-6e95263b96d0,"4/16/2021, 8:45:20.104 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a400c52-8bd5-4b7b-a26a-9c1c355ea10e,"4/16/2021, 8:45:20.104 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3a86575-aca1-4fd9-9113-12003de53ab9,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5652 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,82015ed7-811a-4ee0-92f6-8f06274fac54,"4/16/2021, 8:45:20.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f85b5711-f15c-48ab-98ab-9bf120d689af,"4/16/2021, 8:45:20.104 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfcc3e97-29d5-4ab8-87cb-3a3a87165512,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a4a7dc9-890d-47ba-aed8-0c486b849dc5,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72f8dc4d-2a04-493e-8b46-07aac0b03689,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63d742af-d34e-4740-b66d-8f70ffa19dd5,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46a9043f-7961-40c0-ac4a-f04e81b3a5c2,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bbcaac1-46d9-4a7f-8d51-1d6f38f18135,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0e72d46-6ba3-4699-9cca-42003e7e6442,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cfe2b5c-5be1-4b60-b248-1ff5c1a11a42,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75a647d8-0c0b-4af7-8ca4-903ced996d97,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b0ca36e-89db-4fcc-92e2-778c09b925c5,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e1951b5-8a57-44b6-896e-e623e199a80d,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1beca6b9-1d70-4210-aae1-4c8edac723d1,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f12b249e-2dc3-478c-874d-868861e04d12,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9eb664c-866d-4752-ba33-6dfb0b6a7e5c,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,224cfa2b-90b3-4e22-9525-777a8f02c582,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00b765cc-6830-4f4e-a4a1-ab5f29b31c9d,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,103b192a-c1bb-4a7a-aeb9-5bf501007bd4,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75dcfe2e-9516-46f7-beb8-89a0b9a2c8c8,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,350e933e-89b7-4fe2-b19d-b5613bf373ed,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b5522a7-9d03-4ed5-b8ae-1d553f781ac7,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61dcd31c-f9c1-4e03-b832-f4010c1dab10,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0f583cf-60e3-4063-ada5-711920795929,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1d8d7fd-aa1e-4b00-8d2e-2b74736df5bd,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ac53d8-3fd3-4915-b1f6-3e2c3bd23b1e,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecde94c0-b78e-4d03-8822-07d617f27f1c,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c167b0-d9cc-429f-abdc-5273d8dfeca3,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,297c4b50-0bba-4dd5-ae25-51635f1f572f,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63395c1a-5625-45c9-a306-204d72a7994f,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f8a404-b203-430b-a328-d1e5b8007cdd,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed08aa18-105f-4a50-9d13-ff4d3d74ee2b,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db6ac1a6-751b-4c13-b4dc-063b3cefacc1,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,712cee39-d451-48cc-a836-7e039b010e3e,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2ce04b9-7ba3-44eb-aa88-0efa9b26613a,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a34c2377-0a7b-4042-a94b-11f39960cbb8,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdf126df-5847-43e3-9b6b-7de2ec5088aa,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,682cb234-903e-4d5a-a38d-239fd1c40d58,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05322e43-7f7c-48b0-a473-2b01a6cd1577,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9afb797-8c03-4aa2-a8e2-21a50d08c7dd,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6528ba14-8d12-4042-9653-3033205f5bba,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ec515e8-3594-49a3-b51e-5f0bc7e425e7,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb5380f5-f814-42af-b241-784ecc0418ed,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\UNA77,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa75a19b-a16d-4441-ac42-8756561e972f,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b2108b-a8ee-4da8-a17b-7a6be20b0e22,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,214b28ec-64fb-4dfe-9424-4686b1fd7007,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,201a9163-c626-4d07-9390-125605b65e03,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7e46c48e-dd76-4a45-b3d9-087868d710f3,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fceca01f-4420-477a-a516-0572462f3f80,"4/16/2021, 8:45:32.869 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x2415668d + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership 
information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0b5c3b36-c46d-478e-a143-fc30ae9a079a,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5728522d-5c9a-45a6-b54b-6f58f83fd8d7,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5fdb2a01-33a6-411b-80d3-221fae68fe89,"4/16/2021, 8:45:32.869 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f15cbce-ecbb-4ed7-8fa8-9523979d08ec,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2a8c330a-9250-43bb-b1a0-61aff7fd03c4,"4/16/2021, 8:45:32.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5272 + 70 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSEIR.EXE + 32 + 3B36E67E5EBE93E1709041FF64102DC50FC2C820671221C97DFA601D808E95A3 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSEIR.EXE\10.7740.18362.1411 + 0x3e7 + 72 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c15cf2d0-fc61-41d2-9026-fa091d63a6f0,"4/16/2021, 
8:45:32.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4356 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e5 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f8547bd-85e7-4b9f-91c4-1ccff8a7c5fa,"4/16/2021, 8:45:32.869 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10268 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6f0814dd-468d-4cde-b498-423b8615d90b,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a2cb9d73-5008-4e7d-a392-84b58bd80041,"4/16/2021, 8:45:32.869 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,44835932-945e-4c60-af12-b7c1509c79a6,"4/16/2021, 8:45:32.869 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efc26cc9-ddda-428d-a8c5-1be17bd0d409,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd50c992-cd5a-4d24-8e2a-9cf0e4753190,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55e8431b-146c-4cc9-97b3-830fa4f1c93f,"4/16/2021, 8:45:34.615 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5fe436d-90d0-461f-bb73-65e7f42a567f,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06771e3e-5916-442a-a6ef-06531606596c,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8652933c-1431-4344-9259-041afd4e7d12,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82210c62-f444-4d63-9d01-51323250b2f8,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37c57c29-d964-4c9b-a336-9a056fda21a8,"4/16/2021, 
8:45:34.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fb7df08-a3f2-4168-b3a2-8eb8d84134fd,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b2ec295-e8f0-4833-954e-a7d5c45ad049,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c38e6e6a-62e3-4921-9e6d-c5c83f5ceb12,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,050c40a3-8f42-4a3d-a9c8-2af9762441ce,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d684556-5ea8-4c51-9ef8-195845bd8594,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,915c123b-396b-4dfe-94e6-12a47aaab5b6,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30638fdd-5811-47c5-b404-fc5b169b9fba,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb915bc-1f81-4741-9379-8186f12e6131,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb5bd14a-198b-4459-90d0-9ae3fae04673,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f33446f-97de-453c-83b3-797b204971f3,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff2f6c3f-8ef8-4c9a-9bd4-656a19247a15,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,700ed3f0-ed7c-4a46-bab7-449b418976db,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e310ff5-d157-486c-a855-56cde001282e,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29ee13e0-41ec-4f8f-ad83-62ac8fa4efee,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,e27b6654-3ac1-4275-ace8-f9480d3a4d11,"4/16/2021, 8:52:24.757 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership 
information.,f6638b82-98a5-4542-8bec-6bc0977f793f,2bd6544a-cc48-4f27-ab5d-dc981058e2cf,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,edf592de-d2d3-4388-aff1-2a7383771928,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,68176ac1-524f-4e62-8218-6b94c9013503,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,59977b0a-50c7-48c8-b1a5-7457391afba2,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2176 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + A68F28B7A6B48B6CD6CAB57C5C6411BCF3A6186B4FC6823F03D9F2A8828CFD02 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.18362.1016 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d828db1e-f1f9-49c2-90f9-5f30629ec542,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7228 + 122 + 
%WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.18362.1497_NONE_16F5D4B32A2EF7C6\TIWORKER.EXE + 32 + BC24C913F9E2EED11FE1DD49061E0D4286CF68A1A36EC6CE4CF89FA5002E105D + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.18362.1497 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1497_none_16f5d4b32a2ef7c6\TiWorker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6d0a9120-e699-44ba-aa1b-3bdad6a44999,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Andrew + VictimPc + S-1-5-21-1778951011-109519560-3417497144-1030 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,db778e17-0b6f-41be-809a-37b039de57c0,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,fd49cdfe-ba19-4d9c-a182-5d351ad5e01a,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-503 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,d394bcca-5057-4a8e-a48d-7a8587e286e0,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPc + S-1-5-21-1778951011-109519560-3417497144-501 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,05d10cac-8f3e-4272-b373-f608e6a87449,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-504 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,723513db-749a-4e98-8808-514cf775e1da,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc342a67-e880-4831-b0a3-4a2c9f483cb0,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5d8c570-63e3-45d1-9ed1-d9c93ba0d296,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cbf3d23b-c9f0-4bf9-b8af-0ba9fb34cee3,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7260 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,11d91d5b-468b-4bea-bf16-0860841e07a9,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c2b9f3d5-a746-4617-93a0-0346e0710bc1,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,ca495b8d-0fbf-43ea-8655-eb1ccb2f512e,"4/16/2021, 8:52:24.757 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,46615fd9-e730-421a-8385-bdbb3a266e44,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,a140c5e4-0974-4f64-85d5-e12242f0f665,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f4b11b5e-225b-45d6-811d-dd20cd5ee54b,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,58b387f7-3437-4753-96dc-f4c36049388f,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4c209b89-e7b3-4109-9b62-d7b49d240022,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b54cb90-303a-4ed7-b80b-d448e8083e1d,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c8ab2c6-98ef-49d8-a5ff-d7e8d17bc5b7,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,df4b2098-7cf6-4ff8-bd2e-f0078fd88713,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6060c39f-9909-48f7-b8ae-e3a9dc49e377,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,51b58a25-589b-4c2a-b592-b5c38bd70e3e,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4108 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ac5289e-fb6b-4f70-b31d-2316ca017a22,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1100 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4c265ef1-4056-4841-bfae-86711a33ba31,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e6f52d0-79bb-4585-a327-14ec670bc89f,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d3b7ae36-b101-4d10-ab0d-5a47f12add2d,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e4e0d36-febf-44a4-b5e9-6dee6b8ad8ad,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b56c2e09-b964-4216-8b60-860c2631768f,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8de588df-3253-4da1-84be-762808f0e497,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8834515e-4b87-4bec-841d-15e8a33f5a14,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3f0c4a7b-52f7-4cb3-82e2-370092b8287e,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0a98e45-2c12-4648-927e-8404fb25dd21,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3ca063e4-e5f6-478a-a2bc-624323784d2a,"4/16/2021, 8:52:24.757 AM","%%1552 
",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae81a231-698b-4d4d-b20b-4f8b23d1fc44,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ce15bac-bde5-4067-9535-9b12e4ba9fd1,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d884c800-b4b4-4c66-b991-6bf57bba62f1,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,23ec98bc-6742-4cac-9c0c-5a72c35c8d39,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0fb8940b-c775-47c5-9b2e-3f16903e0d0a,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local 
Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e78d7eb-b381-4474-b869-f65de9ebbda8,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,97c0720d-2b31-4bd4-82de-81d62372ae48,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b7ec9b8c-c636-41cd-b19a-5d3651a6c20d,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a7a0aa5-4522-4063-9a1f-2e3fdb98011d,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,cfa31b96-3250-4704-a9d6-b448de883bc8,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f962982-87b7-487b-8ef8-981620e6592a,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,278b0c88-6cb6-4c50-ac75-3902cffe2a6e,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1b17e29-d846-4ed9-9d12-c70ba98ae17e,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,187ef168-0f56-481a-bb4f-fafad54e0c7d,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62d56613-13fb-4e51-8a2e-8e4663700c57,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6b49c16-cd22-4787-a45b-00832ae836d1,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2083a5a7-3b54-4d43-84e8-9a075f23d0f4,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7892e76-cbe3-4190-b98e-d6e1763ee755,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebd6026b-04ef-4465-9f7b-b02165311adb,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0340f57-296e-45b0-a3e1-cb622df6e06c,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\TJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74473b98-cf6d-45f9-9757-731715a9ad2e,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ed4d847-9109-4b96-8e80-c6947b175b30,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\ODA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ffa1011-b1fa-4be7-8404-61094dcfc4b7,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f2ea494-1a22-4f93-ac37-74dac5286fc1,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,404804cb-648c-4037-a71f-12227b2fda56,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2708d238-d6f6-4d1b-853f-02f93f0fe550,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d026719c-27b8-4688-832a-616ea039c237,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3e288fb-48ef-4fc7-adc6-6bf4407d2e57,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a556e8e-7e71-4219-b6c0-fcdfaea86502,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef2adaa7-48f9-450f-b609-6f3ff4c0abe4,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e3e9c05-2d1a-4ec4-9ea5-a9591e981a7c,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc1b5ab-7eec-4d11-83cd-1292d4588bc5,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd369bc1-6e0c-44e6-ace0-306a5143d0e8,"4/16/2021, 8:55:53.647 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f659bf4f-6efc-40e8-8e45-2072463cea54,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,347d2434-bc60-4e75-af74-636a1f65c8bc,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc84a7d1-9ac8-47d2-a953-b2e1b9f9f714,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4007b1e-f5af-40d1-b2fb-e037def4dde4,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c77b770-1939-40a6-8f3c-caef001c61ae,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d94e9b28-36e8-41ca-9942-9287350dd4b9,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0788c8f3-9311-457b-a56f-48a393e60437,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0558e721-1a21-48f3-8027-bca17b5617db,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97f98f7f-e41f-4cad-a57f-b3cc18689d0d,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a77c4806-4cb6-4090-a0d6-e860eaecf489,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,1119f8db-ceb9-45f3-8731-ae0cbce5442c,"4/16/2021, 9:03:36.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66363f64-0078-4c7b-87e6-c7f399a73108,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e039840-1d96-4651-9739-36cee816320f,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e74b88f2-1d4c-457b-8040-425f7b2771f2,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e25a639-9c4d-40af-b307-aeb80671a831,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d00eeea8-141d-46bd-b4b6-fa44907df3e1,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7670f47-f2bd-4aef-949c-032bcfdb1eaa,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d3e5b3-7168-4482-860f-2bc142e710b8,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66cb2056-3b65-488c-a3df-52d5d7b40524,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ROOT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ba7ae8-2cb5-4b99-a99b-4f3269a76a08,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e563f6bd-46fe-42cf-a932-582444507c01,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe774a37-400c-4809-b149-d9bec91e4bd9,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b1b66f-7c61-4914-8dc9-35f1e7c2ba21,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bcd006f-c7e7-4487-a8ae-7d78a9c97762,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e459528-dcd2-441c-8066-ec0294355c95,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b0dea74-a9f5-4870-96cf-33292e47e20f,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b885617d-7cbc-4c62-adfa-14ff6b26ad33,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08e44a4d-d84e-428f-980f-fac213e6af65,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e75f9933-f542-4d07-937d-77ae5bbcfb7a,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caf43a96-7560-453a-8920-4a73bdf3f043,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fd3119c-7ac5-4dc8-a99a-839c9f2cfbc6,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc3da7ed-ea09-4728-b804-f7ff9ac8faca,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e334416-53bd-4031-908b-419115a8d0ab,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bbbef99-4feb-4340-827a-d756d25c2e7a,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,2a04984e-5dcb-47e0-a900-a1f15022a06a,"4/16/2021, 8:45:37.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b850b8-1e49-4a2f-a9ec-4e1608723e98,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b44edee5-9f58-444c-9a04-18c79fb2394f,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a7af621-278a-4395-b161-2eecad67b744,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\MANAGER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0581f177-9923-423b-8677-55031023e1c4,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb35c66f-baa9-48c7-b4d9-4697c819b937,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c475df-e8aa-4da4-b525-895fb607140e,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4013c140-6f3b-4b26-94ce-403636b31437,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81c40e54-cad2-4571-87bb-7e57486afffe,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08d239c4-ef42-4604-8749-b1568f80f51d,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5fce39-a6c0-4d12-9b2a-8975aecb1eee,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bc4ddb0-0b17-488d-935d-c0d51adcb014,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,791274ea-d391-4c3a-b0d6-e457cebeaa33,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa249ee7-caa8-4f66-9742-618aaa56117b,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16dcd2fb-7320-4f14-aedd-2a5a2e6c2fa1,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\CRESCENT BEACH,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17b6d377-6838-4d7b-9de4-f5c86d07fef3,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab25b8b4-1416-4671-a162-9212009a8da1,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2514227d-5298-49c3-aaea-486e65431c87,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21a8291f-a779-402a-9bed-aa23253e4353,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9f6660c-3c3b-4e4b-b269-25e50765a0b2,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b628b4b-1d14-4b4e-80f6-32dd6e970889,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebce8944-af4a-4f8b-8a63-4f15d01016ad,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbc483b0-991d-40e7-8cfe-6c36119ff022,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10e95ca9-eda8-4e09-ba93-df683c5f18fb,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97557fd-88d1-4941-94d9-5dc3b164d141,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2e79283-78d1-4830-b759-0156d629fd10,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc2ec251-779e-4e01-90c2-fe4ee5e96649,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a05790f-d871-44d1-85e6-fa51827039b9,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bf3448c-2fe7-4b02-ac9b-a24b200d6fb7,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46eb2d5c-4b07-4444-85bc-9a9d97276225,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a571e3-be8c-408b-b28b-b7ec2ebf2d44,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a05746d-f0f5-41a5-9ebd-f8b0fcf19b1b,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c477c50c-009b-41df-b461-2efa35da3c22,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b53b0ee4-d302-4568-a6e4-fcbdb14867e8,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ef9c3cd-2ec4-4c93-a08c-c0bd0e986cfd,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b24bf71f-1249-4539-b70b-e3b50790c099,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3192ce8-e00e-421c-90ce-720a495fef27,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,447ced85-94ed-452f-9d7f-bdb0c00cab4d,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4620d41c-41a0-412a-8b08-abaeab214ede,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db7d378-0c3c-4a1b-99f9-92fff21fab72,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\FJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a52c0c-aef7-41fd-8db4-05de1ab09711,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d23a0b7-9769-4caf-98b7-1e86b6219b24,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f74a835-599c-4e81-b45a-21d6eb50d4e7,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb4ed938-5211-4379-b9b3-ebc97fc1732d,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fe9b18f-acdf-498f-90fe-d14ad878caef,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4254b71-5e4e-49b5-bfa9-d44696b2f41a,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97f9e53a-9f92-4355-9507-031152a2f843,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0999a554-71dc-4a91-bb8a-8dac32d0626c,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0746502-73dd-4bc6-96dd-c82fba402639,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8789dac2-3b17-453d-b62f-e5664f92c88f,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2d145e2-f2eb-46a4-98be-d0cfa835919a,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a6c765f-ef50-4e27-92c3-c92a95aee548,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c694b67e-3d17-481d-b482-8fef97df2b1a,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fbd7d5d-6955-4177-bdb7-449f2d64b86f,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23d30728-a260-483c-ab64-379ef6ee13c3,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40129e46-3a59-463d-9ed7-9463813be76f,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e650c8e0-5d56-4849-b5bf-4a7193c77522,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d66ad51a-5ac3-482e-b6cc-6e80b5a6d940,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1baea92-1c9b-44f3-b509-4bdd5a1a13a5,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7dc3de1-e283-498d-9ed4-4ebab355d77e,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d513e58-654c-440d-ba4f-496663252446,"4/16/2021, 
8:45:45.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6749dcf-4a2f-491f-9dd2-7317a2ea2992,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dcce33f-6402-4e4b-a46e-dce9b06bbe4d,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad301d8c-fbcb-4266-aa33-2843a484c7ea,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\PC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a312db9-3054-44d4-afaa-604dfc516e85,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04992a09-8c9b-4a1d-b8b9-ab2c056bb77e,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be73bb7a-0659-4e6e-ae5c-c7f0c9b93ae2,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,081e8ba2-9274-41c9-bc47-f22145749500,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e7bed15-ecc6-48fd-bd63-002bffa539b4,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c78801e9-c869-4d25-99c4-d17e1b0d4251,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82cb51c3-e734-46d8-b3ac-5876d0d046bc,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca9b7373-f1a6-44c9-852c-9e16072cbe08,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ad60b8-ae3e-4136-b06f-235938f327c3,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a940dccf-37be-4299-bb0f-364aee7e3a4e,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cbd9a9e-12c6-4123-8bcf-071747bc9cf1,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01629912-fa30-4471-834e-d82f167af48c,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04db212c-5dcb-4afe-b9df-e10288a4f0f8,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e53f2b2c-15e5-44c6-a260-18e1ca6b6120,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc068bc6-d1ac-4832-b70c-db9e9713ab97,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4ab10e0-9d67-4138-8699-303ecd9d65c4,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96ea5dbb-1661-4ff1-9b10-2d704a4b6dc9,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b7036ee-3a1a-4e34-ba69-807d170836e0,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de568837-c4a5-486e-af99-5dcc362b635d,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49ffdd8e-1610-49e5-ae60-56c4663f43ba,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,952f5ffb-77fb-49fe-bd79-3cf1b8d7c050,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,054a48df-7fba-42c4-9d16-b862af4a2d8c,"4/16/2021, 8:56:24.737 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c481db70-f576-4e21-bbe2-c21636db8df1,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,152872e0-183e-405c-a6de-a1afa37e88c8,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f409f3f-22ee-4fb5-ae03-219b64186781,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10d43f09-c18c-4374-8901-0460c615299a,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d23eca0a-734e-4490-8abe-0c8b086bd9d2,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ee2c546-ee4c-4ed3-8746-23e1a8e6acfe,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,83b2da25-6400-4b95-96f7-0716c111e650,"4/16/2021, 8:52:42.989 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12204 + 28 + 
%SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1471ff57-c828-4c3b-8f29-50ee31246ffd,"4/16/2021, 8:52:42.989 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,206c65b7-bda6-4166-a236-f8ec55ca2f08,"4/16/2021, 8:52:42.989 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,35fe29fb-9739-4630-a54e-34e3b749add9,"4/16/2021, 8:52:42.989 AM","%%5649 ",0x2,-,-,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b8e0fe-f87b-4b3a-b803-15e119be649f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e57a916-9733-43d4-9fad-b03f62c60af5,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6572cfff-747e-40b0-849b-2ce0c6b1b047,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3462f54b-62ed-4962-b9b8-1bebde7011fb,"4/16/2021, 9:03:48.174 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1311d5c-d6c7-4300-bdb7-9b8336d34763,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86334fd9-4db2-438b-ae1b-721a1ac530e7,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a33b46-f585-4926-8ff1-3f4542971dfe,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467b33f8-e333-4f0c-a39d-a5912420227f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f1f2d2-3acb-4377-8eab-6d3a90a7bf59,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4893f8c7-bb5d-43c4-8f98-7ac44ab54488,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df5017f-6a5e-49d9-93fc-658b1216ac1a,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add226be-1f59-4fa6-a722-d12e0a83ea21,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbe6f05-4482-4e77-92f3-e33f359440b6,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c40056-dfff-4a4f-a371-ce6ec4aad934,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1c9df25-e5c4-4b9a-9075-43da885aed1f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3efe5ab2-e60d-4c6a-a800-0539de63b72b,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14b68048-c72c-4e97-8bdf-d347cd09970e,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d79e4156-5480-4270-8af6-7632f268974b,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4606433f-939b-4a22-a873-f10f95cba320,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f52e7f75-44ed-4b29-9feb-585cefb64baa,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ee5430-5809-4e01-81cd-e71aaed4c716,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9852cef3-4738-447d-bf7a-501adcb9c03f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,76afc70d-156d-4a45-aee6-80e590082e70,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9284 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5ea46f48-73fc-4a8b-92bc-a475e3abeac0,"4/16/2021, 8:45:47.541 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a5a2a1ab-b5b2-4c02-acf9-93ec8ac701a1,"4/16/2021, 8:45:47.541 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a2bbf9d8-e5f8-4157-a971-3e633e5ba3b5,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3256 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bda10e26-ac00-4d63-ad49-aaedbd5f824c,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6792 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,42dc0c83-a1f2-4ee8-a3ac-70fa9bee1a7f,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7372 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a2251656-fadb-48ee-8ca7-7c78fff4078c,"4/16/2021, 8:45:49.263 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,80be981f-6ce5-4068-940c-7f9cf17d7573,"4/16/2021, 8:45:49.263 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4052 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e6109c39-3645-442f-bd40-cbf96f8bdcd7,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 13984 + 84 
+ %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,145905f3-668b-41a9-a23d-452302738604,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9676 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,38f1520e-cefe-4b8f-8345-a6be998a615a,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8012 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,fb606d6d-577d-4b08-b143-00c1fbe84c0d,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15156 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8ecf6918-6799-4ab8-a549-32dcbdc967a0,"4/16/2021, 8:45:45.988 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e912796c-bf96-48cd-8e64-0d435ecd349e,"4/16/2021, 8:45:48.413 AM",,,,,,, +\WPSERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e5f63330-05ae-4a56-bc01-b1611ad4ed89,"4/16/2021, 8:45:48.413 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cfe7e223-01e6-4f2a-8c55-b02bd7bf001e,"4/16/2021, 8:45:48.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96fd52c-993f-4f4f-8699-95a1b4c37b63,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d775854-7c70-402b-9701-eef3d1655e3c,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b78b4b5-8764-4829-8200-388b81aa46d6,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0c79b10-b20b-4c8a-8146-210a25ec7da5,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1f7fcba-8bd3-4d33-a559-c6f1982b3681,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4b9498c-e7ee-4d6f-883f-714d2ead0e3a,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b802ffee-fa85-4f74-9b13-2500fb2ddbef,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca8b9d0-82c5-4aa6-88be-f1ad0bc7b66a,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9764ca4-57e9-4d3d-96ad-b734e48af329,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6721b97c-3911-490f-b097-8f121d8b03a0,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\AJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d94d24e1-1077-40b8-9904-bd27180a6eae,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50377523-691d-407f-bb8b-66be2fffc4e3,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e07e902-ecde-44eb-b48f-1315238e6756,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ff5cfa-bd8d-40a2-a319-12c0a0557b57,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cb044d7-540c-4f79-b198-fd742281d193,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,595d8254-ba89-4901-89a0-2ed911835800,"4/16/2021, 8:45:48.106 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,898e485d-eba8-477c-959a-edec93baa055,"4/16/2021, 8:45:48.106 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f298a93-ebdb-4cb4-bdd8-abd5bfc4a101,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb31019-a992-47a5-89f9-50b5a7580efb,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17c02572-502d-4fcb-9cb8-f7752d2a645f,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\DB2ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2c0960f-7ada-47a2-85b8-fdb93d620ce9,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7296 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0620507-a67d-4ee8-91d7-b9cc642cdce0,"4/16/2021, 8:45:48.106 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 3236 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d8411d-e765-40f0-91e4-905ab8f45823,"4/16/2021, 8:45:48.106 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,761f5a80-97d9-46db-afec-c72871d509bc,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5c87a6f-fe30-46b9-a40f-35a81dbaf15a,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98ba4375-81e2-4f85-bcbb-d5adae7a9cbb,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfcff4ef-da64-4f4c-ab67-d7101bf935b9,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f11af98e-1010-4ddf-b2d6-fe8c8a2d5d50,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60a0de14-beaf-49d0-b834-b5b0c4baebab,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2be7c12a-ccc9-43bd-b78f-de53d80643aa,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57f6b48b-3199-4aa0-8946-4ff153b71b22,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5c4d343-ea51-400e-bbb8-4a7f20e833a5,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a7dfe01-80fc-4cc2-916c-b9c7e27b72e2,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1a66d53-c467-4d3d-b00a-b02a3c239464,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a479b564-7a00-46bd-a2e5-32a310f8732b,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa500497-a8cc-4f97-9b13-99073b47cc34,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07f6c168-edf8-4ee5-ae29-d5367a0ba679,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3156614-ac9e-4f43-88c4-03dd327d8212,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bbad5f5-c615-4234-986e-d9d2c48654a5,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0c8389-bee0-4ba7-8d83-b1dff163531a,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\ASDFGHJKL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4528c352-bad0-436c-bcb4-3ab968465c10,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7100e15c-327b-4d0e-8086-bb1c30621aa8,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36447924-8640-4db3-aa93-4b16f7c5be6b,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99e10179-50b9-4b97-be2a-a26091f4f5bf,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1391ca-d06f-4edc-b521-00f3576122e1,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4804 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fe089730-b63e-47a7-8c98-ffd54806f805,"4/16/2021, 8:45:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,665c2d68-7b7c-4941-8e36-061b070c6e28,"4/16/2021, 8:45:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5f9e5e9-7334-47b0-b314-d6cc231d9138,"4/16/2021, 8:45:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af0e84e4-3a2d-4c6c-8655-49d3178945d0,"4/16/2021, 8:45:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,03205a3c-03ec-42d6-b123-cc0455ea956c,"4/16/2021, 8:45:52.740 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9f0f560e-fc9e-4496-ba1f-e55a22407e85,"4/16/2021, 8:45:52.740 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37e7aaa0-e52f-45da-9698-d4ab76de7072,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad4b249-e27c-4833-8ab5-24fad57f317c,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00157d83-b5e7-4957-b07a-5895d2a7ac4f,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,420b85e4-1fc8-4b32-a306-ea823893a47a,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee48da5-58a2-4560-85c9-f16ab21bdf5c,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc587214-c2d2-4bc0-828b-af7f3ed48b7c,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3c22109-e6b6-4013-8c86-ccea95740a85,"4/16/2021, 8:56:25.149 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abfe136c-bd24-497d-a4d8-ffb0670cc003,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a509fd-7301-47fb-86db-75d3eab31f9a,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8c43423-47e6-44b3-b8a6-c5938a2963f2,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e583995-af0c-412c-8dec-78111378b9f2,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19b6761c-ddc0-497d-ae6d-67061d9556c3,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68c4a633-1119-42b5-a6ff-0fb1437da9b7,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3572a0-f46a-4acf-8c74-8e38a891a6af,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83ca274d-4f3d-451e-ad31-3748a498f44a,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9461954-ecbb-4261-9107-08a09cd6e311,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24a205ce-0c79-44ba-aedb-4d386e126580,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9da0c954-ca08-4d00-bd3c-e24b140b9ce7,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88172891-6710-4ea7-ab63-fc85f437f2f9,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\GJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30e72185-e575-48d5-954c-586076f558ea,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52249cc9-4950-42b5-91ff-da8fdf9f2e00,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eb6d051-f2cd-4ed3-ad84-56fd1f65e6d8,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b150fe-1291-47d1-a45d-41e74bf0b95f,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2ae1453-7b26-446a-a34f-ec7c1babc575,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\DESTER4,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,835b02b2-357b-4d99-876d-b0792101f03f,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,003b91a8-1035-4167-b33a-32a29a1a75a8,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f45e13c2-4642-4d3e-8fe0-07e7d7bba1c5,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,aab129b1-040c-475f-9564-ddc9aa55b2b1,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7cc2a24a-cde2-4d2f-8a9d-c342f196a821,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f4ba7c95-fed1-44cf-b029-49ba0b32325b,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8770b7e4-c4c9-4ba7-a714-42bcd88d5ccd,"4/16/2021, 8:52:43.056 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,90a1fa11-83ba-4048-a4ea-5c468a5b1a10,"4/16/2021, 8:52:43.056 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,d235d386-43ce-482e-9f25-a0a0a2f53962,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,38830a11-1a20-4f2b-bed2-4672c7582750,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8b38 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,18f712c9-7a3f-4306-b28f-635838308213,"4/16/2021, 8:52:43.056 AM",,,,,,0x8b38, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8b38 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,fdc7f754-0917-4e1a-a4d4-3fc6e739066c,"4/16/2021, 8:52:43.056 AM",,,,,,0x8b38, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,433e3edd-0e3c-4e27-b177-b21e80e60d5a,"4/16/2021, 8:52:43.056 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,e08bd6ec-7655-466c-91ea-630b5d7d5bb7,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,80bf6681-bdb7-4d5f-afce-2d1fd5480731,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9a2ddd43-f04f-475c-87af-e16d96fe595a,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14dab4de-d87d-4bf4-9d78-eca8a5471f9d,"4/16/2021, 8:52:43.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,953cf42c-783d-428f-978b-399afe999ab9,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d9ca1f85-b0f4-4f59-be1e-495dc9723778,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e8faca51-1d93-4444-ac22-c8e197c24225,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a664b868-240c-43c9-b409-af37fa91c56d,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e91b6120-5bbd-40b3-989f-3b0852666715,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cdfe8d5d-8a56-417f-88f5-b895642238ec,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP 
+ 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f00527e2-68e3-4502-a48a-d0fdb997d969,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2dbadda6-faf3-40bc-af5a-d7a1e9a270d9,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7fcb58e3-3238-425a-b7c6-5dac161a8d79,"4/16/2021, 8:45:53.049 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a1a42297-fb54-40f0-896a-a2fdca6e504d,"4/16/2021, 8:45:53.049 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,338c0acd-dfd4-482e-8a7e-c46e259674e2,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9ec137f-eabe-4390-a6bd-15bd66ba2097,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9db26bb9-168e-4904-97e9-046d773c4c34,"4/16/2021, 8:45:53.049 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19127c18-7ab8-4d0e-9c3a-feeeb4f4f1cc,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f9ae0d3-2419-4f32-8475-1a45a053b913,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9ca9f64-d6ae-4516-a2b5-a6309c15f4d5,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4600367-b6b9-4387-9e89-f1044fe84105,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12251f3f-539f-4e42-840f-c3b752c15817,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b2ce75-b0e1-4cc7-82ea-fb3e3f6fb124,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eb40f55-cfe2-4861-b921-0c0faa93a4ac,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa152e48-4896-4568-b4a2-d7e654e5523d,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1026115-262a-4176-a6c4-10d28091ef84,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ba8771-412b-4868-8c76-2cd85f72d21f,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ec8a24-b74d-4758-8828-d41944b3327c,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aacffba-bf41-4556-8cc2-03622d26bc02,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a9dd356-9c05-486b-af82-4f1aa77f21d5,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0358a8-1bbf-4d88-98d1-e18c5486f89c,"4/16/2021, 8:45:55.103 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,317637a2-a8d7-442c-bb0f-df4dffd3970f,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10d559bf-7ade-4008-bb7d-34f91adf4fab,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21e92c24-80ab-43bf-a112-9e242e327129,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b18f3003-307c-475a-ae25-ad341166c157,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dbe2684-3a77-41cc-a8e4-5e7262c908c7,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af498e9a-4bea-44e8-9f23-22aa8dbd78b7,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec4224f-21ec-4257-87a4-1505587422b5,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d5cd482-17fb-4582-b519-8b30fef394bc,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90af74d3-8527-4071-8640-bd38755e6901,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f9858e-082a-4e21-b34d-abe0b4f38c33,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ee042e-04e3-4fd7-bfbb-15ae983d2d3c,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e165ee3-8840-4270-a159-b341cbe3a92e,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c856c6f-fa60-426e-beaf-7386d76bef39,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9dc4988-eaad-4f01-bbca-099ee53dcfd2,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40bb598e-cc69-42fe-a3eb-64b2d16ccc2d,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb72abf6-043e-4e73-9d11-ac9afee519a5,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35b2f3f8-59ec-49b2-8dfa-57f5614b3189,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1d3dc5a-8509-461f-8126-3ba3f8bd291a,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a655afd2-7588-44e5-abc5-6fd9e10028ac,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dc3cbcb-b583-41df-9669-bebb23bdf726,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fda5229-3ed3-495b-9520-bf91e5265b8f,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81825af5-f75c-40b5-8f73-3b1ef8782d1d,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6f6523d-ca6a-4557-b086-0930fbce4965,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14fb157a-2c29-4426-bd1f-b65ee1cf984c,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a990ff6-162b-41f9-8900-64ff7ceb9dba,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cc4d3b6-d540-4901-aa56-cc9b92d2307a,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c1ecbfa-eaba-438d-81bd-e357122fdd09,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7359f734-f6a9-494b-9f84-d8edd65f9579,"4/16/2021, 8:45:55.621 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c7a03e9-17bf-4330-baa8-956046393759,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6385376-0b0b-4356-abec-092d955c16f4,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcc37155-c701-44ab-82ab-281b21bef351,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34e03f36-93ff-4613-bcb7-387a28bb6996,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb4cee16-6b75-4577-b747-5406b83e017d,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6531a5f-340f-4cc6-b5fe-19e416a87c7c,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d18ed982-f824-4c92-8484-d23eea04c2c0,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18060173-23d2-44d3-8a2f-3a35d8b3ab74,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74a150b9-148c-4a44-975b-fb54af9993c2,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b9eb789-1d19-4b32-bf6c-5f708c0111e9,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2783c8d4-4040-44f8-bb36-e52b0cde790d,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44cf3196-7e54-49f5-bea4-54e2f47bba01,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,384f0390-d1ed-4c28-907f-7108df9bbf46,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c038dda3-d440-4255-9564-677e616ab6a8,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,280c9d64-00aa-41b2-9c36-e1957137c4b1,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b445fbc-4363-4107-ba6a-89a9acaec7e2,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba9251a7-4349-4919-960b-3c8791d7b7f3,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,933f0488-d27b-4c7e-9fce-b36240bd38d2,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8007002d-af95-4886-82cd-7152eba57b3f,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8607d0f-6140-4058-befe-88e674f66be9,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc079d84-09ad-4585-b0de-cb799c888470,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c52ce30a-4600-46a0-ac31-a4584548a849,"4/16/2021, 8:46:06.618 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6762a8d6-99ee-4c03-9571-df6618152dbd,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c66680fb-0e2c-487a-95cf-3b5ec34cdc76,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1e65597-1e0b-42af-a913-4b888b611c89,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9193448f-3bdb-44ae-a254-d075aa502551,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,882616ad-6a96-46d1-ae8b-f30050b3aa05,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61ab71b2-1da8-4b38-8fcf-7e3e9283ed6e,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8dfb22e0-6823-439c-9ac5-9d5456e77a4e,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,422d43e9-3930-4621-b76d-c0bc9e57e230,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d47ef60-29d5-4883-af37-24e1cc624086,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,ab3e0cf9-7384-4a4b-a142-c7b71079db4f,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,58069854-473f-4fee-98e4-deb8049e8a0d,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,931e2408-73db-4332-94d2-f2b33e8d18d4,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1328 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK 
DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ac9ed78-cd9e-4796-8b97-e39d0872b027,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9872 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d8aa1f48-efcd-43e5-9be8-ba63b02df814,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,37fd7ce6-2802-45b8-89ff-9eab8dc87483,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3596 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process 
was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9366b463-3df8-4dbc-8e98-507da6238d75,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9824 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ef9b1886-6fb8-4213-a1d5-1f17b5af874d,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4516 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,92cf682c-ad3d-46ae-a42d-67354bab7c4f,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e48f98bd-3980-44d8-bc99-dd09b1225790,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,beeb3403-6b2e-4c8c-ae59-d6010a46d785,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,af204e11-a680-4e19-bd5d-8f9fada7f090,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9752 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7aa7359-0820-4261-ac43-99d1d1791022,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6200 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c0c7238b-3f62-4c04-85a3-ff3b29f6ca6a,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fdc8350e-7847-4275-ad01-008de8ad2229,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 3932 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,46159227-8f49-4a80-8514-9af3f87386e7,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9212 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a5fa41d2-7ffc-4f7a-a848-4c8d761c6c4f,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5564 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,03e45852-f7c5-4b6c-a564-caf295a4f96d,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6536 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + FF7B647787C49A3CB19B63470B8958B6FB6162AA4EC4B03E78AE1F6AE1ECFBF3 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.14393.3564 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1c3e0899-3768-4566-9f5e-2b5e7e16ee0a,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11004 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.14393.3622_NONE_7EE8048822057142\TIWORKER.EXE + 32 + 5529E1D5191D7E786D8395381584628F04EAB2687886D41DC981B6AD056305F3 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.14393.3622 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cbb8c2c6-3074-4637-8281-0836abfd17fe,"4/16/2021, 9:03:49.416 AM",,,,,,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 10908 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5bc96799-ed3d-4420-9d82-0950a2a8ac61,"4/16/2021, 9:03:49.416 AM",,,,,,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 12680 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3f504cff-16fe-4412-8cc8-8e906ac2153d,"4/16/2021, 9:03:49.416 AM",,,,,,, +\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86a330b4-926c-447e-b0cd-c47d30ab1d95,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1d78e01-0bdd-4a4d-8e9c-019f44af0b6d,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06cb34a6-fec9-4187-895f-dedff14ed663,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d71dc8da-e7e7-47ec-87bd-1139eb026f55,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f40d658-8bd2-4c8a-8325-a01b7f5a4c9c,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41f91438-184c-455b-8064-741e68a016b6,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d61c5ef8-3793-4bfd-a3ba-0e43af0123b4,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab785161-22d3-4462-824c-f621bff922e1,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7a67e4f-d9d6-4dbb-9c51-5385df46d515,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,953af1ec-b246-4f3f-87e8-e878ce15c4de,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b9e30a-b865-4221-a686-c69a051f19fc,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c98f957-b3d1-4dee-bc5f-23c7f8283064,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3498265-56f0-4c00-8fa5-12997278bb74,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41e01990-ea88-490d-8cc8-b03b9ef2af34,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7af06a6-6c33-4eb7-8e36-e862f0b54493,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41e690b8-9738-4989-9afd-6041c1fcfff2,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,342da179-0242-4b81-9965-85b8e8058cad,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,469005d1-37e1-4d1d-9644-a9f2a4a4e2f2,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2044a7f0-d0e1-4fdb-8772-023bfc10db10,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac3d64d3-401f-4b2f-8c3f-489496262a40,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7a8d883-362f-40db-9794-6f7b34dd7e95,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,531374be-02c6-425c-9908-439655d26ca5,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1c00cb6-8d0a-411e-bf97-26e96f26e2f9,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a5aa128-014d-4594-a1e4-4d69002ec85a,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91fe9cba-a943-4498-97f7-c12c337cf170,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4274c696-b765-480f-927e-988cf299ff99,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb61df0-d9bc-4d8a-9f72-027e64f84975,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d6d2a45-959a-4893-a24e-f668334a91e0,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ef428f7-7b27-47ff-9104-e106249d44e1,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a7157c4-2ed5-49d2-ac06-b0f17b8b81a7,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa3f456-d28b-454d-9a8d-d0b853ae6591,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf6c72e8-242a-4f8e-aecd-75ed2a83a23a,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b017687-2baf-4bc7-bdec-d9a5eed6c9b0,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e60eae-b77b-4c77-896d-b0387866148d,"4/16/2021, 
8:46:10.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc015a07-d3e8-44d5-9fa4-0088b275257f,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c257304e-1145-43ef-95cb-170a404482fe,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8e57a21-deb1-4e21-a317-5ae1278437b6,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f2634c-b179-4532-a26e-ef2232aecbb4,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d4c88b8-0e45-415d-8526-beb6d822ef06,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f999fdf-43d5-46bd-8c66-ae57539a874d,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd9276f6-fee8-4467-b2bc-1735a11b4ba0,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd91dd8a-32fa-4be9-bf48-c75c24ef617e,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,930cd4f3-8713-425d-aca3-5c164691adeb,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d87a93c-15ba-4dd6-a798-9fc4f8f1da3e,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,109455fb-5ab3-4021-b33b-306f41d3c377,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec18fcc1-c2c2-4abd-b069-91642d3efa6b,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d3a4f51-ac84-448e-96ee-e4fc1af7d010,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,311199f5-802b-494f-89bc-183bf5d81b44,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,92cf05cd-acff-422c-98b0-e243e47b3dd5,"4/16/2021, 8:46:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,01d0f49c-f98b-424a-843a-66cea34c8967,"4/16/2021, 8:46:09.860 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6640 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d083414-c888-4c78-bf88-87ec33406abe,"4/16/2021, 8:46:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4956 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,56ab36f0-d14a-43e6-9bfd-16e41b039a82,"4/16/2021, 8:46:09.860 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f3781f89-22aa-4414-b285-0265787dff08,"4/16/2021, 8:46:09.860 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3c6a4091-3a56-475b-8101-9e566c116d46,"4/16/2021, 8:46:12.868 AM",,,,,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3461322d-94b0-4e35-9e55-2d6723c21908,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 8944 + 23 + %SYSTEM32%\GPUPDATE.EXE + 32 + 4E2D85458A3020FD0DBFC227C5779B02C4E80437A5BAD96766B0FAC8D955615C + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\GPUPDATE.EXE\10.0.18362.1139 + 0x3e4 + 32 + C:\windows\system32\gpupdate.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,516f5020-e088-4091-a0bf-eba5c8c5c122,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 11900 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e4 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,65e7508e-6a06-4d59-94c8-cab0729c5c0b,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 15060 
+ 53 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE + 32 + 86AC160930EC07CC4F9998073167D40A5E5A6486CD3430EE0F9837DCD0A73CD4 + 100 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CSC.EXE\4.8.3752.00 + 0x3e5 + 55 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a187982e-2ac7-4fed-8303-ea8b289875eb,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,eb56e0f3-aa90-4ccc-a913-b65a71a20846,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,19e83219-5bf1-4ef3-b97d-36978ae88582,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,34533559-d511-4dd0-9fee-e0aba510d04e,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6636 + 56 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE + 32 + 9DED0B484DAB4C855638FF211AA738AB5ACFE45E12331060A363F0FC33FA365C + 106 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CVTRES.EXE\14.10.25028.00 + 0x3e5 + 58 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,be83126c-c86f-452c-b582-aa30774efbf5,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8072 + 53 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE + 32 + 86AC160930EC07CC4F9998073167D40A5E5A6486CD3430EE0F9837DCD0A73CD4 + 100 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CSC.EXE\4.8.3752.00 + 0x3e5 + 55 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6b8dc5c2-cf25-422f-bef7-3336a0b05f14,"4/16/2021, 8:46:12.868 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20bc288b-b018-45c5-bff3-d3964e0b5a64,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\OVC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84edee9c-7b9f-47cf-a605-262b2142cbe1,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5340348-b27b-4deb-bd3f-84a59f0060f6,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0ffde17-befb-4293-93ba-be38594fdd18,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5bbdd85-f128-454c-af3b-2d7a43bc96ab,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf786db9-cd43-4ec0-bdf7-6958471611a8,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\WPSERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1082cc71-a748-440c-bf02-e287fd09d385,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2eb0e826-89a1-436b-a26f-bb24c5ce07f9,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e118b5ea-74c8-4f9b-a684-171ecd9065d5,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96b79c3e-40af-4aab-9572-915f86043799,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36420470-3d87-46cf-820b-7848c355b32f,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f78547e-cf15-43d3-99a2-2ff66fee7300,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cec0771-6110-4bb1-9d81-06da29e9108c,"4/16/2021, 
8:46:14.602 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,468c58bb-b832-441a-99f6-2600fec2953d,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bdd5d14-4a98-40f7-84f4-3f32ee32e7eb,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53c6c53e-6919-406f-98e7-1be477d32798,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8533f19-bbb1-43d2-b8f5-40e3e4164113,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e701f77-05e9-404a-a7c0-8b43ca2a70e7,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15e8ce0f-a193-45c5-a7e1-76f04ba99495,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80b621e2-16eb-4deb-89ec-476f67b72500,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f90d890-6c16-44c2-9829-9246a1e6d774,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d041adc-8682-47c9-9cc9-1ca5e4953b24,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99425a26-5ceb-4f28-8f9f-7df42b8aa748,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd66353e-1117-4b09-a7c8-ba5a28296f90,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7576abc7-bc20-4f2d-b3d1-9d4f33cfb245,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fe7f94e-dc99-449f-aae6-ab7a2bdb9618,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,601b24af-2de2-4dba-821f-f728e47d23ab,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d4e5e4e-473d-4270-b615-7fa78e9b2e64,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c822d31e-4208-469a-811d-0ff433e1e950,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b4eefc-7fcd-463e-98c7-5d7cce7ecc7f,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddaca78e-69d4-4d7d-9660-29bdfc27551f,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a43b626-666a-4c1b-9eb6-46b0f4e5a526,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,565b9f1e-6a87-4d3d-97b3-843a5196d0d8,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b0e9fb2-b673-4f65-8e9f-9a56476e9ad7,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5548da-1021-4e83-98f4-9da091b4a20e,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0401b32e-63d6-48b2-b1cb-5afbeee39fd7,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80163434-72a6-4a72-aaab-a8f9b711c8b4,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64c6762f-35e1-4294-9d25-71914b4350b1,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0356b9ae-d2b2-41f1-8e9d-3b41b2848df7,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b57646-6a8e-487f-928f-24acd57d4e98,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00a9caaf-ea06-4d23-ad75-9f1608537e9c,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa41118-c410-4832-81d3-69489aabb674,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51988c98-88c4-419a-872c-343bee000d9d,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af726e4f-b860-4941-8050-bc31b45f55cb,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1525b2cc-c114-456f-9ec4-c8db60ee825b,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13d4779b-05df-4d74-9aa1-c61b6f80cc43,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38754537-4089-40ff-82ed-d34390cb713e,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2ff47d4-6840-4450-8b53-f245a0ce7535,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a59e25d9-d82a-41ce-94ce-42a84791ab09,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cc75295-9dc9-4cf4-aafb-2839ab624192,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f76082f2-a638-4a26-bbda-c264aab0e519,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f11a89e-33a4-4639-9e91-66c8278471ed,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5efd0709-3c95-4a07-b7a2-08a6cb3a479c,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5f037d3-e7c7-4935-a402-43ba1a8ba452,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec0d6a76-9303-4f74-a483-e6dee4707180,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d472a76d-e0e1-4946-b833-d4f95e66db78,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50326f89-c0ff-4537-9c44-b391da5a6365,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70d9e9f2-5f93-410a-993a-5c62b1bb82e9,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e1f55bd-3172-4d89-adb5-dc6ce0da6d0a,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05facc0c-6839-4102-b8e3-dc10d9305541,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f0e529b-6080-4cd3-9061-3072302b7a80,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebcb510f-773c-4ee8-8ade-9b8f518c6988,"4/16/2021, 9:04:08.680 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa30aaaa-3e2e-4328-a941-ac8d40de5b5f,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1426d4ba-8e44-411d-b303-2e56c20f4678,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d44c6dcd-43e1-4a03-b641-1ede21a85cdb,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78e79fbd-a2c9-4478-8d80-c06d42153613,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c0cfe54-e2a0-4c20-8773-25c1b428577f,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81eabfd1-ab24-4f50-bebe-0ae0e96f6ed6,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 
+ S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0a538e9-e3a8-49a4-b048-a6ab241be870,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ba1cbd4-f3a7-460d-bf3f-d9ddca31bd3c,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-503 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9eb77083-022e-436a-99ff-802adf16e810,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-501 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f611a9d4-1b0e-4075-ba30-1b678b47157a,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was 
enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c82062dc-279c-430a-b15d-37ba31e55705,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-504 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c30caf6-f5e9-4fec-be50-fe05e8bd8737,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9746e2eb-30ee-4681-8123-5cc034ba5308,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65d98bf9-6856-46ba-9c91-f87b8f62b7b4,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,549e70ff-85e0-48c4-9741-4ff2b79fcf01,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00cb31e4-eea3-449c-96dc-2b83bb4105f2,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's 
local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3baf03e0-2f08-4181-b5b6-a07ae149abd6,"4/16/2021, 9:04:08.680 AM",,,,,,0x0, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3f94bdd7-bec1-4608-994f-7fa53c6db57a,"4/16/2021, 8:52:52.737 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cce0ef6f-26c3-4b34-a694-ff2b429b473e,"4/16/2021, 8:52:52.737 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,230fdb74-cbfd-4a03-97dd-8cbf5379a11b,"4/16/2021, 8:52:52.737 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,900d35b6-602f-4779-9b8d-c34f71375fff,"4/16/2021, 8:52:52.737 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b22ee61d-b048-47eb-b406-c427a33de5f6,"4/16/2021, 8:52:52.737 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,706c9064-fde0-4fe7-a248-f6eddaf0ecc8,"4/16/2021, 8:52:52.737 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ecd913-66eb-40aa-82ca-e8ef1555f8e8,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,905f1df6-6bd4-4a39-b1ff-ccb146f8582d,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60be912b-f1c3-43e1-8ea5-68c4f1e9c569,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\MULETTO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80f2cb9-7bb5-480f-b54b-46ce64c5a69f,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,899f8e94-47cc-4655-8c64-777b90d66c77,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26f0786e-bee8-4f87-8647-c13886678a78,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f92920-0ff7-4e34-9f48-5e65eb8fd577,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e65797-82b7-433d-853a-7ab6d4626deb,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c810c6e9-89fb-407b-8239-fd8c7ff0520a,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d645b626-d120-4c62-8e93-7edadf52e084,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a364bacb-04a9-4223-a2e4-86e1197641bd,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8dd3522-7bb1-4eed-9865-d39372262ec5,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c4e3eca-8666-4e40-b074-666db06231b4,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb90f5a-ace8-4d2a-9492-3093d91c4e0e,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eeb1f6e0-ed87-4b74-96f7-e6070baa6a26,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a7965c-bfd3-4991-9369-80eabc305fde,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f55b8f26-ed15-4ccf-adc4-160f6132dce4,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,584247e8-ce14-481f-96ac-c02126e8e600,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0238e029-14dd-4500-b8e0-b1c4d39306e4,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6baef184-762e-47f1-bd5a-b05af84ea0eb,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3167fe54-babc-4927-9eb2-3a42d54b5d7d,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0105625a-4a0e-4e49-943b-2d6dd6f4f23c,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b6eb1bd-2751-4e7d-8d9a-3d076dd3193f,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d3b0fe7-da9f-455c-ba5f-b9fb379d696e,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74a09fc5-6931-4577-8d0a-14f6407fec2a,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39f0eb4f-20fe-4eda-b168-4b546e76bc31,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ACC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60bd466e-c7a3-4e7c-abed-54237082b85e,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,302e4d66-5403-4eba-859c-aa409fa97090,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0ad49d6-8a9e-42d1-a09f-55a87ba78d26,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,597a0102-17aa-4145-a11d-b77dc9696cca,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4acdfc4e-815c-4da9-94f1-9005204717a3,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dd6f971-899b-4211-ad11-a4e7964ef7ca,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2537d9eb-92ad-466c-b7c0-ea5bb8ac2b0a,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3651feb5-8ced-4524-a101-ebf904d25229,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3041eb53-0000-4e60-83d3-d37d31cd14fa,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2923c18b-0ddf-484d-af8b-7e1b1769b237,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af079ae7-4f79-4a69-95e9-b258fb47e37f,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3aa8511b-ff6e-4086-b2bd-f7434f91f28d,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fefb8996-b0ba-406f-b5df-435ed435ebbc,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb1b26af-7182-4635-96f7-b463362fcb3e,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c25f1e1-152a-4147-ad9c-e107935ce28f,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,034ba8bd-0ec0-4207-a736-6376b485b887,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce89e299-c64c-4168-a824-bd35f025a34b,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57bc96b6-ae16-4356-bf64-425b630fe3c4,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34526a17-c6df-40f8-bdd0-f785438fa9d8,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b5e0ec6-1d23-455e-aca8-6f729b7843bb,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62c8b990-9808-4ac1-b61d-65a2ad71359d,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27816f96-a51a-45d7-8e5b-346fcbefc520,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,571ecec7-4dec-4c68-a59e-09f1e24c407d,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,55d07552-9cbf-4160-99d6-07ad42a8461c,"4/16/2021, 8:46:18.920 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,32bbdfc2-4e20-4077-b6e3-7ddfa3fc13ad,"4/16/2021, 8:46:18.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6876 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ec2d657-346c-468d-923b-813338f99f4f,"4/16/2021, 8:46:18.920 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10548 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e3da754f-9af4-4bda-90fc-2c9f68cea745,"4/16/2021, 8:46:18.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5280 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a527daf4-1e51-4301-a4e8-cd11e5b799d7,"4/16/2021, 8:46:18.815 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba76bd50-d5b1-41f8-97f7-7b0fca5ef5a3,"4/16/2021, 8:46:18.815 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,d4d1044d-29fa-445b-ac01-29a04f05aae7,"4/16/2021, 8:46:18.815 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,acda2c8e-98b9-4f3d-8e3c-160c3abcd296,"4/16/2021, 8:46:18.815 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7028 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb725146-8d92-46b9-ae0b-2990a4634353,"4/16/2021, 8:46:18.815 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,41bdcd29-f112-4506-bf95-4b6ac06b5db9,"4/16/2021, 8:46:18.815 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c6c27074-0484-4fb1-bda2-1f2d70e4ea32,"4/16/2021, 8:46:18.815 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a857e68-07e0-44da-9ce3-b6a36d414caf,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,337942b8-e3f6-47e3-876c-f64ca3c40421,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c71ddba-1af4-4eca-ad85-dd049d3e83a6,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,859f732b-11d6-4642-ba6f-88fba8869147,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4b7ec39-7e69-4059-ace1-48d60ba42e79,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72169514-f9d4-40d7-8327-fc58f50bac37,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a704aad9-575c-4f08-ac00-2f462715059a,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdd0fec6-fa95-43b6-bede-6552c7830eb2,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,797ac411-2269-4691-b276-f635b566a335,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,878680bc-e47d-4a7a-bf7b-6a0fbc087586,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,857fa38b-8b69-419e-bade-bbf9496eb2a2,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae31d485-15a5-4d76-97a1-d7e8e040b9d3,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,877fa24b-bc7c-433f-9004-c73934393c8b,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2deeb11-0739-4368-aa28-ca5072640971,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e3a3c4f-f9ea-43b4-a350-aa7dec7ce8c4,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b970d58-2cee-4a95-af7a-6e76aae19d6b,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b05b1600-65c5-4760-80d3-6fc7bab94814,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87e43168-8e0c-4405-86d4-60b8caddb122,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,688a9993-40f4-4380-94e6-fb973df75bb3,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a3796d7-e99b-40e9-a004-1a06ec39d0d2,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8617b1c3-393d-4a86-aab7-68b4ed9dde9a,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f668295-f45a-4f51-89c0-2241760152f9,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fa1b7b0-cd0c-44c8-9ca1-dfd0718e306e,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ac81e9f3-9e67-4b90-8fa2-f8027d1cdee9,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fd046fef-9f84-4b2b-9f3b-39fa8e958e48,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d18498e6-9656-4add-b4cb-a252cf76839d,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c983c5f5-601a-49e5-9a8d-7153f68ed4a6,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft 
Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,35d30f99-9cc8-4c56-84a0-6ac06f8887cd,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5d7e9917-8b1a-43a6-bb58-6534c4650e2a,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fbb11d53-4afd-45b8-ac99-5e5bfa64dcab,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,49f27d4b-ff51-45e2-a169-af034d1bda31,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ac05673a-0f01-42ae-8d91-c094b622c712,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c3a73a32-d7a8-4271-af69-e854790d3734,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b6c21afd-c6b0-49c4-8cae-d67ee6063b18,"4/16/2021, 8:46:24.052 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9d7648bc-a656-41d0-aad1-fe9a585a1627,"4/16/2021, 8:52:58.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7af53679-e772-4eb0-8edc-3c3cc5645b60,"4/16/2021, 8:52:58.587 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,81d36ec5-4a60-4fc8-bf4c-d7d4fcbe7334,"4/16/2021, 8:52:58.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3224 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,31457aeb-1936-4399-8380-9bb8c2a1a81f,"4/16/2021, 9:04:12.241 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a34f5be9-d2d3-4dac-a585-7d39087ac04f,"4/16/2021, 9:04:12.241 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,628d115d-b49e-4e80-8dfd-bd56e34ebbce,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bbc8402-47c5-41d0-8ae4-9570dc17713f,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08243fa8-d1e1-4a30-a448-b7cf9a7d18c8,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba9cae2-7d27-4f1a-9be2-55366dad6b76,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d41f05c-6935-498c-b39f-f61858bc9365,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5772de35-2919-4516-84b5-baa32cfb7d78,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,420576e1-0bd2-4a80-9094-4d1413d4d00c,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0d3dc10-c1c8-43f9-9887-8cf4cb2dec41,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a46622-bdc4-4e4d-9524-fca7850333ab,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9d9e6bb-9d10-4146-bb3c-8b006b283b6c,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b97e5b80-c3c4-4a34-b057-696289ab44f5,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec2e75d4-9a7b-4c19-ab78-3067057a3af9,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36bf9831-8a20-4b12-ab29-a80f83989bcc,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8313006c-132f-4e34-9fe4-787bcdd648cf,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ba4d25f-b316-450f-9a66-397e393931e4,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,058dbcdb-3ab7-41ca-8b83-827924835738,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b3f09b-0770-43c4-a7a6-3aa8503692a2,"4/16/2021, 9:04:12.241 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc39ef2d-dc81-478c-8fb5-3776026df166,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f89c01-3318-4f9e-bbd3-6ff71c774a7b,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34dae2f0-a8bf-49cf-95b3-b060551e1b7c,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,544b4b63-7c03-4174-99cc-28ac61950922,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c0f8a63a-a160-49b8-8d3f-e1c6def6ca32,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e34ddbef-d60b-4f86-817d-55dfcf5b56f8,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 
+ 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e9799440-0510-478d-ab0b-7e2870eee295,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,782721b7-45d0-49f9-97bd-3742ab4ae9da,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b47b713d-cee1-402d-b57c-828ba53efeb5,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c0234516-d31e-4953-9c2d-b999616bdd7c,"4/16/2021, 8:56:43.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,38401673-711d-43d8-8036-d63a5b4fa27a,"4/16/2021, 8:56:43.052 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,50ab5e6b-367c-487b-9903-68b9a06b07c2,"4/16/2021, 8:56:43.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6750a66c-0336-41e9-a8fd-b9080da2366f,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd12588b-f365-4210-b3e9-bedd98c5153d,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7517bb-c57d-4058-9b93-fac0185c2b9e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e984beed-5cff-4994-944e-1d784c2d59b5,"4/16/2021, 8:46:27.105 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddf9518-7b6f-4e4b-ac7e-b427bbd5461b,"4/16/2021, 8:46:27.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcd9c00c-5fbc-4da4-b367-fb03c74767ce,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4020 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f4ca4e0-8909-4cec-bea2-62c9033dc3a5,"4/16/2021, 8:46:27.105 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f43ce84-0ee1-4e9b-bfc5-48a90bc4666e,"4/16/2021, 8:46:27.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115d9ea5-0964-415a-9a46-5f1fe779bd39,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b41068-fdf6-4c4f-b0ad-bd40f32d8056,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d488fcba-1279-41ae-b497-906c2cbac01e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c0ff5e9-407c-4161-b119-8bfeab1b053e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f784011-2397-4145-8ea9-e04aa028834a,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a378153-e805-495c-a340-16a9ef58a892,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6810edd-4728-4ce8-ba55-af5adeefa49e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b732eddf-3414-415e-82b4-0d78526549df,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db0febdf-cfe2-492b-bb6c-01fccdc74210,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb78902e-459f-4303-8a71-5449f8624710,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d18515f0-5a17-4833-824a-b8d00b5bcc77,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0629886d-1987-43b5-91a2-ad9ead7107f4,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,112b014a-2648-4ef0-a4ef-02de98f074ce,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36944be6-bfe4-486b-b41c-456e25dc2fbd,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,629e5ae2-bc5a-4c77-a1d6-7810eeeb85e3,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbf0ae89-fc9d-4dc3-b0d5-651ef1202e6a,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f78508e-fdda-4802-92a3-6f61ced5f8a1,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02129a66-b2eb-450e-804f-3365eb3364ab,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e1cd294-031e-4bc7-801c-9696bd2ce453,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52fe8bbc-5888-45c7-b2a8-6540749630f4,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd541eb9-28ff-49d6-a013-c2bc18830dc3,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f1c912c-ce66-4f15-9ef9-7908b67e0a22,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcbc98c9-28c0-49ca-a934-1344c6c77463,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e29429cc-6271-443c-b4ac-7a5311d34531,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b1dc493-1f30-4f6b-a45b-d2689ca0041d,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59c44338-d7d5-4f0a-bac4-16276be31446,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0d703ce-6434-4ad6-baea-ba6fb4815e84,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c87a04f-3838-448e-bddd-083bb05b93a6,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89c9c20e-aad3-4e0e-9962-6e9e20003c54,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71b553c6-e6e7-4ff1-a838-6f568da5d565,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,3556a71a-e145-41ac-b8fa-31cecc6f9a6a,"4/16/2021, 8:46:34.104 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfaf5379-b642-46e1-8746-c7c21392c019,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30e1de66-3504-4f89-be97-647cecc65673,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63a2c5e3-583a-4607-9faf-6a58b8f4f61e,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d517748-79e3-41df-bbc2-8d4868fd18ec,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,975e35e1-c9ac-476a-96b8-677e4932dbe1,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48d89956-d4cc-454f-bab4-13d10363b78c,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310c154c-a9fa-413a-9bda-aba2084bd38b,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06f4a847-29e9-429b-9bff-c98c28334461,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb25147-f14d-4e48-899e-fc670427cf1a,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5744e340-c70c-4f10-a569-d47ebd0b0afe,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,16a04c8d-358b-4d8d-b5e9-ddba0208cde1,"4/16/2021, 8:53:02.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e179f012-17af-45e3-b4cd-113aedf47a74,"4/16/2021, 8:53:02.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3ab6ac3d-f052-488b-8add-55546191f0da,"4/16/2021, 
8:53:02.410 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,877656bb-c85f-4e13-8563-9513477c04a4,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fa1212a-0e77-4d5c-bd7b-c64ad8c2c8c1,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86d1db40-50ef-40fd-ab2a-d17556ba8cfc,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cb4d86c-d556-4074-a208-c250832570ae,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3562544-5ddb-4ec9-b003-79e99e5a25d1,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2deb80a-c366-4177-a0be-f38907a863c7,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,323c4553-08a1-4dfe-8841-832abd06a96a,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f54777c0-c7b8-4c2c-9676-3021b440fd45,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1bd6394-df1b-4a67-a331-468bddd475ff,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d55e738-2e33-44e5-a52a-95d43f18e51f,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b21891ab-51b7-4f08-a9f3-58e147c5ea25,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c66adb36-b018-4173-a816-46e686d2f688,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be73856a-c10c-4b6b-acbb-90ad625ff90c,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1384f7bc-ff3d-4886-8732-c042e66f270a,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3599879-c862-45bb-b117-2789a4d14da6,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa77f962-9f0d-497b-96e5-a034ee7e6a69,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b699dcf2-4e58-468f-9f37-4a8847b50a09,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e05dc979-6999-419f-9e8c-1fb5b63fc3de,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0728ad73-c7ce-4ad1-a11f-9985b93e6c4f,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53a42bd4-8969-452e-9771-516bd1494347,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e750c14-01be-4173-879e-7ed872910763,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60e589f5-86a7-45fe-81ba-81c1ab421bb6,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbd4949e-53f9-4322-8780-acde79eb9591,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4521f6bc-abbc-4724-ad59-c99bc2997b37,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,951f8ffb-c136-40c2-a914-189fa5a59a50,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1836fac2-6d52-40a8-8db0-bf29be5bf030,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47afcbfc-79f2-403e-af18-0d90e09d365f,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb5e67aa-8c62-4c79-8c20-22df51eb3168,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97d7cf2a-f13d-49ec-9b48-ae769fc1e8a9,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a06f0458-ef1d-42d3-b5cf-711244c643ac,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae6026c3-4f85-4adc-aa84-73501b5a4111,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf2e9a6-8374-4a6b-8348-942d66ca2758,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e08337-f5ce-44ce-87a5-015c2a814986,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,536d7094-ad2e-43f7-8e13-e336d831e492,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c914540-83ed-4634-94dd-de926ce391e0,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ad326bc-63dd-4ac5-9fcc-e246f327c7b7,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62155f9a-8f9a-401a-a8cd-c3bd92802546,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccbc6ade-3fff-4da4-bd37-8f4893d2430e,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f4045c2-a045-4698-9226-32476739eb8b,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30d4be58-5b66-4c67-8271-c5d0ca8388dd,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa1e7dfd-b4fc-482a-bdfd-e06f228227e7,"4/16/2021, 8:46:40.105 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34eed136-6264-41c8-b82d-663fdb5c8cae,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad26e36c-9da9-4de7-b959-7c6d1ecdb8fd,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86df0976-d5b5-41f6-af95-496aa8aaa7c7,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 536 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83ea803-c11c-449d-ac0f-fcaa6b8e8fbd,"4/16/2021, 8:46:40.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad5cba91-d360-4df3-a0b4-4ba5980f6426,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58d3ecca-8fbe-44ae-8c95-d5cc332bbef8,"4/16/2021, 
8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7960710-fd71-4bc9-9f53-b3a727caf2f8,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ac759e3-9fbe-4a3f-8e83-0116d59f33ae,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d68cb4b-a5fb-442d-a9c2-99d23be7108c,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84573fa9-b3ae-4eed-8819-02cb8eb43f36,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\ADMINISTRATÖR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0233d71-cc13-413f-a4b4-7595ed02b016,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d4c7e4e-42fe-492b-b12f-af8d3202c0ca,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ad2fcce-f398-4b38-b349-31ef62b2ae52,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d86c9c9-b0e7-46b7-a40f-1ef3cabc302b,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63c40037-e3ea-448f-9d25-aefaf6f29539,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f99b06a2-f73f-4a72-aa30-b772d3f77af1,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be89cc82-48be-4580-a06b-170b1d5ca848,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc3cb1ad-866a-4915-895a-3172cbe9d2d9,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,242c7882-2873-449a-965d-d44d39fe63a5,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c82a660-e12e-4b4e-bab9-f927d7e1c89a,"4/16/2021, 8:53:09.690 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d79a64e5-1bd5-43eb-b4a4-a95876cbe475,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bd537c2-4a1e-488c-89d8-914a0098d8ed,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da4190bf-918f-4742-b53f-dfba483c1972,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79cf7b5b-63a8-4f29-8f5f-8eeecb7bdaaf,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35e68376-c979-44c9-b089-ab88d7fa19f1,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a58468e4-f475-4559-965a-e99cf99348ef,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8309cb51-5685-4872-934c-a4fb71cf52e0,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d728609-32a0-4219-b839-5987ef70e9e8,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72326f90-8943-43d0-922a-4217c3131c3a,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\DXX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f5808e1-9710-4390-81b2-aa92e47b17a1,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\DXY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64e1870a-7da5-4289-94fc-09d57db291bf,"4/16/2021, 8:53:09.690 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b07022-6459-4ab4-8850-47519680a067,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1189fd4-d56f-4f9d-b11b-45629919a851,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ODA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d3a3adb-f7b0-40fe-af44-eb30ed8b6c30,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1421d61-3895-41e8-b6dc-33edef1f0fb7,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21949dd5-e6e5-4bf6-82a6-fa02bfa29707,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5414411-9f6a-42a7-947f-4a3703d52c0b,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c65ecd8-404d-450c-946a-ab7482f25217,"4/16/2021, 9:04:25.121 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,28eb67ef-62a3-4d60-bd0c-5ceffa746541,"4/16/2021, 9:04:25.121 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e07db90-4506-4d78-9cfa-0b18f0e66d5f,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d64643f4-96a6-4d5f-8856-b2ee75d0f54e,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ebcaeb-b581-4baf-8ec1-7cef5e3a421b,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3838eb-1fa3-4b0a-8f3a-bbaa95445ad1,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1636 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29cfacc6-7dad-4296-800c-761badc8e1c9,"4/16/2021, 9:04:25.121 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29c01b33-2edf-4913-8805-375c2529a8cd,"4/16/2021, 9:04:25.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95d6df1d-72b0-43a8-a5db-756ab86f608a,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ee7b14b-a77a-4226-a5e4-4125792f693d,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e8311b4-80f9-4b17-a572-dc13e83bbacb,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f42a7a6-2b44-47ba-96ba-72add2b664b3,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62db7137-409c-4ef6-a612-189793500c80,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b95e28a-de69-4476-bcfb-daba1b851d0d,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4ea982f-c3d6-46c9-9b26-15540ab7c059,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b4084f6-c2e3-4a45-b269-e80b61974732,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00039051-5191-47c5-a616-ba4c48d7e054,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19eb1084-348e-443d-a118-f6aeeb74ddcb,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fed4a089-ccfd-4d4b-940e-05f74a11a0b4,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b629e81-876b-4222-b65d-8abdaf156dc2,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58db2a12-b6bc-4ec8-b4ae-bbea68a0e187,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f0b2938-8f28-4a7d-86c7-2e23c6297045,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae3ca937-46a4-403f-bcd3-eb5fd3956f09,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,010a9ead-1803-4ae8-8048-3ab236eca3a7,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ca7326c-4582-4a0e-9f0e-956a3943498d,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16212ac5-6dfe-4331-8ec4-6add061cfaa3,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39695573-db10-4e22-9ea1-9932e5749951,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bef658b-b974-4905-ac7f-7a9ee24d9655,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4c7d409-1bd4-450c-907d-845b0c91f7af,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de15d7e5-2871-4750-9ff2-f1edf65eccba,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2e89c42-0764-4deb-a481-693999e62389,"4/16/2021, 
8:46:42.608 AM",,,,,NTLM,, +\HELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3586a552-5d42-44a0-b04e-61bf20a04deb,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,455e58d6-7132-4336-8692-30f58aa1592a,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,681968a3-8b71-41d2-aca7-36dc456d1e75,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ed0ff3e-60a3-4f3d-a127-e73f5c62339c,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ef2b846-43c6-4a43-9866-54c939b7b169,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cd64f19-c801-4551-a584-fa8eb311d74e,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fe11899-1746-4bd8-8b19-9dcdf3b84fbd,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2568cf9e-caef-4cbb-b614-84ea82e866a0,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1e4ad19-eae6-40e2-9420-a1b8330e9e66,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69008d15-468f-439c-96c6-718e2327ca1c,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b2cd93f-2346-4ded-ba5b-f5061ea819cf,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6224 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,38c6c1a8-5ad0-4bd7-9a0c-38989a6d5d44,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 
+ \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5d943e9-0f6d-499d-b541-876416c2014c,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,bd36ee6a-0b42-43c0-b1cf-c6fd28b807e5,"4/16/2021, 8:34:49.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8fbbe7ae-1edc-4f34-8237-99f27a57e003,"4/16/2021, 8:34:49.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13084 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1008_2021-01-28_130107\COLLECTGUESTLOGS.EXE + 32 + 9CBE23B245E1ED128DF262318D623E57C98A79AFDD407B13BD8A2C82CA79796E + 
101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d68aa9bb-e51b-484a-a13b-d56699ab1ae0,"4/16/2021, 8:34:49.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11320 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,65f48051-7a46-4a4e-9372-0e6dc176cc67,"4/16/2021, 8:34:49.257 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95a35c01-b55a-4d6c-a7eb-54f6b08a6cd3,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6d7f3fc-d3b2-468c-90ce-63ef36891fcc,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b91b21bd-8333-4487-aca6-229741a3bca4,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37b9d661-2be4-407f-8089-e6efa860c638,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31cb2025-fac8-4678-b1db-e408b1ff18d0,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8966baa9-8058-4d9e-bc99-0f3234ccf3b6,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c28fe850-39ae-4292-9534-dcf6b7619725,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,500e2f26-0e45-4f76-b6b7-89c402a5c306,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,709ac71c-b229-4863-941c-3acba30efb1e,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,319c8ef2-f229-4490-90d9-613eace56cea,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1b71d92-4266-413c-a7c3-c4474789436e,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89b69814-527e-49f2-9fd2-a5701d8051c6,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af03bf7-d8a6-4e90-9bb5-bbefc5d39cec,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5374a22a-34b4-4650-9894-d3a2077979de,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,067e6f3f-a1ee-4bc4-bc5d-bfbcb841b003,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc194e2f-92c2-4498-8313-59fe5f2b5676,"4/16/2021, 8:36:05.597 AM",,,,,,, +\WGONZALEZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c95cb18-ec90-4e37-814d-7fe9b837af8a,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57cebd85-9f1c-4ec8-9b6d-067e634d5954,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a601245d-db0d-4685-bbf4-6ceb860fc2a0,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,871b7913-c201-4729-a5e9-c3df48e0038a,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c81d0b7-58e8-4fbf-9ef7-dd7c7d000aa7,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab87f1e7-3c3f-48c3-8b06-1c484cea0af9,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,882946d0-25c3-404e-945a-bb1bc50243e6,"4/16/2021, 8:36:05.597 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49104693-f006-49f6-9881-4a753b9c3fc7,"4/16/2021, 8:36:05.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,63844b5b-ed4a-41df-aa5a-5cfa97e91b07,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e7210320-d52a-4a2f-9194-10eae01e2949,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8368 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d87c4818-3965-426f-8351-3f90ea104505,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9560 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,856cd6e1-80d2-4aa6-bd62-604890ddc4fa,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-19 + 5780 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8af0ca7e-ddb0-48b7-a402-5df76b2299a8,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10636 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,51aba4a1-3beb-42cc-b3f4-e1ace1100c92,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ff161b60-7146-419a-9ce7-cf9c286c014c,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab4e992a-139b-49b2-8a8a-a7d37522aa92,"4/16/2021, 8:37:34.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8432 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,44be4562-13c2-403d-b01c-718725d170ec,"4/16/2021, 8:37:34.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c11a16ef-1327-43c9-a936-b11a6557bd26,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,56fe9790-9224-4f1b-aabb-427d6c49462f,"4/16/2021, 8:37:34.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5760 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,aa88d071-faa3-4435-be05-e1f24e15246c,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,eaa547de-e58f-481a-afc5-7f6ce13eceba,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e81c9016-9762-4324-9fba-907fbe477bca,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dccdb772-e5be-43f1-84b7-d838212804ca,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7a18979d-3312-474d-aa18-024cac4708a0,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,918935a2-5550-4383-a811-aa5cd94c1c2d,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5460 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b0e63eb2-64e7-4e3e-b653-6913600ba4c8,"4/16/2021, 8:46:46.763 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,18a3bcf0-7984-4eb7-a0fd-85b23d48678b,"4/16/2021, 8:46:46.763 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2949292b-bc43-436f-aa97-2e018cdabdd7,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c1b1e0fa-150c-4d9d-b2a7-e012a89ae7af,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 4144 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,20c27eeb-6f88-4937-8f5a-88a891b30a68,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5536 + 56 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE + 32 + 9DED0B484DAB4C855638FF211AA738AB5ACFE45E12331060A363F0FC33FA365C + 106 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CVTRES.EXE\14.10.25028.00 + 0x3e5 + 58 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f419e40f-6bf4-48c1-af41-b47e331bf6c9,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,be1e7d8e-7b11-4415-850e-fb985e292a08,"4/16/2021, 8:46:43.862 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,12f8b4c7-bf86-4357-85de-e1dc9745d335,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9963d796-a6e6-4ccd-8a62-7505ee2977c8,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4484 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,17a473df-924c-41a1-9e02-06a63d4e2fc5,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9b7c21b3-ac4f-4d6a-a26d-e18433812b66,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,352f27ba-5215-4bd5-8b6e-8f17894593ae,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 3372 + 32 + %SYSTEM32%\MUSNOTIFICATIONUX.EXE + 32 + 76828F80AF11966F0857B066E3E402F41F46983D159864096576C84731EC1F37 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\MUSNOTIFICATIONUX.EXE\10.0.18362.1411 + 0x7a17996 + 41 + C:\windows\system32\MusNotificationUx.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ef283921-e3cc-4166-a0ef-ae379b90aece,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10272 + 24 + %SYSTEM32%\USOCLIENT.EXE + 32 + 3942ED22D1D683E626E94ACCD9538E1999E488EE68D1DB541B383E35E4280E84 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCLIENT\10.0.18362.1411 + 0x3e7 + 33 + C:\windows\System32\usoclient.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ee162e36-43db-450b-9b33-3555ba8e437e,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + %%1537 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",4663,4663 - An attempt was made to access an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:43.862 AM","%%1537 ",0x10000,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + 0x284 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + {00000000-0000-0000-0000-000000000000} +",4660,4660 - An object was deleted.,5503048d-aae9-48b7-bda5-46b931ec9ed1,057c4e1d-d777-4345-a289-5d1f159db682,"4/16/2021, 8:46:43.862 
AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Output_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + %%1537 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",4663,4663 - An attempt was made to access an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8aabcebb-1e29-4df8-ad25-8e8c7db31d6a,"4/16/2021, 8:46:43.862 AM","%%1537 ",0x10000,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + 0x284 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + {00000000-0000-0000-0000-000000000000} +",4660,4660 - An object was deleted.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d9d95464-6175-454d-a524-0aa3780d429b,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5344 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,30f45b5d-b4f1-4b34-b5b7-39696ab595c3,"4/16/2021, 8:46:49.266 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12864 + 22 
+ %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3dc2cd3d-4f41-404d-a02d-8fcd964748bf,"4/16/2021, 8:46:49.266 AM",,,,,,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4721644a-c499-4a6d-b547-c9ce5fec4821,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a41ab327-bf83-4fcc-972b-247978250809,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,194b80fa-c1f9-4948-b2c5-a2c9d9b3c3b4,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7340f99-a066-43e6-bc23-ffbd93a420a8,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f549fcd-e15e-44ee-80a9-29dfaaa272c0,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aefc795-6a2a-49ab-b56c-3fc788626fcb,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffed04a2-4a41-4caa-97a3-aa356001b39e,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,beb3215d-e5eb-425b-b463-ef2d02507780,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7d45bd5-9c89-480f-9634-cfb81e53c365,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3279749b-996a-4770-8f60-9a36e9dc33e6,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c45d093-a60f-4d46-b7ad-2c20a3a1453f,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d8ebb03-796a-4cee-95a9-e23ed724da86,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\ROOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d71f0dc-6d60-4015-bdc4-78f94294d924,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e3775e2-9b25-4008-aa76-62a8e11dc951,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0332dcf1-2e64-4ec5-84fe-589ff1b262d3,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88914dea-1aae-40da-bbb8-01d16cf680cb,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c30b6c73-fbb4-4daa-9bc9-109573a570f4,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bca0056-5659-4fc6-87a1-4f9ae8cdd509,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30eaf443-69b9-4e4d-bf24-26f0dda37fed,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84bb148f-d65e-43d1-be45-d03887e0e0be,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7b36215-3bb7-468e-9520-7844f163a631,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,222dfa4e-d3a5-4147-9f0d-4ac6280d99d4,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,18c73f9e-4bb0-4c00-aea3-11faadcb0603,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,013b1e81-f602-42c0-8267-a740a89614d8,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8ca0c45c-85ab-4cf9-afda-57247cfbd01a,"4/16/2021, 8:53:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,478830f1-baaf-453a-a404-f504506c59f3,"4/16/2021, 8:53:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,aafb22e4-1fd7-4537-8540-c43300fe266d,"4/16/2021, 8:53:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6508 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,359a4d2b-7935-4f18-80c2-620536ce434a,"4/16/2021, 8:53:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6a992f9e-34ae-4bc5-9f31-935d254a91cf,"4/16/2021, 8:53:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 2880 + 2021-04-14T17:26:46.227217700Z + Microsoft Software Key Storage Provider + UNKNOWN + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\dae75cc8e42badfb4c6fab1e32d87778_c950dff7-78b1-4d88-9861-fed650de2b5e + %%2458 + 0x0 +",5058,5058 - Key file operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f392c0d5-dc08-4770-bed2-0941e2bb5b91,"4/16/2021, 8:53:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 
+ %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9e8ecdf-3d36-47d4-b0b3-4ca1f2f64784,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 2880 + 2021-04-14T17:26:46.227217700Z + Microsoft Software Key Storage Provider + RSA + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,589778d3-e330-438e-a9fb-87321c1af16e,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 2880 + 2021-04-14T17:26:46.227217700Z + Microsoft Software Key Storage Provider + RSA + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b7377695-ce6b-49e3-a55e-12ad63a206be,"4/16/2021, 8:53:09.862 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d101290-281c-44e9-add8-50740f3a96a8,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6885b649-db16-4a81-98df-84a0eed7e05a,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3e84ab9-f159-4227-99be-65d2f9c1175a,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,865d5507-740f-4891-9088-ec1e20245f23,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00fe7488-53d2-4a7b-8b87-9974e0631b01,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42232f7-6b18-406c-a223-ba1d1719e928,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae3be0f-886b-49e2-861e-dc6e9d373bda,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94823bca-d91c-44c6-83fb-8d416548a6b0,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5fdacb9-d160-49db-89c4-b3f53550a9d8,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\LAB,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a7e645-eb49-4451-85db-a5a4dcc15903,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1779bee0-9a5e-4fa6-98f6-06d35d4d4086,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\BJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a2c9874-73a1-4671-94bd-ce2cbda39762,"4/16/2021, 
8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78f61cf-30dd-4d07-9bdc-888bfd9a8627,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b9ac436-dda4-43c7-9a71-e2c509bc3ffb,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9de0f4b-d457-47e4-aaf3-b426160de2e5,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8138329d-135f-4661-a0ce-fff903719861,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df69060-3510-4ccb-8532-8154b46bf41d,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0601272e-51b0-4b6b-aa4e-d35dea796c14,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e68857fb-0bae-41f9-b5fd-908333455bfd,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14796e4a-b68b-4f04-ab47-1ea41cee3a25,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,174092b4-eb98-4b85-8fab-1b0b09d51c50,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb6a7022-40fe-4f12-bd31-928511eb5514,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73d9892-697b-4899-9bdc-49a1fb3ac7ff,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248ffa3a-17db-455d-8b43-646fedbcf626,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4c73849-22eb-4ebf-bc39-3ccc6e1ae47a,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3aab571b-2d87-49b4-8cf8-0d317c8761aa,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5cf7c2dc-19a4-441a-b86a-be4041e15537,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b80044df-d184-4792-8678-00e51c671550,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d9927b5c-932a-4658-a4e3-3e9642d0c905,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6cdfbebe-f05c-4ba6-b529-1de0e5bf2b37,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f6f81851-f5f8-4956-952e-b7c8b8794073,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d8cccea-f271-4e6a-a53d-e9703da87c81,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cea01450-4726-4d7e-8b3d-5dba046d840a,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8e168590-7127-46d2-ad7e-c26d4b189e77,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4de641cb-d566-49d2-882f-f5e7f7cf60e8,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ebb00c2a-80ca-42ef-9e3f-ed612ab4d611,"4/16/2021, 8:53:16.053 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4bd19f0b-380e-4704-af4e-ff641002aebe,"4/16/2021, 8:46:51.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc164dbe-ed07-4369-b305-6f69f464a57d,"4/16/2021, 8:46:51.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9c4e9c79-c69a-47f3-bbe2-d20fb4d8426b,"4/16/2021, 8:46:51.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10732 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f1b23d3-b776-40d0-a200-df48526233f4,"4/16/2021, 8:46:51.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,82cd14b4-2d6a-4425-b3fc-55060b7b8618,"4/16/2021, 8:46:51.546 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba4afe27-e60e-4f01-9ecd-a310bd5033a8,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eac1b9f3-282a-4003-8e4c-123a6143aeea,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18874c0c-3c21-4cdf-ac13-1e5d9893acf2,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b39ad0a4-e481-4dbb-8fd1-6d817fe4d2aa,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caac423b-c402-47aa-a6bd-d7cf5a990a5d,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eeb42fde-2952-429b-be45-51e7b25dd471,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26c7ef50-418a-49f5-a77f-bbb12e55f133,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310f4270-61c1-48f9-aacb-620de85b0195,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85a0bdfc-e240-4a08-ae3e-5474b0f9eaea,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca1a783e-8bc2-47b3-a898-a3ba09275c22,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b29273ab-f86e-4544-afff-3364ff5b802f,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cc210a0-456e-474e-96c6-232d33ee6683,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2beb02e8-6589-4027-82b4-0180366b2cdb,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2072dbee-57e1-4898-bebb-194340a922dd,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f9ca5e9-0692-4bdb-840f-07ccc4ae9ee8,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28dbebd5-0449-4ffe-9f7e-e429e90a59c9,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,badc2182-5838-4531-b27e-2a83ae70a1d4,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b03b659-b771-4c03-9a94-9de128ae3899,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e4b9552-4c33-4adf-b8ee-64452569279b,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1765dfe7-7f4f-4219-bd53-c29ede73a833,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b21617fe-644a-4636-9411-3ab5165e9606,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee0cb75-2365-44f8-982b-ac296bb0aed9,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9412e80c-043f-4b17-b73b-7728401f8389,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4837f58a-6afc-47df-be46-b92ca4fcd9f3,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7acb8b97-d0fb-4bcf-b196-29c0c760fc7b,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,709fda0d-d8db-4de1-9592-0e0a6f13abc7,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,216858e7-9b4d-4ba3-85cf-b3d5dc21b761,"4/16/2021, 8:38:09.898 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5c426a32-757d-439f-807a-6b09e2b2ea79,"4/16/2021, 8:38:09.898 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3229d391-fee5-4330-b36f-1b007441f951,"4/16/2021, 8:38:09.898 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5696 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9203c3ca-05cf-478d-8e2d-64b5cc57cf37,"4/16/2021, 8:38:09.898 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6ccde3a8-a691-4b80-8ef6-a5e6c733f547,"4/16/2021, 8:38:09.898 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3648 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c67af8d0-4b8b-4d61-b43c-72131877c73a,"4/16/2021, 8:38:09.898 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + 
WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,134c0d3d-eeca-4958-baf4-f01d6f337786,"4/16/2021, 8:38:09.898 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,11372bce-01ff-47a5-9ac5-787dc0341d17,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3001af19-25c6-4ddf-b3b2-cd15e8a5e410,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b9f5b969-fbf6-4e05-8140-97ed46ca88d7,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f37b1920-8669-4b0e-b2c1-a30fb0b7d343,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,205a09d0-8292-402b-be45-389d0691465e,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of 
{__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,83a69a6b-1716-48cf-a516-fd92a6e4ce8b,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1e58ccf-f407-4965-ae5d-1d41cd9f2a97,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,db74f9de-37c3-450a-a386-eab08b9717e3,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,58573a93-a860-409b-a2df-5f08164508a5,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8b838c3f-989a-4897-ae3a-36c6d8b2edca,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,49017ed8-71e7-435e-9ebd-ce341f6783dc,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,863a0feb-cc4b-419e-b7fd-ad71a4824672,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eab22404-a43a-46da-9046-6bde44f6e725,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1eb103cf-b951-4a85-9cb6-d5e89fcfbd81,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f9a0b19c-57d8-4a36-9bc0-37ce8f619d6e,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,471c7f97-41a3-4490-ae21-7099a8c6c537,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fd080312-25c3-4838-94ed-cac446c567f5,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2e873669-7be6-4c3c-a4af-50368837d6f3,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a01d07f8-b2c6-48da-b864-5e12903229e8,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2e818f61-39c6-4dd4-b9cf-b3e7c86731dc,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4b184560-f9db-4b6b-9d41-eb6734fd32f4,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0bf33626-fd27-48eb-aef1-33af1546fc1e,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1ac6a09-e36d-4f48-b034-4f00eb4021fc,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b02291db-f646-45e1-961d-f27e4199541c,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480b56dd-48dc-4c4e-a650-ee810a53ecc3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,084b39fd-0b39-49fa-95f9-a7726b3e65ed,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,9643f5dc-92f7-4313-8190-5b42e3736b5e,"4/16/2021, 8:38:36.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38bc5301-6483-4835-8bda-aa46043a1af4,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,632370b7-6f2d-4301-9658-9ca29bbe35fb,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b27019-f12d-4cda-afb8-3d427321693d,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e2971e2-a2aa-4ea7-9532-7f45b6627274,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a5bbe2-074a-41ac-aa57-779e925b5d52,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0740f92e-2930-4a7f-b945-03beaa842b24,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c37ea0c-5993-4a60-8f44-f870782438f3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23224d67-f5de-49a5-a050-d077f5b398a3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb4f4d4-9736-49b7-909d-cd2541163fea,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78ec088-51d3-4104-9ecf-8457ab31941c,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,542433fb-a835-40dd-968e-96d40fd6218c,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec70c756-d757-434d-b312-5e0a4cfdd0e3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8da934e8-b9e8-4d92-bd89-2884f8c91c9b,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4658789d-18a9-498c-864d-eca02c8b63dd,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,769f435a-eb16-4954-a498-4db55b550f9c,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bce65a21-9e56-4078-b002-00242fb65a04,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e6dd07-6b91-4027-86f3-6797866ebedf,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51310e2e-f05e-45fa-8344-b297eff01740,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,219cea5b-995c-4a84-906b-52bd58082e3f,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a37de75-008f-46a6-887b-da5423517417,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,047517ed-c8af-49d0-999b-2799dd47c934,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,926a2747-38e8-4e55-8825-6c1ed9f3e961,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d5660bd-bdff-45c6-97d1-b193ccd2114e,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba1c123-559c-46f7-83ae-6f172b0a2237,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b97703-45f5-42b8-8bee-3f76aa282cf5,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b52d6ea0-8953-48ca-97a1-95fb96145bc2,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02174d46-0002-44d9-b469-f607978c519b,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6444a904-d3ad-425d-9ced-eb4a358ec4fb,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca33da45-89a1-4218-8714-712a2b645885,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f5a8d3-c7c7-476b-8fc9-cc047bd0fc95,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d2e0fbc-2e75-49ab-8d9f-cf6a0c05649f,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3af1db51-9248-4b0d-b312-ae26ddee327b,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e8297cd-cb16-417a-aac3-86f9aee30412,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe6f7a2-62f8-404a-820d-4393074239b6,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd15d012-5e14-47c5-a039-2efa216824f1,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,426b77c1-5719-477b-a5d6-20bce313ef93,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac0229b9-6052-4030-8e55-b3674f4ed2cd,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14585b39-f197-4c8e-8fe6-e43fd689f575,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ef65fd1-6f0d-455d-88a8-b59df0edd244,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169b4acc-a72d-4e26-9921-f276ce551f7b,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,715d0fd0-fbe2-4981-b84f-e18266b9a580,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5327b96e-5901-4715-82e2-1a91b8d2cb6a,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d5ac7fb-4d8e-4340-89a1-34c9fe769276,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c15f8ca-aaa7-4b73-8e1b-c9e8ad9eaf86,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,843b3711-b294-4892-b2fa-05c79fba5441,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5399fa4-03db-453e-ae44-5a863b39cfcc,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,487b0b61-3ae1-46ca-acaa-409b003a58db,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,201fa444-03c5-43a3-b955-1911395faf28,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2de0fc9-5759-47cf-9f8a-540aa7fb39bc,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dc6f536-d9f6-4ec9-8a55-8610a7138173,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4da2e6b-9cee-4ae6-9f5c-95b52a2f607a,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cb4492a-0774-4bce-a8a2-76ca7c712815,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd9cf9b-a0eb-4191-be03-5996cc69ffd9,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d0d285e-b211-4844-897b-163fdb4c99d6,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b19c885-4ca7-49fa-9db3-43f580548409,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f38eefce-2bc5-455c-aa57-cf90a286ef00,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07af5ea-4104-4d06-a2d8-40f8bf4bf4f0,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f13c5dd-fcb0-4fef-b2ba-3a9d28d70864,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfcefb91-7544-431a-8ae1-d24ac298dede,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f03ddc3-0cc1-48f6-b447-eb444d329644,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97c9266b-0cee-4a7d-b5e3-a1185bea1423,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0f191d0-12ec-475f-bf66-1901c98a6675,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62df658f-1259-4b66-93bb-baf93bca6a3b,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cca72bfa-d1d0-4f9e-89ab-4e20ecdc873e,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f94e8b97-0780-4306-8f04-2ff0a07a66c3,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60582b12-9dd2-4f51-ae57-f65632ee2023,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4528 + 76 + %PROGRAMFILES%\WINDOWS 
DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ed6cf66-c976-45d9-888b-ad2f96c24234,"4/16/2021, 8:46:51.546 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4fc6478-208c-41fe-8cd6-61da622be071,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f72dc8e5-8f77-492b-a97f-48d8bf3df040,"4/16/2021, 8:46:55.122 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6928 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbfff4a5-b5e4-4dde-b62b-d1b3aa2971fc,"4/16/2021, 8:46:55.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de3b4c43-1494-4d88-9fac-d4a0f1c1c6d3,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6c2bca9-7917-4e3a-b0eb-59337f8311ca,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ac90892-392c-44f1-8335-ab2dbcfc6f2d,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91cb240b-1e47-4a36-9102-774b4f0d0add,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e67a879d-aca0-4507-bfd2-20528945f53f,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,403e742e-ae23-416b-947c-d7393a9167c3,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc10e73f-0a92-4873-9c82-2e688c5ead82,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0bf4c17-2e5c-4b12-b8ba-064848e388e4,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c19e1cd-3fbd-45dc-b188-689028e2bdad,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,665824eb-d4c4-4044-b6e9-45f68515de22,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945521fa-a673-4921-97f5-b8b2548be75e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22f0eb96-54c6-4a21-bb75-19c7d3ca016a,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137cbe0d-ee07-46ed-ad4c-4dc1d6c8bb3e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2de16f6e-69df-466e-91f9-c11a27fc668e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\MAIL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e35669c6-2590-4468-89d1-8ec27b05a40e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c07c5a-f607-47b5-9fa8-a08985cafef9,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed1dfcc-3f73-41fe-9767-0bb81622f7a3,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abb113dd-4f61-4af9-8746-8baa7af04de1,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d12f1e4-4ce2-4cc6-8c2e-2079d950b712,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08485c03-c523-471d-99eb-ca3eb88bf5e5,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54074425-11e7-42ab-9b3e-a6ed20e076bc,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,327a544f-bf5b-4956-8784-614be507537d,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70e30f0d-5fc9-4920-aaed-be49ff886686,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fa7d06b-39a8-4d01-a938-c52e7927c326,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db3ec03-114b-4280-ab45-6354a87ed76b,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add1937a-a450-40c5-89b8-787845aa42d0,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dff035d-e0a6-46c3-ace8-8464ff6d9c70,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acefc177-dd4a-4d0d-b137-9c834c447b73,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b4cefc-e34c-48ad-bc70-11a958322be6,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47712486-d316-4c25-be29-96055db53440,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b035d7dc-8942-4f30-865e-cf691ad60156,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8af270b6-fe08-4005-971c-45286563e0ea,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12230559-aa66-44f5-b6da-45570e060ac4,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,816ae907-ade0-44be-887a-5892916e2039,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493c43b0-b6a9-4983-b130-33b0bca73369,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0031e81c-7800-4fd6-82fc-6938f8316ca8,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a1721f9f-8d92-4c91-b301-7688f5adf596,"4/16/2021, 9:04:33.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c16184c-6218-4520-9e62-198771e9ae52,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,485d7e71-da27-40b2-a2c6-f55894c2776f,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9400da99-514a-406c-8bfd-d2916dd5217a,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80a019d-f1b6-4936-830c-4e475b60183a,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c72c76d-4afc-4880-a652-06702eb6f8d3,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9b9e83-a47e-4260-8d8e-85d2fbe5b92a,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bed793df-cf92-44e4-9801-87eb34badf91,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12016 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,805140dd-0722-41aa-9387-f08d80e11463,"4/16/2021, 8:46:57.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10744 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,0e17d748-538e-4f74-9cd4-cc5dde58630c,"4/16/2021, 8:46:57.116 AM",,,,,,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eb6c8bd-edfd-40a6-a837-8ffdb4b20d0c,"4/16/2021, 8:47:02.612 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb486bac-440a-4bd2-bced-1a6795154c5c,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c03d219d-f8c0-4b2c-95ea-80e206417a43,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cd9d6f3-35d2-4869-b130-893db9ad0c0c,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,196a9a0c-5e5a-4708-83e1-9601de400b3c,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3df2df53-13d2-424a-8ce7-0f7ffebfa5ba,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 7156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b362bc9b-5ef8-4a09-b3ff-08b7174275ad,"4/16/2021, 8:38:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,845bec05-c6bd-4957-a1d1-de6790e3dbba,"4/16/2021, 8:38:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,791ac912-694f-4fb7-868e-d4db9d5f7253,"4/16/2021, 8:38:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e4b76968-fcf2-49c4-bcae-a56d327a837a,"4/16/2021, 8:38:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94e46d6e-ad74-462c-a883-8431537935c9,"4/16/2021, 8:38:52.739 
AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c839bb80-4589-4591-b68e-1b9a0bd46bcd,"4/16/2021, 8:38:52.739 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,59152071-0e0b-4c4f-9260-d0d51e898187,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9184 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a41f76e-6eb4-4412-ab6f-38e76e7b0d0b,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10564 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender 
Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ac39f05-4742-40a9-94ca-581863a63d7a,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b57a115c-2d77-410d-8951-588effd584b2,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b3edd799-eaaa-4100-b074-d49659d2478d,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1372a5a2-b4d3-494a-9420-ee18d0b3cd77,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f9648e15-96ad-4351-878b-a06e613a4c8f,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 10392 + 23 + %SYSTEM32%\GPUPDATE.EXE + 32 + 4E2D85458A3020FD0DBFC227C5779B02C4E80437A5BAD96766B0FAC8D955615C + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\GPUPDATE.EXE\10.0.18362.1139 + 0x3e4 + 32 + C:\windows\system32\gpupdate.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,df3e6ff5-f610-461b-854c-ab5bbded24e0,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\NETWORK 
SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6080 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e4 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,17fbff9d-7ca9-4672-adda-48d8fc9bb281,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1776 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3c770642-cb85-49a2-8f07-408df10719bc,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + \Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202} + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Author>VICTIMPC$</Author> <URI>\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}</URI> </RegistrationInfo> <Triggers> <TimeTrigger id=""GP Periodic Timer Trigger""> <Repetition> 
<Interval>PT1H45M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2021-04-15T20:23:50+00:00</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> <WnfStateChangeTrigger id=""GP WNF Trigger""> <Enabled>false</Enabled> <StateName>7508BCA33A0D8B41</StateName> <Data>01</Data> <DataOffset>28</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""Author""> <RunLevel>LeastPrivilege</RunLevel> <UserId>S-1-5-20</UserId> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>6</Priority> </Settings> <Actions Context=""Author""> <Exec id=""Group Policy Background Processing""> <Command>gpupdate.exe</Command> <Arguments>/target:user</Arguments> </Exec> </Actions> </Task> + 13510798882126355 + 1776 + 780 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,7854e7ca-a660-43f7-81cd-9bb953428bf3,"4/16/2021, 8:39:02.526 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 
+",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,e232f0b3-a635-4f73-93da-b0b95615ffa5,"4/16/2021, 8:39:02.526 AM",,,,,,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cf64193-5579-461d-bec1-8285bd4e6293,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d559f4d-7fbc-44c0-9f5d-e216b81230ea,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeb8fd23-1cbf-4418-bebb-ce29d719e338,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc46e13e-4caf-4b74-9360-ede9920999fb,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fdfc938-5f24-46d8-9928-e1f1798d3361,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54dc21bb-bf90-4744-845e-d8fc5b622d59,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cd2d12b-52fc-474f-9b96-0427b1a5ae4a,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adbe7a64-25d7-44db-8ce8-4d737220fdea,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,708e9143-060f-4956-86a3-7ae6b77e8a1c,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a808db03-7c0c-466e-9322-6c52a39babc0,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b0257f7-0650-4a07-bc6e-d2c659c03f39,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6952e2be-be1f-44d6-881a-42b8d759291a,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e16a74d-7bf7-471f-86e2-26f182836bf0,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f49ac74-6b9b-4e74-ba3b-4e9b41d8f52f,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5f4793e-8709-4b52-b16b-ba09230471de,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,013518aa-553e-44af-9c7f-de6e47f748d3,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef14b58b-db98-4ceb-a680-04e91e404d25,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54b31c8f-0df4-4344-a7e5-55c7c3bcf99c,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcccacc8-bfd5-4cee-9313-8d56a800b518,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605e2cb7-3a40-4b19-9f5a-00514b7141ae,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6ec49e4-6c07-4326-8d47-e5d20a5151be,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3f49db0-fda9-4f2d-a47c-cfa50e7c18c7,"4/16/2021, 8:39:04.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ec868a-5ac7-4a3f-beff-37bd4a7928b0,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,062119f5-9076-4e49-95a7-145ba5396ebd,"4/16/2021, 8:39:04.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd68af3-5d9a-4b32-b3b9-cbff414833f6,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7704 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac421573-692b-4032-aea4-d0e73611431a,"4/16/2021, 8:39:04.102 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8520 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b90a5ca7-bce0-42de-a49b-bf31c1fbf5af,"4/16/2021, 8:39:04.102 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1092 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,578e6163-cf49-4aef-9670-c60847443624,"4/16/2021, 8:39:09.861 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3480 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,18d11c83-665d-4181-aa15-094da240a347,"4/16/2021, 8:39:09.861 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6120 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process 
was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eaf796bf-96bf-4eca-a8a9-e5bc2dafda7c,"4/16/2021, 8:39:09.861 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6492 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,297cccf2-d752-47f4-a60d-318fa9c3dc9a,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b5f989f6-9640-4a5d-841a-12b92cb18bef,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,66775c10-b195-430c-b307-fcf58d0751d6,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5914a077-38b8-4328-bc3f-8bf8f4c0ec5c,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,219669e4-201f-4375-8d77-dcdcc74f2319,"4/16/2021, 8:39:09.861 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + 
%%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2445f7b5-7540-475b-882b-9827a7c4a697,"4/16/2021, 8:39:09.861 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,015e130b-0402-49b6-a2d1-40e60c45825e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23d5839a-869a-4944-93e5-94224ee724ab,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d934c21-b280-47f3-9557-29aabf223d42,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12fa6f8f-3c4a-497f-903c-710288faa87e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\TEMP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56e9abc0-ca99-4317-b602-456f815372a7,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a82b645f-f657-485e-bb1e-94fbeb7390e3,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5af801e8-9dd6-42e0-830a-77a7db4c70d4,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04cf3327-7eb2-4c82-a4e7-ebd2a99533b4,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,035f9c5d-3b2e-4596-b5cb-2d7c3364e413,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,372b644d-3dbe-4fa9-b6d2-690f8b82973d,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f74dd93-21fc-4895-b0c4-23ae887d3b96,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b56033-3287-4a80-b379-c75ca34af40e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38bd2a15-b9f9-4ea7-a14d-bc853c06aae1,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02fa7382-6738-4173-9c93-01dcf8657b4f,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e425acbc-2f72-4fd6-85c0-823eeb4f1fff,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,843599d0-e4c5-4911-a591-57d52118c4ea,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fec89cf-deee-42c9-9085-1bc8abbec401,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\SCANS3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15ae1621-805b-413d-a115-ff84767e456e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,522830e7-3f88-4c6e-8a95-16e9a6b603c9,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76fd5571-0cef-4e48-9671-381964c718cb,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08d500f8-cc18-4b19-a5cd-5cd68f9af1da,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d2c8e85-beff-411f-8af4-13a8da2c188c,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da963e42-2786-49d4-b541-8ab679598912,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9c1161-9d0f-4d40-8779-339f4ad2c42b,"4/16/2021, 
8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73398ac4-4497-4163-bad1-511139cbda0d,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a99c0ab9-3f3c-4dc8-b27c-c466f6feae54,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d647092-f6c7-4adb-8869-fd952d72e206,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9535a494-9021-4f05-aa21-61d3b533a7bc,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,459eb0f5-ef7b-44ae-88e7-d482175dec1a,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1305caf-2914-4aa5-9b74-247c1864809e,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a273b469-55dd-4661-887a-d667effab381,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5cb1e27-2943-477b-ab0c-a91c9fa2c8eb,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a810e4b1-2a9e-41ba-9dc5-1f5b96d8caa7,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54890450-5e18-46d9-ba6e-9b52f8889e0a,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d64f0f9-e7a0-4079-9825-fc1f48526ab5,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06222cc5-f480-49cc-afc0-f03c1e28e72b,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2a78df0-ed2b-448b-98e4-b13ab72449b0,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9842084-5f21-47f1-a8e3-6c8cec74f816,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9695654c-003b-4c4e-b991-445273cd52dc,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,644c1cb8-f89f-4e43-96c7-309d0c03a689,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f05abff5-543b-410a-bc86-7dd6eb48d334,"4/16/2021, 8:47:02.612 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eafc9ed2-d2c7-416a-b193-4a860830f44b,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c943d223-1be7-43e0-bae2-fdcefd087ebb,"4/16/2021, 8:47:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ddd4caa4-7ddf-4852-87ca-c4212157c05d,"4/16/2021, 8:47:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2a342416-312c-4687-b6c3-5c684751a8ed,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,50e34a40-7d2d-487b-ba63-d95236786d05,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c50d0a04-2530-4233-a634-4582f870da33,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c730f682-29b2-4d19-8917-09cfd1a906a0,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3c8cd37c-1d30-48eb-9b31-e9a0047b53f8,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,02b431ec-dc24-4ae7-86f5-a06a8d3b9b44,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,531e2e11-9730-4251-b3a1-c95961b911e0,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e1f500d-cd1f-4776-a710-5c4839addfcc,"4/16/2021, 8:47:03.050 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f5b53bd-e8af-4ddb-b8a7-7cbba7c37ccf,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46607032-446b-4102-a962-b2f4b10b69a6,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385b3246-2b61-4bdb-97ff-10ffdcec3a3d,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ada02890-3692-495f-9d49-aa33bf3c78dd,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,692da997-1eca-4caf-84e6-21b9015f74bd,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,954f376c-1afc-419b-b58d-5c56df4cb642,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54f363df-f46b-4c5c-9d4b-1d54900e651a,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa9e2fbb-e5fa-4a5b-89e8-d21ff0be06d4,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9294e14e-8bb4-4b8f-9c0a-c221a8174d81,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de3bea25-d116-4b77-8850-5523dce6dd9b,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425b8d89-ec74-4040-acb8-e0507914dde5,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cf345f6-a28c-4cda-9e49-a48ffd66686b,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fc1d0e2-67f2-464b-8ed2-b5c52f5ecb61,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a5ffba9-63cd-4994-b0d3-317e43e38ee6,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,561b45f5-c470-4c9c-8bf3-177e8cf44cf0,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30f79886-6e6b-463a-ac84-a22668b16aa3,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13992120-13e3-42cc-90cc-15d42efa0e39,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,789f57ff-390a-4380-9513-1b81e83a68fa,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,416dcbb0-3b19-406c-bf9c-722c3863b6c8,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5353c41f-712e-467d-a729-e29b1a700fbf,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65d358cf-9804-44cd-a224-6877dfab70f6,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b28e47d-a5b0-41c1-991b-7becd7c11f61,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4c8f19-6891-41b5-bf55-8d3906cd0c95,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a4b1393-3c38-4cb7-ba81-2d26e25910ce,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0c20a86-be38-49a9-a8b4-b7740f07e33d,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e993fc4b-0f7a-4c36-be16-1d9f5e85a89a,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41667fec-0a98-492d-8928-664e50e7e891,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7000 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + 
C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a2822dc1-5ce7-4a7c-a7ce-539f430d8ba6,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,98356859-da10-43fe-a3c5-bb55055747a3,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6520 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c5440b9d-b926-4ce8-a681-c68c1f987265,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1384 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7cc8f6c3-386f-4ecb-ad14-d1bb32a3d6fa,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9b66b14c-1867-4ede-a66e-b86af692bdd5,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cc869075-50fe-4d18-a39f-51dc66932bdf,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e83e37e9-7b06-45bd-9f66-0ef0583614a0,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,93d7e0cb-ef72-4955-affb-5d73f82a0107,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,14a1e903-78da-4c96-b40d-8798c22b4a78,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,51d44a8f-3633-4538-bc62-d5ba84ab4530,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6764 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b6aca89b-7271-4147-a469-5b4f645dbc66,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,34cb1e5b-33d6-4b64-bc39-43182a833d38,"4/16/2021, 8:56:45.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,19d4d9ee-0187-4b8a-b157-d7a79eef9ed6,"4/16/2021, 8:56:45.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fc162002-7e93-40c3-b115-ab476c5c2450,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,86cb8a29-76b9-42a1-8e84-dded5ec29f5c,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,26ba2c57-cc47-426e-ba2d-029c02860d47,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fd8e7a12-13e1-4fa8-b34a-179a9df9a5df,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,07e4d87b-3570-41b6-8df9-44d166198da4,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-503 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,82250447-8781-4d4d-b672-fa6135dc2194,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-501 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,035faaff-2f97-451c-a841-80f25dfc50cb,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-504 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5c6e6930-0e6a-4090-88eb-6d314a94da12,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1df8e28b-21d6-4c72-8372-59f1a47e2ad3,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + 
S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a240e544-6cb6-49e2-96c5-2d2530c4339f,"4/16/2021, 8:56:45.774 AM",,,,,,0x0, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dcd3b77-4a18-4dc8-8787-2af337101d38,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1824aa4-5ae2-4d87-a0a6-4c3ccd623fd9,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76763d43-b0c8-4ca9-b629-08c8f9e7e4a7,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f747b137-9abd-4ca0-a905-ff9f40ddb692,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8252fc77-3fa5-4a16-97c0-bcbbbfbcaf9d,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944598fb-81aa-407a-9414-5dc90e5ba581,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e032dd65-efaf-4b31-87f2-c3c2afbcbb7e,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a59a761-8b44-4180-960f-7376b723b338,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4c5e36a-9ecf-4262-a14a-0d7887ab5e53,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fd5951f-be7a-4331-a785-2d189cf00926,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f502d281-cf3c-4b71-b411-a9eb1b7252a3,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cfada2c-8ccd-4dc8-84e0-5eef0e9c881f,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5a9f775-9077-4361-bf9f-50d439903c1b,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d24d540f-d9aa-4a52-9abf-9db23273e153,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7962131c-a117-42a3-a746-3b7a0562dca3,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d81879f2-a6d5-4681-8c3f-73a82a8ac252,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d720031-55fb-46f1-89f7-9a6da14dbd5c,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,627af539-79a3-4714-90a7-77b13d59c720,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e484633a-79b2-4d39-a360-bb48bec494e1,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b7160c-6e90-4080-aadc-62404d1ee142,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b953404-f196-463b-a969-8b873c34cba4,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f46fc572-ee51-40a7-ba23-484e7fb5a93a,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8250e447-c17d-49c8-b792-d6d6f30fa5e3,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4344fdd5-fe1d-44d9-b75c-81ae442df9ee,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae73f4d-2167-4e22-b2b8-8f2b819c9242,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93bdf0e8-5326-4d94-9c53-4e1d7c7375d7,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d25218c-5f1d-42e6-b0b7-0457261cac17,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dd7a962-2548-49aa-aab5-300f0f9ec92d,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ff69aba-823f-4ba7-be4c-e5cf0b7ba548,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7ccd3db-9178-4858-a2a2-a88d92f24e27,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1397a700-faae-4387-aa8e-d125a0ea60c2,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2efc68c-51a0-411c-9214-90cce09766bd,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6d800e6-74bb-406e-b35b-4a9455ce4e63,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31851ebe-4347-4923-8353-0b25c8b6ba01,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccd0e06a-1059-4727-9c2e-23ca497bbc17,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e091bb47-42dc-4cea-8bda-1c8d2f609e03,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f26d1308-44aa-4fc1-9483-65383eada6cf,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b29ed158-1647-494d-83de-9883305626ca,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,466bd705-1017-4afa-a466-efe0774ce121,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27fd7b66-6e60-42d7-950a-a9ad439f857d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e3f53d9-101f-4dfd-8d1f-1c228dd9fc7d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dace5395-7eec-4dfe-8a06-ad9509d93205,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73a825dc-df9e-4cd8-8c5e-9b48c2b3fc4f,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a383821c-7fed-42df-8513-29e8f9d6ecac,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26eccec6-3dd6-44d0-ae0d-f8888e02a3f0,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a0ad26f-cd0f-4576-a5ce-2e2e96f82ecc,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c90190c2-e465-44b7-815e-ecf11923a1b4,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26f9ecef-0838-46c3-b9dc-9e9ca1069d6d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2558cc8-54cc-44b0-9363-39d8fc2e8d04,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b10f690f-5aed-4958-9d72-82bb0674003d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19f021dd-9787-4a7b-8515-ed8f22c4f2df,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3f91128-bd57-4a6a-af04-186c6cf746be,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,910b1443-7042-4de2-b285-3750306237fe,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2be4b1c6-dd63-445d-b405-3e3d1009a01c,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6e37203-41be-47d3-a40e-ba865b320321,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9728544c-164a-4f72-81fe-f8dd23f160e2,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4592071b-0087-4a18-898e-b16dd42c203b,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d028d014-04e6-49b2-955e-65489282a617,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,076d078e-1fff-4c13-b3e4-37c7c214c526,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbfa3569-588d-49e2-9139-6ca5296bd050,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad6ec8fa-585e-4040-99ad-338ea71425c7,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03de0c89-459a-4eb8-bb98-c735e11c1022,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4648 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 
128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fba7cc5a-71be-4b61-b69d-1106d3b34399,"4/16/2021, 8:39:36.414 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,56df71d6-518d-43fe-ba71-c2048775c850,"4/16/2021, 8:39:36.414 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8008 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a5728cc-6a1d-4642-ad4b-b85d4d165081,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3760 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,648b1811-b394-4fb9-aa1a-274fd44d372e,"4/16/2021, 
8:39:36.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3ba74dcf-bd64-44ab-a800-408542ad6721,"4/16/2021, 8:39:36.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fa5a07aa-05ea-419c-853b-2a7be894a987,"4/16/2021, 8:39:36.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ef0f6f89-f32e-4140-b2cd-6a73027c0695,"4/16/2021, 8:39:36.414 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e406ec13-6c99-4021-a9eb-2a1b8cc5cf11,"4/16/2021, 8:39:36.414 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b1dcc37-9a03-46f4-91a8-32b995202c38,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 8116 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c82f703f-d410-4535-8369-ca8cc8621bb2,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b6afe19e-7a9c-4a08-9172-160a9da2af08,"4/16/2021, 8:39:52.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e18a124a-f78b-4636-b00f-822322ce734c,"4/16/2021, 8:39:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6d7dca8e-b908-4cbb-8453-34e1e2b8c12d,"4/16/2021, 8:39:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6bd1bcc7-392a-4839-9007-f89f8162f395,"4/16/2021, 8:39:52.741 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3a1e9d64-8230-4fef-ad60-74ee083cf96d,"4/16/2021, 8:39:52.741 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e33aad67-8993-43ab-8dc1-94b731c7d9f1,"4/16/2021, 8:39:52.741 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91ef9c3f-c980-4c4d-af1f-013aa7294e5e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e885968-5dc0-495c-9c63-453fcf720612,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f575e99-c9b1-4bbf-8b74-ddcc9890e718,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df0857a5-d2ef-41a5-a47f-47a79863d95c,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,666db14f-5a55-417f-b165-8ce776344d8d,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,850db5af-0cb0-4df8-bbe1-319d3c1bf152,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6aa195db-14dd-4349-85c3-3426d2d62ee2,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c7c34d3-62e5-4e8f-81a3-56d99f0a719e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dd956c1-8686-492c-bdfc-7b7cb9a1c5db,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d34754-6530-45ee-a485-7ca018ac75a0,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82211dad-9f7e-4206-a795-ef11e0c704dc,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f558c05c-3ffe-4c85-900d-dc0dac68f090,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eca0a065-5f51-4a1a-8365-e937c5f19672,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + 
WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66668d01-e9ab-46de-9056-f644f5b16205,"4/16/2021, 8:39:57.624 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4736bdfc-2264-4920-975b-afb28d7bb0c4,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,042a1a9e-e045-493d-a2b4-28d926b9357b,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9803ba64-cd7a-469c-a5fe-ba6d9e36f2c0,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d682b74-2b50-453f-b932-48c3bc09634b,"4/16/2021, 8:39:57.624 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9f027a2-9e25-41aa-a7c4-efcf8ca6c5d3,"4/16/2021, 8:39:57.624 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,969a2018-70a2-4b47-9cd3-46bb76b1df30,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d0fb0e4-6f82-43dc-8a40-38849f3e5c16,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d476a522-fe92-469b-97c3-ac9ebbee2e6e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc3919e0-94a7-4af9-acaf-1bf580877834,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12687576-642c-4f4f-a33a-84a615304064,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5f6737e-24fd-4e14-9552-38a58b4f353e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dceae1ef-b2b2-4cca-935a-0a7013318d3c,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac2ea75b-9f56-4945-b81b-eae5f0584d18,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53658f30-8c04-4c44-a18c-e429862c4643,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53eb70ff-6a5c-4570-9410-278c5ba2f583,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1b08bb5-2553-49dd-979e-c2fb71c20a3e,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18c46e9f-800a-4963-91b0-c54257ecaff4,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fabbe414-faf1-409e-aac0-ba554a4af5b2,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a09cda4e-12db-46d1-ae03-176462087803,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6046ac8b-633e-420a-9d58-ede35f788a74,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7daeeeda-6ac4-4ff2-bf91-d0ab915aad66,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc11765d-149d-4eb6-9ada-c3b1631fbf13,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,162d6150-8c87-4b8f-b770-b801237581a4,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2aa50ee-9668-4f9c-8c6f-48866ccc2652,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebd9dedb-587a-43ee-807b-ee368f6c5121,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e9a900-671e-4083-b786-1f6c64c6514a,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a98ea804-4bcd-4742-98e5-847dc51d40e1,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc68de26-91c2-4c00-856f-395df88de7e8,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cad48c50-ab99-4168-b4ba-c85bba6e234f,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\SUPPORT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc4b1af4-2712-4c9b-bcd1-ef6f362bcf75,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58cd8a59-4a5c-4e0d-9022-3705275c6454,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c305d820-d605-42cf-b258-ecf5ffb4c78f,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d25afc-2b49-4261-865a-430259b22cf2,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61189f85-570d-42cd-b3e1-bcdbf55a5b0d,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7085d55-bc61-40ee-82da-47e1802fec07,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c9d7db7-6334-4767-8966-f8d937833adb,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6c083f5-b3ce-4d34-96a3-fcff433352cc,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6ac2044-dbcb-40e4-b7fc-4155d67a1b63,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b20d600-0413-4e66-9964-d1f48788c7a6,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ccd598f-9e4f-4c45-bb58-586a15773127,"4/16/2021, 
8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1912898-df40-436e-ace1-16fc93bbf014,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16cdc4fb-3976-47b7-bd6c-7f38b642e2a9,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f086dc84-9b22-4ab4-9892-758e36f505b2,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05bded83-9589-4fda-9e6a-6c7bb3b589ef,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,079f966a-5f2c-401c-a02c-e33a0995bc20,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e5c2370-7369-4d72-a816-6a12006e663e,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e6fed5d-a5c6-4d4c-91ea-15b98dfb1298,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbe0cd6c-92af-406b-87d4-e27646bc5931,"4/16/2021, 8:40:06.597 AM",,,,,,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9971d951-ac3d-4be1-ab97-81478ed7f550,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,761f0c41-8ce6-4fad-8304-a28b487166ff,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc1921b0-fb39-4dce-8b53-a564b1f991a6,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bd42f4e-1558-4a34-a65e-cd808233ba50,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c325987-7f86-46bc-9011-8d22d531c4c5,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a42329ec-bde0-4714-8467-970b85946cf0,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,990deb34-2c75-4af4-8d10-2c59120f5b6d,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98a1e59e-f465-4cab-970f-2e7c20218153,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,f3aba687-f525-46dd-8dec-971bf2ed7dde,"4/16/2021, 8:40:08.044 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,f862773b-d78b-456b-92a0-b68b08d8183e,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0480b041-9551-4f75-8184-31a1b42c6e98,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,df5be273-7bca-447a-9c1c-8f57ed5acce1,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3ab4f58e-4e06-4a01-96d7-003c8199cd85,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,63b1a709-7839-4b63-b37a-38ebac88b22f,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ec7f09dd-b71d-4724-a6fa-29670b9da0c6,"4/16/2021, 8:40:08.044 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d201b7-f30c-4148-97c8-a6e626919b41,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2a71fcf-aa90-4a9e-b602-06335844ad4a,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c9bb65d-4052-48c3-aaa4-5b4420d43523,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,393b148e-892e-4ba4-b64a-fccc638d4601,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8363663b-5e28-4ab6-b2b4-991f39e5f78b,"4/16/2021, 
8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74a039c-d9ac-47e4-a2bd-217bc40061e2,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\OBED,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9eaf5f55-d094-4d90-baff-8cdbb94de54d,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16a04fcc-bab2-44d1-81fe-a088c026a9f3,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f17f8297-0a9f-4215-b779-62387ec7dfb9,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae0c6d0b-ce84-418f-9602-9e4e0eae0ece,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1145af-3a97-4880-b905-e715015c7aa4,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5651319-0abb-4d71-ba27-f6f007e9b868,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,584720ef-2882-46af-bbde-0ecbbb7de743,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92c9c957-5a94-4ebf-add6-b202018a86b3,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,049a0319-0253-4ceb-b802-c502b6c21ccd,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a479eef-bfc7-4240-9e91-e4df72da6c77,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e4b8d46-732f-466a-ac20-31e595e71286,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a5ea970-7100-4a05-b0e9-37b1884b19f0,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e899e785-6f8f-4bef-95ab-f053e0545ebc,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97ee524-9861-433f-a8d7-3b98b2c61d41,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17b41576-f902-4da4-ba09-6391192a603e,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab508f56-c6ea-4b87-8d96-f33c703a5936,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0c657bc-6fd5-4c54-8f78-9eb73e94a984,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d4d9b5-8530-4b66-89f2-9aee0a319134,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f6ad56f-4f42-4eac-bf10-24c763bff3f1,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da918624-6663-4d8b-a769-a1e52cc81daf,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa711cf-293b-48ac-9b28-a354de6138c1,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a10e1055-bfd7-4a1b-9bc0-34dd26604817,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91bbfa52-1645-486f-8b70-352f4441b852,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4644076-6257-411c-94cf-49034decb74e,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24121b6e-8d64-45b3-86cb-8023c3f2ca76,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1156cbf-efef-47ee-9132-a4a98c0a1bb7,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53cf7ae0-6447-4a4f-b843-da0c8aeec3ee,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9468488-92a7-4b03-b5e2-00d471e62868,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c898cf8-87cb-4648-ac68-fa403900f57a,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee59232e-2301-4b03-867e-d2b3c24ec6da,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b80d4d6e-c928-4361-9c51-752b110d63ab,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad1ba8a2-60c9-4649-b5b5-a1456e82d73f,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,496531a5-543c-431d-b99f-eec3e914960e,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd382f20-0cba-4179-9ffc-cd6f029acc10,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acf5e53-5971-421b-a149-4d6b35faeba2,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b9029af-4e46-47e6-ac2f-bdb88b8fe8ce,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61c995e7-cc8e-4717-a9a3-581be440d3d3,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d56e40b8-18df-4333-9037-b8fa5cdd8847,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4c0e86c-0d15-4421-aecd-d3a9ae2cbb78,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3506560-2bb7-4d9f-9893-c611f24fcb0a,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2cb49527-cba9-4753-9354-47709c5d0771,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ef3adf-798e-46a1-bc28-adb8690aa4dc,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cadd1ca-00a7-46f5-92c6-42814d2ae9f4,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a817f93-f59d-4394-af21-0b944236e066,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee918c3e-f6ac-417b-94b4-9c2e5eae2aff,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40abfe43-7111-4f11-88f8-6095b9689327,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b83ec94-9f11-4e45-ba95-aed427897eeb,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9c5c95d-cd58-44ab-aa0f-f7bd90325651,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3695893-f069-409a-9c69-4b14af51c13f,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b0166d6-9d79-4753-aa3e-f522218ccfbe,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a82d16aa-c45c-4171-a5e4-6b70dea6beac,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee20edef-fd42-40a8-9e42-343217146318,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a37da45-8697-4565-937c-3d4cb9add005,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e35ff0ef-4f4b-4870-8d75-2e36a0623cab,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad9d0a2c-1eca-4cd3-a21c-d1adc5673712,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41dd4b4-f5d3-418b-8217-20debf509603,"4/16/2021, 8:47:20.117 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e56a1ce7-dc4d-4899-9024-51a65f3bd1ee,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54201595-1d69-4105-ab2a-000ed394bfcc,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f63b78a-a8b9-4121-8211-7da11749fa5e,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc02605a-1ae4-4ced-9ac7-edef9a54b61b,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371d97d5-9ac6-4e7b-8e5c-e1498fdfc2ff,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ef7259a-5b6c-4be8-9ac3-fd138003f823,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b689f06f-7ce2-45b1-b32e-71a757ebfaec,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00e2636b-7ff2-46c5-995d-6733522a8ce9,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2de48b9b-8fe0-4132-837e-a959d1d31de7,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,1293d5bc-07ec-4374-8e19-d28da82e422f,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,387ed380-2397-456c-81f7-2ecd5f3383ba,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6173ce0-4f9c-4708-a9d6-2159b5e67618,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b75aa25a-b098-4368-bb9a-8d90feb651c3,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd3de3a2-a989-43ef-a826-a44d773db42e,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of 
{__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,26792edb-8102-4816-92bf-4dba4c8e8839,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae1ccc7-5808-4a5b-a6dd-8239730405a1,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,73ef023b-0642-43ab-88c7-8022b36ea1c9,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e956d3-9798-4c35-a325-f1e4429ec07e,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f5c023b-4030-4814-b535-753d1e0600d3,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43d16fa-d4f9-4d1e-9a04-ebbaff633c2a,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0f3ea2-3426-4a65-a809-bcb96056992e,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ea104be-f0df-4754-b390-45ed208c0129,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a99cb2-e7a2-4371-812d-879c3bf5b91b,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ff7002-c37f-4d99-a21a-ab664db46d2c,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3848957e-5559-4d9d-b8cf-dab07a4db0c4,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,470990ab-6250-433c-82dd-80ace40588d5,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,503ad8c5-ecaf-487e-8434-215d5bd9ad27,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7826bcc-9fe2-4627-9cd7-eb2de4db36b4,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca0ff4fe-7e9a-4a92-b71f-c3f5b5f93c4a,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c974e44e-926b-4bd2-a986-f0fe7e0b666f,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ad5c7e-7a96-4c7c-ac67-4f65fb94b86c,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d195515-c193-472e-86ff-3d865fc68c9c,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e1081a8-7935-4a01-9626-d184864f4fc4,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28a0dba-7444-4bc2-9b67-418d16e321f7,"4/16/2021, 8:47:20.117 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aa4bf8d-7161-41ae-8e5d-01f2ed737c04,"4/16/2021, 8:47:20.117 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8409f1d4-b731-4565-b7d1-acf889e60e19,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7296 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3b0ce8a-fc03-4020-8e25-9c88c8ad7da7,"4/16/2021, 8:47:20.117 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ff5ec9-3f9e-483a-a3c3-19fd105721e6,"4/16/2021, 8:47:20.117 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e1e358c-347e-4c86-bea5-b0bb363087d7,"4/16/2021, 8:53:29.590 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6540 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7707150a-179b-4e3e-8352-c27c8a05f786,"4/16/2021, 8:53:29.590 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f528149-4ab7-4745-9f00-307db53303fa,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a6e225-c754-440b-93e9-ad831313e33e,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ba509f6-403b-4af3-bdaf-df937f0c4b67,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b88c630-f25b-4d3e-8f17-2a3c54eed510,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64574b63-6a7b-4433-8fc4-34bd500222f7,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4773f382-5e9d-4969-bbb1-666f06312538,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d324182-775c-4aea-a9f3-b44c155d1f45,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,109becc6-4a58-4991-aabd-a4eed9baab34,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,247a528e-e173-4f06-a166-4962be54e9a1,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2344653e-b27a-46fd-b4db-71fc24f2de61,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13dd5486-12c9-47c3-8ee1-d92cd06880a7,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38d2c318-9cd1-4e91-aea2-084386c1bfa5,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ef99a8c-3671-4936-9a20-760bf120144d,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\SCANS3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf86dd86-a114-4478-b668-eb6ba90ea391,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47edc78f-6c12-4f7b-8514-85bc5f598ef1,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c15e861a-1cfb-4c9a-a0b3-7b9c756ba661,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,105cc94b-b373-4e5d-b649-bd2f43036229,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0519a7f6-d78f-4182-89bf-bff32bf31ce2,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a67725b-3d7a-4965-b6e7-8c982af402be,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b548e38-c1a9-44d4-b8dd-18ddaa60a62e,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47104012-e067-4e47-a432-1e890f59dd95,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5263fb93-3798-47bc-81fa-415ec5e00095,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d838da-5b7d-4b71-94ef-1f6386945a92,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3154dbc-1a2e-41d9-8cf9-13e56e23246d,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13968 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® 
WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7f52aa0d-bcaf-413f-b240-a0ee13287ccb,"4/16/2021, 9:07:57.172 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,94e85259-5cb9-42be-a66a-70a2a6cf8b26,"4/16/2021, 9:07:57.172 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e658ed7-2110-48a8-915d-296295ee66fd,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfceabaf-0a27-43b3-8c83-fc2a2e14226b,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,453b123b-fb82-446a-8993-3e5c642fcb9e,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd63ef9f-cf10-4a51-8839-d57a87ad23be,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aac44d71-3ebb-46fd-8fd5-b277b2b09afd,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fad46d39-af77-4a21-942a-bf8d4790883a,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a237cab-ea1c-497b-a5ae-461fe81c9e69,"4/16/2021, 9:08:02.680 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1210b9c1-de02-41d5-8e95-56e07c7a64f6,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4558b9c-9862-4819-8f88-3ab858bafb62,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36cbee26-5216-44a3-a549-1ab2d89011e6,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11392a1c-c3a6-4037-ac53-4eff617e7baf,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b805d26-ff95-4ac8-9c26-6c9dac9340cb,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afe58ad4-4ae5-4a9a-905a-fb23482fbb17,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c97b7b9-5db6-4959-882f-87d7a2e96cda,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95edb4af-a65b-48a5-a5ff-7f2b57e1e567,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d158de3-d4a2-4182-97ee-373c94d62fd3,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f9d14c8-4b59-4d3a-9f0f-869b7c3f8169,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6e21dac-56c4-45de-8d6d-38d66a5076b7,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,338c4abd-140a-4ca5-969a-137fe1e4ee4d,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b45b60c-5b3b-4365-95ca-5610de4b1109,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73120bab-7251-4016-bdad-3b94428e60cd,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a72da889-070a-4e48-ab6f-32a92236a76b,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,899c3cd9-0836-429b-9b20-e4bae4142468,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6254ce54-a253-4a7e-a8f2-24207b391206,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,befaec83-29c6-4f2a-a35d-7233de19c75f,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c784a8de-5941-4aca-acee-4c244317bbbe,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d67c05-a35f-47cc-a496-fa4f01c9212b,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12de6b68-60a0-4339-8700-90b8d784f44f,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdfecdea-ca04-42a8-83ab-1f5e062603ac,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b5b3dab-d4a9-4a77-b2d1-678a44cad7c0,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03477680-ccc1-4746-8275-384df6ccc852,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a08500f-3199-4654-9dcb-acf9b9a912ce,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,379296ab-5eb8-4017-bded-cf88209ac975,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,456eafb6-5f5a-411b-b5a6-67927607ee45,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7998c160-4c64-4a17-808c-4b9799444236,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fbb9d1e-1065-45bf-b8f9-070ebc852105,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8949cb4-5e9d-408c-9cb7-af4735699716,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2048fb39-8f1b-478f-807b-0d0c9fe87e74,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2dde12c-a077-41ba-8c21-05e9a6545053,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85192d5a-1849-41c0-9c5a-11d25b874896,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d1d670e-266c-4806-ad64-eb82d5edbfb0,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8471fe3-2982-4cdc-a056-ce3f3efb7a5f,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,812f1906-0f79-442a-8f70-2c023f4c01e1,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67da6534-c728-4a75-91a8-ee59c0285341,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e2d1e54-ae51-46f7-b24d-bc15640993f9,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39472f72-831d-4240-b579-4aef6efe6047,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bebab64b-8264-4d14-a095-8b409bae171e,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c67e077e-2e0f-4e8d-86ef-9a0a4b3c8b1c,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,503eb8de-442c-4d53-b1d3-f038f62119ba,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3434ec46-6251-4f47-98bc-49205c629aad,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5d29e091-73d0-4014-88d3-0ae885f02f3b,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6188 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,47d26e5a-dd49-4fe3-b21c-ee534df9d46f,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4668 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c185740d-4cb0-4165-abf0-fda190076388,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,af614b74-4a4b-46e4-885f-2066e6e39764,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8bf62e80-d1ca-4d2f-aee7-c964904989ab,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6364 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f364954f-6ba8-4cc1-a13d-c8f680862ac7,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2108 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c3fd86a3-99f2-47c4-be2b-6e4f4a29be44,"4/16/2021, 9:08:07.877 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,19b5b1c4-cd37-46fd-89b4-01974653881f,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4cf53f4d-37d0-4ec6-a144-573439f8c649,"4/16/2021, 9:08:08.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,83a1ac2d-6c61-46e8-9287-be8b4fbc6a5f,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e8819b56-8f11-43ff-bc7a-db1648cb8a5e,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,572ccb40-f349-45c2-ac57-e4e700c532dd,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b999bc0a-13de-4134-af64-34a3aad31b49,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5039d724-c835-40ac-a68d-1e6adbf57b8c,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9a8c6dc3-9618-467d-9aca-87f451f631c4,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c440d6c9-e841-4695-9cb6-7502c4bcacbc,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d89e1d64-83df-49d0-b8aa-ed66e3a15576,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6d27e75c-68b4-498e-b8cc-e8f7a76ef2ab,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,88edb50f-e937-4c30-9fe7-0b63f8f1cbd8,"4/16/2021, 9:08:08.057 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,83d93b71-1839-4c5b-a98d-9e42b4e6aef2,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d1ce4d98-7618-4a10-95a3-c1828169d58b,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,02e630d5-2af2-459d-b088-9239ccbfde68,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,72888e1e-1482-4193-9b3e-6194c18f6ef1,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,22fca395-cbfa-4226-991f-efd72b067d5a,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4b1baa79-c278-4ff7-ac14-1826e6a1215f,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e4be814b-b02e-4840-a76e-07a0bc739af3,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,90ec083d-51af-40dc-a642-d3ceabad9caa,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ea4248b1-b389-48a2-8eb4-460138340fdf,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f7242424-417e-4f38-99f2-80ab21248828,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d1809390-7634-46ba-94ba-82c2c29ff717,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e4a838e4-a9bf-490d-9ffa-eb8e8055fc82,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,765a54dd-42a3-4912-b430-bf6e450b6e0c,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,26c2b291-e67b-4a02-b1eb-68c2f6642bb5,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d6f02ce6-193b-4942-9941-fce2a202929d,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3f08e3ce-9111-4d73-b21d-2d35d4874c5b,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a14c364c-6fa1-4d73-8e71-aec755e67de8,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,efd0f6e9-b74e-419d-9c9b-13df26d42f06,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,46822ec0-7d86-4df2-b02d-ec3412c5fa8a,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,32f3db91-a007-4e03-8f6c-e8850f0eb605,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,778c0550-092c-4ccf-b26d-b98659fe4316,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8d3d343f-07c4-4c49-877e-ad1bbace53ee,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f3f02e08-b615-4182-9a70-e05fae82a5f3,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,03a6a241-c5c6-4bca-9f80-91979658f467,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7120 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ebb78c11-d025-40ce-b218-f577bee1648e,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10888 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,07fb1ef7-7b02-49ad-baf4-4faa143841a8,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 12876 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,561c81d6-db91-4c66-90ee-95e2fcf85013,"4/16/2021, 9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b294c9dd-246b-4789-a4f2-667fba434dd6,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6c636f3e-518d-49aa-9013-3dee5a929f1c,"4/16/2021, 9:08:09.890 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ebc85c6b-9f58-47ec-9ccb-ffe5de0dc063,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bf88dbc3-a7ca-410e-8455-d1fc836f5158,"4/16/2021, 9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,124c9728-ae39-4b82-a455-6bee790ce201,"4/16/2021, 
9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,155049a1-d1b1-4052-b02e-41633e959c5b,"4/16/2021, 9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6605cd27-2009-4d88-b0a0-95443bd6720e,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5436 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a9c6cdbb-fef9-4cfe-8b6e-d11f91cbcf37,"4/16/2021, 9:08:09.890 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39dab6fc-92cd-4130-8c53-b98b70cf2839,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c30ff5c3-61b1-4c10-afbd-6494834e6de3,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,364e9f3d-0bac-40d1-800b-48c3bf41015c,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a7c500b-0eb5-4719-a8de-90ba050e4f35,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74bd1a02-4618-4223-96a8-9575ee36619f,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,561e7b41-e9d0-4d42-ab91-51267bea5279,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f48bea9-0956-4360-a6e4-9637bfeb76c4,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20803eaa-5af3-41e0-96fa-e6d4ddcb8eb4,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f0eebc9-76df-496f-98ef-c70bcf4e63dc,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d516db3-af8c-4cd5-a4ce-e61b7d9ac325,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48a38a63-0080-4d18-8a32-06d26a788e09,"4/16/2021, 
9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,532160fa-9ae7-4532-ae69-f3e6e264ce90,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f84d8a9-b53a-49ed-ba78-3375039ac451,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c7eceec-e509-46f8-b02c-db8f0fb0d88f,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb40236e-76e4-4edb-83a9-c781936b758d,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaec5677-037a-473c-9313-f92515c4964e,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af07ab6d-0316-4b62-b927-28ee605654c5,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,009d0c00-0419-4ad5-a7d9-062adeed046c,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddb4aec6-496e-4ddc-b01b-6249aaedef89,"4/16/2021, 9:08:11.119 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa0d64e-1b22-4939-b67e-4df500189dfe,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eee9e5b-fb6c-4aaa-a5dc-00a31b028b66,"4/16/2021, 9:08:11.119 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,e622aaf3-ed8f-49aa-b917-f1d3b319de8e,"4/16/2021, 9:08:11.119 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bc90b16-f878-493e-aacb-67498710bdb5,"4/16/2021, 9:08:11.119 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 112 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d1a21331-7e5d-4703-b906-624c2f49a723,"4/16/2021, 9:08:13.724 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9798646d-1046-4986-9459-a372efb3cea5,"4/16/2021, 9:08:16.817 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f16d37e-ea5f-494b-8331-0d4fba194161,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24342442-3eda-4f54-b8bd-d145e365c92e,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31c75b8b-5fff-4228-92a0-453ac2723f9c,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d58bd91-2edf-4774-840f-a0cbae85045e,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa975652-5a62-4e7d-bac7-e56b78d63751,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdc7c9d1-a259-4bad-9897-febe125d8c05,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36e695f8-0e69-49a1-93a6-d6e664384712,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a25188b6-2e76-417a-9e0e-77482cc89939,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c426c5d-cb33-4a48-8e79-113db34bfe22,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7855e420-43f6-48fa-b122-92a1f9fa9487,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e91d4e9b-9ca3-449a-a6b0-5ee9e76cebcf,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2e34ff3-71e8-464c-a7f0-afdc923ac113,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2603f93-a87d-4046-a189-5184643eca64,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,230c97c4-3088-4ccf-bdbb-d75cac8f8e96,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d98f62a-0a0a-4a9f-abc2-49b0523f478d,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8838f46-949e-490e-8db5-6cbe4ed54a21,"4/16/2021, 
9:08:16.817 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61412c5d-ba9c-4771-81ac-ab2c340e308f,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b4e9eb4-4336-4754-a540-9b210742133e,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d2ef6ed-1b42-4b0f-a58f-c99a0154ce5a,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c4a928c-e5e8-46e3-93ad-a21d8ad598e2,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4941ac3e-ef5d-4b7a-a03c-2436aa718159,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12b0d5ef-440b-4dae-a58b-714281f89257,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7144 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + 
C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29855d97-dde8-4c3c-9cc0-f216e2946356,"4/16/2021, 9:08:20.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8532 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e0d1d1a-512c-4f73-ab6e-2ba180ea1b79,"4/16/2021, 9:08:20.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efe6e5d-81d0-4dc0-a105-0ba3458ebf1f,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,733b3076-e634-428c-8239-d544fa125b88,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df97dc14-355e-4580-968a-1d10b6f317ef,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd7efdda-b155-4daa-996a-b28395ec9658,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bb3e655-1c59-4c40-b73c-da0c124373f9,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc351fd3-bfee-4dc6-ae51-c028b7caf0d3,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,17641a83-87d3-4c7e-99fc-cacedcc63b32,"4/16/2021, 9:08:20.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8808f5d-848d-4e03-9b12-45df86093996,"4/16/2021, 9:08:20.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e69420fe-77fe-414c-a2ad-9d375bcbd59a,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,211a55ea-40c3-4ff8-b99f-3e2234560ad7,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11d166b-2493-4740-b633-ee91f0f6311d,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fad6bab6-9a3b-4f64-8797-65e875e6a8b1,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31afc0f2-b046-44d4-bc5c-05624e8581cb,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5b0097c-d931-49a1-b9de-7058c10ec3a5,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc81608c-4011-48ab-a98e-e41a9e6f2b65,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2426ad-73d5-4480-a60c-16b6e9d86084,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8465d825-b9be-4a75-b91a-7dcef1c73294,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760c255e-c8f1-42de-a702-81a021e67367,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54de491d-043a-4e35-976b-0bbc8b2f25ec,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18cd00e6-af82-4545-8b49-3ab3450f9dae,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18286d0-7610-44d1-95c8-582235de4cc2,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a166e6-b82a-4f5c-9d4a-ac28874a80a1,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3000a9b4-821c-40ac-8826-30c2cfb2bc0d,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4ad2221-6289-46c3-a605-a170cac27996,"4/16/2021, 9:08:20.123 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,806ecd95-889c-46c3-8de8-4b738577d9d8,"4/16/2021, 9:08:20.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,901f7556-b235-4634-8733-eb91aec3a837,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,205e73a8-a869-45f7-b539-6e8f0b7ae128,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbf84c80-c39d-4c21-b743-6e30fb1c9489,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7276 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bbfd25d-9548-4800-b974-e376f2f91323,"4/16/2021, 9:08:20.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31143e5-d804-47d5-bce3-edb18d98cd2c,"4/16/2021, 9:08:20.123 AM",,,,,,, +\USER1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f4cbb1-0a37-4d9f-8205-8c15eb5de9ff,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f1a628-15a7-4b25-86b9-4e57cbabb50a,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,250f85c1-e742-4153-a4e3-09d43e505228,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e0af898-9c7f-47ef-9ebf-72686af9ed67,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9799b69e-25fc-42d6-ab42-f62d47390d27,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8199cb29-68e2-4b32-a048-6d2645e7cadb,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b74da50-3277-4a20-9ba4-0e2cfcfd6d57,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e99b43-5330-4318-976f-d2e6702b1525,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa62f887-59ad-41af-b6f1-30483cb4e21a,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d989a0a-4942-42b2-95bd-535bfc6fb444,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e11ff93-0a4e-4442-80e6-34384c363f7c,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1012e212-e518-4984-8acf-c4a25f78dc96,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\SCAN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d735d6ce-bcf0-427f-a0a6-5d797fa471ab,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2242866a-d210-4073-aa84-e9628df8235e,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b5374c6-7390-45cc-a438-4037e02c60b8,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c46d26d2-e98b-42d7-bbb1-fde88d8b3edc,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ead59eb-7d18-4c63-8fac-121c2685a8b1,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a25db62a-dca6-46cf-a6bc-a7a7d02a9d4d,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cea871a-4df7-4253-a77e-ca13e04f0362,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\DYA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfd0f055-5b0e-4e65-bbef-3fd87e5898f8,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb1e7325-86ac-4ada-b74e-f5b0dfd31e3f,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20fe5cbb-b953-4e03-848a-2cfe0ef2adb1,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf851a0-627f-4bbe-a50d-b1bcc7a1efd4,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22396021-cad6-45df-b4c0-f6d2f075c65c,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89704baf-d19a-4a9e-a76e-d71a8164406b,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER3,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cbddd6b4-08a2-4daa-beb8-f0d09283c8e1,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdc38998-8d53-44a1-a07c-f9f8d3128aaa,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\TEMP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38c7cd5b-f1d6-4cc7-9bd2-f75b94732e42,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26814506-8dab-4253-8057-d45cfead38f0,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,73398171-db49-4522-997f-d968757752f9,"4/16/2021, 9:08:27.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,279cb46f-39ce-4005-9ae5-d0143c000fbd,"4/16/2021, 9:08:27.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7868 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8fd6b6ec-73d3-40db-aaa3-d4ada26f7f1d,"4/16/2021, 9:08:27.410 
AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc3a5103-0b1d-48c0-8377-d481f3aa9a90,"4/16/2021, 9:08:27.410 AM",,,,,,, +\SALES,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d64d41d0-2a1f-46cb-b201-840f11d0af6c,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c0a2105-776c-446e-ba35-208d35b6ef83,"4/16/2021, 9:08:27.410 AM",,,,,,, +\A,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,34f852c6-5f6f-4a54-b2a0-f80f7e77a778,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdcbf364-1b36-4060-a5fc-a85bcdfa8fd9,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4fcdfae-6753-42bf-b74e-98ca00ce990c,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76bfbe62-8b69-43ca-80ac-a6db5daea306,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fd6bac2-05e1-4a83-a440-7aced4544830,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e0fc871-42b8-4cf1-8359-8017aa267cf9,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6952398-2ab1-441f-8055-4287037cc9ea,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0068506c-a229-47b0-b037-23902475f0cc,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f0c5bfd-2275-46cc-b64a-ccd0ed14c7b6,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23874e96-6e64-4ab7-8d9d-337bd437b62a,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f42948b8-55e9-48f7-bdbd-0be259e67e9f,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7c52097-e2a9-405d-b5ad-1f94b74c4820,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b6fd35f-0e21-404c-b25a-22b1e5523405,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,024a3b53-e613-41df-8bb7-ff213eb49a5c,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba51882-67ef-493a-bcba-397133bcc2fd,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7baf3c25-3a54-42d0-b342-0731dafae107,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5bfb3e12-77a4-43e0-963f-fba0d38cd463,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38ec428c-725d-4b96-845e-a2eb97b7d530,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a39d4b9-8bbb-46fe-9f51-12b37efa78a8,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7960716-23d1-4675-9722-ece6969119ff,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d98b065-2d86-4647-a1ed-0102d0ac431d,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcf3a5dc-741d-4b61-9e6e-e8280fa7615e,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,659d78b5-7089-4b80-b6eb-9b4f6ccede9e,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,def84706-ce62-458d-8a01-da00631a3d9d,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bee009d8-e734-41fe-818e-6e9f139066db,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02c5d7f8-ce17-4fba-9e23-b77817ca67ce,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f39f9cd-a183-47e2-8a46-a4dc741ee646,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3fc50d-2593-4a0c-aa42-7a2c9cb974ad,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7842d31-d2a8-42c3-a38a-4236c7ff148f,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,398b9303-fa60-4bc0-a795-07a6df90d7e3,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed984ea6-abb1-43d4-bf15-44c5d517e5b4,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e39688b-3397-441d-9e46-4bb7ab5ee34d,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d6d5b8f-47bc-40b0-8603-6e3cd2f82d20,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05c4ebfd-8d35-41e0-ab99-7f3648938c0d,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a43a948-c88e-452d-9f4a-7e3bf066817b,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d176d90a-c76b-4ce0-b4a6-2b57652a82d4,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8182b79d-f327-48d8-a9b9-5b63827b4299,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f2e14a6-f24d-4260-9fe9-ef6aca75aa12,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75395e45-1940-42c4-a100-79bad742fa76,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16879dc4-07ad-4515-95b3-36866b026ee1,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1918391-3e4e-4e30-9e84-15cc62030ea9,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,68c60e4b-3b2e-4bfd-a3fb-72a766c03402,"4/16/2021, 9:08:34.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2412430c-96c2-41ed-aeb6-a8a7a225e9e6,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6689bf20-1ebd-4798-ad34-9fcdbf40a73a,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19584800-5a0e-4690-a881-07ba654dc67e,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dff075c7-01b5-4722-916e-06cc9e8059ca,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,effe7105-62a8-4939-8c9c-c90f58f8c6ee,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fb10e84-8b29-4233-a10a-0ea32692e34f,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d542722f-7060-459e-945e-210b54dee7e4,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19ddadd1-9bb2-4898-8a74-1242c1494ac8,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,813ea1ce-c553-4b5d-8501-c1cf501a4dc4,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137295d8-adf0-43bc-b434-c230ee3fbcb2,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,127fca4f-ece2-4d48-9e1f-baf4a8c931df,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34262af9-e8a7-4df6-9fba-5809426b6dd1,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03353d20-5738-4ba5-a5d2-42b440edd642,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,377c103d-1b7f-4fdd-8f04-a160d58512c8,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60dbb361-f77e-4438-b3c2-b72716b03db6,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b281af7b-77f4-43ba-a719-4c028234362e,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e592e02-c0c9-4bbb-8007-dc566057d677,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48947b1c-4422-4414-843e-2a29553eeef7,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49fb19b3-2431-415c-9dd5-e5386f230b27,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61473c6b-724f-43db-95ff-bacdc9521a45,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f6ba20-f55a-4476-afb0-28f179d54960,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce55ad2b-5677-448b-9199-eeb3d1cab529,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16a6bbc0-b179-410b-98f1-c7df78e1e603,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352409d8-d372-4a59-8980-1ed23602118d,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d55533b9-2042-4467-9f1d-216eb7abae4b,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,,
+\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd321297-13c4-4214-a681-e9346b915f00,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4666206-1353-4f19-b911-2fe3b4fbf9ba,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b79c22b-32a4-49eb-aee6-c88fa4ced42f,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ca3d21c-edec-457c-8adb-6e0d159908b6,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80062b5a-795f-4b3c-aea7-dde10c7a59a2,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad805f93-8590-4d3d-b2c1-c5b801ccf22a,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7064adc3-0b6a-4c28-baf9-6e135d907293,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dc57de2-a202-43d7-8bfc-168581572096,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,45a13561-337a-40ec-a8f8-7523afa15375,"4/16/2021, 9:08:44.865 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6678810-ab5b-4ab0-8b2b-65379c28a5da,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15ad07a9-720a-4041-9572-7489baf21b37,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,496d3017-e024-4fea-8e18-783de7edf850,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d64b5f5-1e0c-46da-a4e7-8db2af4d02c4,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30d95043-4c53-40cc-b29c-1319a61f3810,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f438498-f72e-4519-9e56-1e36f0c3e0d6,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,402a5c95-17b6-43e1-b1e6-a29340c4111b,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d9d9050-4069-4ff9-b244-36349b4a8a7f,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,091bb075-e9e5-4c45-9a39-566cc2170445,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2ea004f-fd85-477d-ae3a-1e678d9da0d7,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6c057c8-97e5-438b-bc9f-a483a2df8d4b,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecd1d26b-4dc6-48c2-8ade-876aa498499a,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdd5e88f-ff0b-41b0-b4ca-1d1d50e4130b,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65472be2-1046-41c7-8926-da92ac7631e5,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90d9c482-49f0-4b0d-b824-ec604e538943,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3583493-bfa2-401c-872d-785fa825d4ef,"4/16/2021, 
9:08:45.684 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72b0461f-a6d8-4235-b459-67c2181ecb53,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6964002-9cee-4657-8238-327378133157,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bb0a14e-60d3-4be6-a7ea-e4aaf56dede6,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00a94c95-83a7-4ab8-8064-1cb6cf90a686,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,512fb32b-8467-4dfd-850f-1fdd87e62400,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26257724-32e1-42c3-aefa-c35a5a978404,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad933e7a-16d7-42af-accc-5a546822c890,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,955b1b90-199d-4c09-97ab-56b2f5c4e463,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41d5434-7552-408a-b4ee-8ad7b96ab487,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5c4c97b-c444-42b7-a1f6-d468f72aaaaa,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1beb5b9d-83e1-4b70-a2c3-f58c1aeddc45,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5eb6dd7-b18a-4bc3-8400-2b30f2589e1f,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bdaccc1-a828-4845-94f6-e069a24bd584,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24cb45e9-a2e9-48d4-b59d-401246a659c5,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db64a2dc-7953-4247-b0b3-1b35cde36450,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,def25773-5f99-4a48-bfea-c114fc6667e1,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15114b41-a6d2-4c52-ad21-afd990107e2e,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e76be4ca-b2a9-4441-a068-043cf89647eb,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ab9ee1-19a6-466d-8bb4-2684977fe594,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ca25906-e1a3-437e-a5ef-5f7461c8bb0b,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5423c03-77b9-49db-9875-0b47cc7a1eb4,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,125e4872-b325-45b3-9ef6-2b1b1f7d661b,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc6005bf-3bea-43bd-a8e2-6aa293a1bc3d,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1003171e-f735-4fc3-bc67-3eb8fc4ddf15,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6299f63-f4bc-4d88-998f-850be5f54f95,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bca77a24-e22f-4892-86e5-6269c39de333,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1deeaf5-497a-4e13-ae89-628b54f7dfb3,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7900497-33e2-4c42-9088-af7545f648bc,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,aaf224ca-de38-4bfe-8f38-460775b97295,"4/16/2021, 9:08:51.613 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f6abb16f-8cb0-4557-8c47-d642b0bb1d00,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10936 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 
31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,18f98072-ad20-4d0f-be85-fed5da8b8ad3,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,30cbd196-5f2c-4842-87d7-ee4d42ce624e,"4/16/2021, 9:08:51.613 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ada4c104-132e-40cc-9c60-4225645dac01,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8764 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,37510603-db9f-4c14-8170-2e11801d0440,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7080 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,086555c6-e32e-45f8-aee9-f142d8427fa1,"4/16/2021, 9:08:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6476 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e3a14638-9c02-4905-bb04-6e5191265990,"4/16/2021, 9:08:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a92ac037-bdf9-47e5-ba63-3b8e1a403365,"4/16/2021, 9:08:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1cf4a5d2-9a8d-4631-9e46-73617168d9a4,"4/16/2021, 9:08:52.733 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0aab661c-6822-4f20-9533-62b2d80958a3,"4/16/2021, 9:08:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,556be887-1516-4b2e-974e-78d0147fe9a3,"4/16/2021, 9:08:52.733 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b84efdc-51c2-49dd-aec1-18010604bbac,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b424415-c05a-4024-8f25-ab3d4ee5b1fb,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de665c54-aa2d-43cf-8951-2f3348c3ae2d,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,637cdad8-a080-45ee-a3f8-c26269992756,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c07df4e-3145-441d-8da2-996ef0e18f0f,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3244af8c-a9b0-4292-8b4a-582f6ad08357,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bf1a78b-ae4a-4993-9f1a-ac609933c559,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99adbee6-8409-4f2b-b183-79a12b2fb726,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67916ccb-89a8-4e67-85f6-1fdcf85c0411,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4817bc59-6af9-40d9-8283-4d50c84cf156,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f253c6b-d24e-4fc4-967e-66cb7d557565,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ea9e2fb-d6f6-4ef8-b1ee-b132dc3974be,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79503f00-9fcc-4619-a029-5a925573e896,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d0bafe1-f149-47d5-aa22-d375ae7c6b01,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cf3e166-a39c-4ec1-b82d-ff9e71dcd872,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e852e4-c172-467d-8c10-86c36bfc8c0f,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47e0c392-7db5-4bc2-ab03-086b22f269df,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16936d79-208a-46f2-86fd-7fce2eb8309a,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbecb84-0992-46a0-800e-9888adb3530a,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a662db5-779d-42f6-bb49-7bd27f05e2b2,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5889ad89-4940-4ef2-884e-334d05e65d47,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f70431c-991d-4630-9d17-18cfecb9127a,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcfe822c-65c9-40db-8bef-063ce7df8b76,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,929ab71c-527d-4d20-976c-99369017bc77,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c1b3fc-1d8f-43ca-8f9f-b1d054f74d03,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,46790abf-41c0-47d1-aacd-00dea72aa62f,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6d7ad0b4-948a-45df-b46e-3445a4b0cc9d,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12144 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-06_211148\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-06_211148\GuestAgent\FindVolume\FindVolume.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1f7b8f80-da95-4c8c-a4f0-083d5308e5f6,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a339f012-8c4e-492c-91cd-1c49d53ed7a4,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6880 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-06_211148\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-06_211148\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,371e694f-8f35-40a8-be58-19455f0c239e,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9004 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2914be43-7428-4497-987a-95a50f95c527,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4496 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,54baf6c4-7935-4c88-943b-30cb530edd70,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1243ec3a-3acc-47c2-9ac5-b071dc7bb91d,"4/16/2021, 9:08:57.026 AM",,,,,,, +\PRINTER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,124c65b4-961c-438d-8070-57847f52d7f4,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\USER01,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71f45bc4-4a52-4819-bd65-15f72c0df7cc,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38dca0f6-d7fb-4f47-9c38-efc632c89fdc,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\TESTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6648e422-1639-4fea-a065-fe978e4290e5,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\SCAN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c79983e3-b3c5-4db6-a456-e1fb34bd9956,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,704d4e68-1683-4290-bdd1-21b6405edb69,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b66dc819-f3d0-4a71-a0e7-5cdba3b40c27,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2aa0478f-1439-4641-99aa-7e8ce1ed750f,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6981e1e-ee2d-45a7-84cb-15ceaa86edc2,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,085c7b39-41e9-4066-84be-ddbb3909530b,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4117c968-f8b5-43f0-b790-fc29f10a3069,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5527047-b5af-4414-a533-946293bc1d98,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef78942-2220-4513-9889-bce731cae0ac,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e1fadd-1d6f-421f-adc4-9e90ce264bd4,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc443373-9339-495e-8c08-2fca86021531,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,097b8eea-6b53-480b-9947-9519db92af74,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ae815a-b043-4b2a-8da2-458b0df63444,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c4a485a-90d6-469a-9ad5-29339f7e2266,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec7d5b6-849d-401f-ab63-767515585f8e,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9d717fd-2145-4b0d-bfd9-03d1bf3735d7,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ec4ea1a-810a-4a07-9e28-2e02b7a1ad47,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32ba3a67-a225-41b5-80ae-734574e32c40,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eb694f4-2887-42e8-a436-a56d349fc12a,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,797440e5-ddbc-4330-9690-de1fc6081615,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1a8c047-45f7-469c-ac8f-0b8a67225aed,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10c6fad1-475d-4f8c-ab7a-2d44fb3bb3f0,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a88b59e6-3a74-42df-84ed-ea5f21431772,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f09fe8e-f771-4221-abba-c1d4a29d55e6,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee659ba-32b6-4b17-95d2-780fd7e3a1ff,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95f88e10-db3d-44f9-8081-20be109fd24e,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d42f1aa-f22f-4eda-9181-475096db6a04,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80d2ed0c-b8c5-4602-8f3c-1b205f41f654,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32e15fc-a535-4682-a7d6-2dc78c0cd406,"4/16/2021, 9:09:08.123 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6760a33-3d0d-43f0-8e5b-d99e77772f20,"4/16/2021, 9:09:08.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4db17c56-63c4-4377-9ee6-9bc71583ed7b,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4640 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba9791f-290e-4d0e-892e-0b12d8a5cf63,"4/16/2021, 9:09:08.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7652 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,da9deded-3998-4f27-92f2-216a5c8eb923,"4/16/2021, 9:09:08.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25c5ea41-1a3a-4bed-9fcf-a949f9914182,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecad7140-db54-4a79-8b7e-d95d7b6df50c,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd03dae1-221f-4ea3-a4fe-6e37851e8615,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd2eeb77-b9a5-41d3-a341-023ce282eec5,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f23afe6-8653-4592-8c29-3eca1282dd24,"4/16/2021, 
9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,170474b6-5798-4701-8aee-4b40eefcfee2,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa5f3f6-c04b-439f-bb64-0fd1d091250a,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38613b64-5953-40d8-9573-6e770e5c5b85,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2a4bf8d-111a-48f0-a422-2e9e56d7520d,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b103d4e4-d6ad-4077-9dfd-a0142020f667,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12986321-d753-4b58-b941-612d9b976601,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f86f96d-f469-4422-b862-5e8a25ea9d25,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4bdb40-9b22-42f5-b210-713df6a6493a,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d107222c-85b6-4ca3-aa23-54fc5792696d,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84bc20d4-f0c0-4f17-bb07-1f95eb7afa82,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c731518-6188-4054-9f8b-9d097d6e5842,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c019912d-0686-4d21-8089-3f28ed41f936,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1b27709-4b45-400a-9c18-a779994a098b,"4/16/2021, 9:09:09.871 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,85e22bcc-3803-47c6-bff5-8d5536b07ee8,"4/16/2021, 9:09:09.871 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4844 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f88052c8-f8d9-4512-8d1f-d4650b5c02e6,"4/16/2021, 9:09:09.871 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6800 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,78e23aeb-9ab5-4cd9-b24c-984b429c616a,"4/16/2021, 9:09:09.871 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d925f8a-be27-4348-8a55-43722a4aab13,"4/16/2021, 9:09:09.871 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5465e912-82b0-49eb-bb70-5a67e8a3366c,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70a74113-b12c-446d-b336-36c276af0332,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a550224-e9b7-428a-9801-cf5abf83e4b3,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1c515cf-4ca0-4925-87b8-a58a1eaaccfd,"4/16/2021, 9:09:13.694 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5093243c-d8dd-4c8a-8ff4-8b44ee823a8d,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7c69976-ee69-4f4d-a779-25431d4e054d,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa8e925e-82f3-4a78-a7e7-90ec124e9432,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f295f42-01fb-44e6-a9d9-9f4aefbd6307,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ae261a6-fb2f-4350-b40f-97d3ede959a0,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,698eb8c5-fd43-4cfa-8639-155046ade525,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d1e941b-483b-4396-b828-8bdbd3e51383,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\GIULIA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ce5e76a-ff82-4f26-aadb-f7cc3a6a33e3,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8b3cc8a-9386-46f1-a597-be8c9bbbfb8c,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f92fa863-2a73-4919-bc25-a343f440da5f,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44b479a2-b186-4bb7-8e6d-817622e6ec61,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,933356c4-897b-42e7-9441-242dace891d5,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0593cca-3136-4281-a45f-cdede231c766,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1eee3f9b-ef3a-405d-abcc-a3a7c1b8b5d5,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12a4e69c-b02c-49ac-9478-62802dcc81dd,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7403d0d9-7150-4e6a-8fd1-7990b2a09dbd,"4/16/2021, 
9:09:13.694 AM",,,,,NTLM,, +\WOUTERMB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9335b2f8-92e2-4f76-80c9-116f76bbee15,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0e14777-c848-4089-9358-2b409b389b4f,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5f77c23-3075-4ced-a1d2-1c937165fe16,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7243eacc-1578-4358-bf42-b60a03cdce11,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48c49f41-d01a-45db-aa46-5cce2ee15d77,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8f6dbc8-bc82-40e3-8d98-ed9a0f3276b1,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,327d73d7-2b36-45ad-977b-efadac948b8d,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98deaed6-1f34-4f91-b70a-db579a4714ba,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a49c18ce-4073-438c-afca-0bd58f4ab078,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5005c40-b124-4010-93da-7fdc39d97ad4,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,915337fd-f23d-4e6f-8d2f-70cae9eca017,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79b39dd3-bea4-4844-905f-831a42cbc373,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0baae95-7362-4343-8030-cd1907b41aa0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a43c852-2e80-4ef7-9eb6-ea7c70efbf20,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bce9cde5-e0fd-471c-b102-d2d2b82555a0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3508a4f4-0321-4398-9fd6-b5aa8ed0ae37,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1d55391-f4af-4cd0-86e4-2747fde62e5f,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b796d4b-8fc9-4672-9f62-865f588283da,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d5ae89d-426c-403f-9116-444ea59080f0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\PDV2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c52d17c0-e88f-4958-a1e2-eec8354d370c,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\OVB,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8515140-2324-4df0-9158-f324ebdc1a1d,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a74fb0e5-bf74-4433-9b86-3cf2b9df5906,"4/16/2021, 9:09:21.200 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,77545c1f-2dd1-4954-9c02-3208704a2256,"4/16/2021, 9:09:21.200 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7916 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7405d45-09d6-4d96-b718-fc28e7ef2a34,"4/16/2021, 9:09:21.200 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8088 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d79a74b-dd9b-4329-adc2-31e42771c8fe,"4/16/2021, 9:09:21.200 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f963a8-0707-405c-b721-308a560588bc,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7d28b38-7ac0-4ec6-90cd-51cdc47dbbd0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,26740993-f5b2-4f52-ab3e-8b18c6c4b4ca,"4/16/2021, 9:09:22.922 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3499cb87-b1a4-4c0e-98ab-9a0bd640137d,"4/16/2021, 9:09:22.922 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8664 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 4907DF27D7E70A824E8BD9BCDF3B222C3D8FB687A9986541432520AE204173FE + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1049 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fe013890-f351-4a2b-a911-e7e1a13a63b5,"4/16/2021, 9:09:22.922 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8023b4bd-873b-4aa7-9daa-4fa8fa8608c9,"4/16/2021, 9:09:22.922 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,7ba092cc-cb99-4c32-b02d-0147b0f76d59,"4/16/2021, 9:09:22.922 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9388da18-e632-4878-a494-d5042820e8c0,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3ccc2f9e-901c-444e-a664-4a89bee77946,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,7a54320b-986e-471f-90c9-d9804f9976ce,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,40f6512c-5ccf-488e-bec9-a9b6b024eeac,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bdf36b90-8922-45ec-a62f-6e6536332ac6,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b7440f16-ea56-430b-8e75-1e109a2f4c27,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,73bb3a20-6f6a-43cf-97e1-5f5a49c6d567,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,73d00ab4-7bb8-43e4-b0ed-4e032d2d2166,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86f058c3-1aa8-49d2-9341-7614f98e485c,"4/16/2021, 9:09:16.057 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,614632e8-29ee-4d0b-bf0c-9cd1194e5838,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,748929e3-af92-4ef2-817e-41d682664bc1,"4/16/2021, 9:09:16.057 AM",,,,,,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,236bd32f-6746-408c-91d5-a2c02f58cffc,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbab48c3-f536-4939-8a49-5c76c1c89533,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\SCPAB,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a393463f-9df8-4437-bd0c-0e3eabf74674,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cd8f203-3333-4964-a1ba-238957647123,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14ef0be9-0b38-49fd-be86-d92a7b6b616e,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d1bf35-3e4e-406d-a6ad-33b78aaba89b,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51159fa-2b42-4b4e-ae5f-2d2d4ba91363,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,449520d2-fbe7-47e4-b229-e5b3fc23db1c,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3db6e4b-da60-48d0-992e-b1efda5ef385,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f15abac6-7aea-419e-b9aa-55eb20804fc9,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2c6099-abe6-40ca-95e1-8a9c264aa922,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33380a2-71f4-45ff-9a3a-999898896cbd,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de852f71-a4bb-4cba-a520-722784f08d27,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31aff50e-342d-46a6-ae70-4c33a6fcdd2c,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f706d7d-cad8-4a7d-9667-b78a254c028a,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed7322b-0842-4f6f-acfd-5c0dd259f132,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af27c2c3-8a64-4039-a781-8ef1b75fa793,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef84a24f-c49f-40fd-a751-f76a6541c46c,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,625e704a-c141-4d74-ac87-8c66470ddf64,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22f385e6-22a9-4e27-87c4-965a8b60267e,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfc8a16d-40b3-4239-aa3c-90888dff68ad,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c555b3b-1539-455d-b999-252ddff830d6,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eefc7d6d-23b9-40ce-be31-da720f54d96b,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6474b4a8-87ea-4725-a47c-440a83a28ec7,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3938df-ce6d-4fca-ba82-5ec27d92c8d7,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f7528b-7f2e-4176-b3a4-0a2948dbce94,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f7fbc0fa-1196-4218-8b92-214bba20a9fd,"4/16/2021, 9:09:26.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,86ded7b6-3c0a-4dc5-8d7f-cf76eabe5c05,"4/16/2021, 9:09:26.601 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10272 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0940bb81-5679-48cb-943f-4ecbddbfbe3e,"4/16/2021, 9:09:26.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,051b3e50-de05-4e1c-bece-a2e2b9888122,"4/16/2021, 9:09:26.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7397c434-d13b-46d7-9233-139fa583d410,"4/16/2021, 9:09:26.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8768 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b05a7fcd-3e5b-4b0a-aad6-a875868d5ef9,"4/16/2021, 9:09:26.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a0274af-5bd2-4803-9823-394442b52463,"4/16/2021, 9:09:26.601 AM",,,,,,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8927cef6-e5e4-4df0-b7cb-2e32e54464fa,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0be71b1c-c6bb-48e3-9f84-9395b96362e0,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b4de4c9-16b5-4d34-ad9f-469d1b4c4e75,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d72bd684-c237-416c-97da-b91bc5b245cd,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9144ebda-319c-4cd5-a3b9-dad3428e7053,"4/16/2021, 
9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57824eec-20d3-4817-be8d-2daffa3170a5,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0a1b53-ed0c-49fc-a801-9b8e079c5d39,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08c69e72-c0fa-476d-8efd-ea492f3651a1,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da9d820e-3d2d-429e-9248-7ce08fce6b3b,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1593d3f2-229e-4f12-871f-21369c183593,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a4dc3f1-cc4e-4b56-b709-250f962178e6,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bd5be68-2079-49c6-b5e3-cf75be55b81a,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89c3b7df-af3c-4333-9603-4c7f961cac01,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3279a8bb-8d78-4181-b578-5079806f1088,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dabc315-1695-4cf8-b599-bf2c09990abd,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8ac5623-2cdf-4b79-90b0-3f08009eb203,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,271d25f6-caa6-485b-aa09-75e10b1b9549,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfeb172e-3ac4-4d88-8ca4-8a99d82286a5,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac569f43-ed5e-4db0-a1c6-d2b8d0e21e9c,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f74a83-81d3-4cf5-ac87-36d6c898522b,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5055caf7-6c46-4972-a4dd-19d78c6fc210,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0994aa8f-a0c3-468e-bab4-1f66b8cb9c45,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaf6718a-76f0-4f54-9f28-03b932cbb6b6,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8110a1b6-cbfb-471c-a7a9-515c2c18f94f,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3daadbe-08a2-464b-9243-73ee70853485,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,395c4490-46b8-4487-8268-ed5b3aa98383,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed75549b-028d-4de2-a7e6-fa0d09b77295,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a6f9601-90e6-43ff-b097-ae0dc5a8b94f,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6989f9f5-ddac-42f9-bbcb-6780505e5931,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c21573a-a5f5-43bd-85ab-e063b4ba43af,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3637fab-36ec-48bf-94ad-9916bd5d0223,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,910f86a5-40bd-4065-9d9a-c660b583d6be,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdb6d351-2997-47a5-9048-6a7b1622a0d5,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,187a2cd9-8284-4047-a0af-18f15bd64481,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3dc788d-5dc2-4cd2-a74e-772d34fa0b70,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bb23f94-9ddc-4e83-a1cf-9b0bf53a535a,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57431f6d-1f66-4619-b2ad-5ab59ce80010,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bd760e5-7235-4f84-aa94-bb322fa80820,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,346c0a07-031d-4a8c-911f-c80c3b04f622,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,817da80f-b39b-4a9f-8553-c365b3a58788,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4622b32-0f39-4a35-98e7-7f492cecaad7,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f3c49f5-0d3a-4dc7-b7e2-19dcb4a7d7c7,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af6d74e4-c191-4021-968c-386c9790bb32,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c80f0dee-8ff9-4351-90c1-131738396c82,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4d27329-2e0c-442b-9a47-80ca92649b73,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5a5b9a2-53db-4157-95e1-12b8cad3b4eb,"4/16/2021, 
9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11afac53-424c-4f40-9160-4f8d55d4493e,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea536b57-8430-4edf-ba41-be967e12a64f,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85157ea8-b5a5-4dae-a76f-40ed6cf02e4f,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,ec76b516-5a86-4755-b114-dabf069225da,"4/16/2021, 9:09:35.119 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c486eb9-22c9-450a-91ef-d24719cf5c48,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea428951-ab6d-448c-ae87-4894c29006f7,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a89184b3-8012-44c3-a6a2-27cbc205d487,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,889462ce-a5c0-48b2-ba78-09c1d33196ee,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aa2a9bd-a032-4a9b-b838-817a746c45c5,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b1b6b2b-1813-434e-8c78-3a41e0e77b2f,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f939fcdb-900f-44ff-b813-0350f7ce16a3,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56837e03-bc22-4b49-8dd5-350b101445ee,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e5c8f8-c619-4306-9779-e045b46df46a,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88bd71dd-ced7-4262-9f08-7b11c835111b,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7dac572-d608-46d6-8eb0-9763c5462092,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7ebf244-82ca-4eea-9165-d1632486bb1a,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b8896b-6cbd-4901-99d3-425b50296b80,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,123dc9c5-c64d-4a35-9a5f-0abedeb8c5a2,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e70881fa-548d-4c91-af0f-5cb71770e6ef,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 2600 + 2021-04-14T04:56:12.746425400Z + Microsoft Software Key Storage Provider + UNKNOWN + ef4f84fd-c4f6-418e-a341-bea15d4281df + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\954e38042ca68b27d4d706c2e7747a10_212bc69c-5ce6-4002-a8fa-f266ac5ca24a + %%2458 + 0x0 +",5058,5058 - Key file operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,84af09ec-8809-457d-8a45-7f172ffa4e48,"4/16/2021, 9:09:35.119 AM",,,,,,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + ef4f84fd-c4f6-418e-a341-bea15d4281df + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d736fb-1ad0-461d-82ad-2532eec9964e,"4/16/2021, 9:09:35.119 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 2600 + 2021-04-14T04:56:12.746425400Z + Microsoft Software Key Storage Provider + RSA + ef4f84fd-c4f6-418e-a341-bea15d4281df + 
%%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4885420-faee-4b1a-88f6-955413342bd1,"4/16/2021, 9:09:35.119 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 2600 + 2021-04-14T04:56:12.746425400Z + Microsoft Software Key Storage Provider + RSA + ef4f84fd-c4f6-418e-a341-bea15d4281df + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e638cff-7ad6-42c7-8182-2791d0334e08,"4/16/2021, 9:09:35.119 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8697878-3aea-48a1-9abb-b6087e6ae7b7,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3208b1de-058d-4f1e-9de9-59fd6ba0b45e,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1519c6c0-cd98-4a52-8d38-9f9314316d9d,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26f9ef31-f0d0-48dd-a2b6-fa5f7b978232,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1105dccd-93c1-4c77-9f0e-eab81cb06a60,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73c789a8-6165-4f6b-b66c-e359869b543a,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\WP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d532c9fe-b6cc-46c4-8fdd-e52f63d9a121,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb251c4-2f8b-4399-98da-9c8a33fbb12f,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b0a2353-dd1b-4f65-84fd-cefdc8f77bf5,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d98cd935-6000-4656-9e3d-01747fca2cd5,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e97197fc-6680-41b3-a464-af2a86dfecbf,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,764cac8c-8b6d-4e62-9595-57fe76f52a6b,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efba0126-940d-49d8-b212-b4f0a2249313,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd5b0c20-72f2-432d-ab6f-773e149ac714,"4/16/2021, 9:09:41.686 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1ce66ef-9267-4231-8dcf-b48c0e944035,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfb34dce-ee4c-4ef0-aec6-c67fee8bc3c6,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17c51901-e01e-4ff3-ad9a-5adcebe14bfe,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,148d526e-64ff-4fbf-a6c3-2c70c07d4ea8,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd7f360a-506e-4dae-b519-12aac5d2427e,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\MIRIAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80918000-8312-4eab-b38f-a332512cd9f9,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10951ede-0891-4a39-827f-4904b3c2ae1f,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abdab6c3-0298-41a1-b3d1-1db67716a06e,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d02becb0-baba-47f9-a1e5-e0da749a64ad,"4/16/2021, 9:09:49.618 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,30044390-987e-49fa-85ff-24769e8e6e55,"4/16/2021, 9:09:49.618 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4120d8a-3b9c-4071-97c1-9f43d59c0577,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba1a31ab-8ac0-453d-a051-1b9b60292a1f,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9119170-5ba7-4604-844e-08854099d190,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e5f48d1-0ac4-4f00-a635-3c461077d6e9,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc602452-de7f-4c6d-bd91-80521894f60e,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6848b5d-574a-4e24-95a6-12d98484fcc0,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c6e3bba-93b3-41b7-a7d4-12e7a8a7c9ce,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d317f45e-0977-47e7-b2a0-d146a0e36139,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29233fed-9748-4f63-b2a9-be13232dcc28,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a12904d-1f14-462a-a484-d8d9a1c61d51,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f13f16-162a-491e-ab5a-694dbff0c4d8,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83ed9530-8dee-40cf-b41a-f53ea3a7e510,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2627cba3-3928-4ab8-a964-f8039d03853c,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18ea71c-b1b4-454e-b5bf-897527518293,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28b2807-7f50-4f9a-8ce3-d1b55c1efa9f,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b432ddb1-f02c-4c35-98c0-b5c3f362d97c,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07732e1d-8e40-4248-b9b3-b84643888250,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23840ba2-0112-4aa6-abf0-d6f49cbcdd3a,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efc19973-0667-4a92-b04a-542a354d403e,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1064a13a-3685-4fd6-9df3-1c7e24a097a3,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56720401-4c2b-4862-9633-3f3f77745850,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bfdd3e6-4e0e-48cc-8e65-50b80c731c1a,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31e17304-21cb-4ad3-8dc2-94498e3ff227,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2132 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6eba195c-5851-46ff-8ab4-38f11b690206,"4/16/2021, 9:09:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cedb88f8-2c84-47f6-a4ab-18326f4e1a2a,"4/16/2021, 9:09:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1bc5db37-6372-4fe8-a753-2fd6f294cea7,"4/16/2021, 9:09:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5ed82079-215d-4c9c-bdd4-1ed6ea4f16a6,"4/16/2021, 9:09:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4e0c7011-3e83-47c1-9f3f-eb8a3c0d6ba6,"4/16/2021, 9:09:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cbd39433-99b2-478c-9118-902da4d37e59,"4/16/2021, 9:09:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,045eb0c0-f1ef-41a2-a283-e8858827ae44,"4/16/2021, 9:09:52.738 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6772 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,290c14ca-5b16-4cf5-9122-3b1a45aeda70,"4/16/2021, 9:09:52.738 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3ea1432b-ef98-4eff-a871-eb96163105cb,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,df4ac5ac-fec0-48bd-9531-9152c127907f,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b0ccb9d9-43d5-435c-9118-47dffda1dbcb,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,000a41ae-b1f0-4818-836a-63019f0f0da8,"4/16/2021, 9:09:53.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3aaab76b-f279-4573-af2a-6c4c814d5fdf,"4/16/2021, 9:09:53.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,57e6b768-bb39-43d0-b7f8-774af54149a5,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1b11e0a4-5bce-49fe-93ba-b2efcfeb72d0,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ac0bacf-59a0-4ca5-895d-d08486090019,"4/16/2021, 9:09:53.061 AM",,,,,,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d87c13be-9213-4c7c-aabc-d48bb2c142d5,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dcb8e33-f106-47b1-86dd-57ede299e921,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46e39b3f-b739-4662-b055-495e34e0f17c,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c138ba6d-f62f-42f2-811b-98d0aa79a64d,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,529f090a-1725-41e8-8670-7089c78c3218,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44230092-09f8-4c28-b664-976cc8855c2b,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfed3c6d-c48a-405f-9e1b-f6857a3a723c,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44842ff4-4b64-4db5-8fd2-3c32958c24b1,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22577885-6cd3-4847-8979-3698aa27f501,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e34d85a-a2e3-4e36-96c9-1e19f227243d,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37009a38-4eca-4e30-af96-99c7f6094c35,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0c822c8-c5e6-4e77-89ad-560424f310e1,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fec5f467-be2e-4c93-9ee8-48c6915b672f,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccb3f135-e7ba-4a38-8b88-55f88e9f5347,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffd950ab-68a7-40b0-b4d5-3e0c002ca657,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91dd9e08-f502-4c19-bc85-efe8210018a5,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d73d963a-d794-44ae-94e3-05ca1236a49a,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71eab432-8e5c-4281-91a2-c3886196539b,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6529b7cb-8dd2-4052-b1bf-62931127552e,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,227986c5-f3e9-4c7f-a1fb-6075dadc9af3,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf06a18-bfa7-4ee0-813c-94f221d71f25,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a617a519-da88-4943-b1b6-bcb0c5f886fb,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efa181b4-d94c-492d-98d2-5ebef06538c9,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 
+",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af88e610-4859-4049-b583-0d5a54e9433e,"4/16/2021, 9:09:53.688 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e4820cc-0246-44e2-a836-5c4ff45202ff,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,27c63913-7ee9-4e96-a3bb-8dcc0b90f186,"4/16/2021, 9:10:06.593 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6080 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,54bc2894-6890-4cec-ae5c-1a8c9294b711,"4/16/2021, 9:10:06.593 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9608 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,140a426b-1eba-4918-98d1-c1c5dd349c0c,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e20c609f-adf5-41b4-a654-8de79292ff85,"4/16/2021, 9:10:06.593 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6252 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,887945e5-edb7-4680-a00b-95ba272f5aed,"4/16/2021, 9:10:06.593 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,1918cbe7-7319-40e9-8fb8-f2f9d7114467,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,51d067a8-075e-43e5-b93b-4c41cfd1f6bd,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,f6638b82-98a5-4542-8bec-6bc0977f793f,b1344fc5-bc62-4e2c-a8c7-2efa8c51f03b,"4/16/2021, 9:10:06.593 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x417171d + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,0b918d74-77a3-4f3e-9613-59e1cb322eda,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,52a206a9-8415-4174-895c-898ccbc85c8f,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,3bb23178-67e5-4678-ab28-30cc1f3af142,"4/16/2021, 9:10:06.593 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95db58d9-d9d8-4fde-8c2f-fea128977616,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +\TRAINING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,956a7286-1041-48b2-9f63-f9435a9ae5aa,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6064 + 84 + 
%OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b63ae41-b794-4ef1-8a2d-e2be8b4f5d4b,"4/16/2021, 9:10:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,335bcf2e-99ff-426c-9d17-dce41b454b03,"4/16/2021, 9:10:05.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c2dc237-c902-4dfc-b618-4e1a91d49a1b,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +\INFO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a7791c91-87ee-4b39-bceb-80ec90197621,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +\USUARIO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e07627bd-eb0a-423d-94cd-ebdd9b99651c,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7136 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 
0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b0404085-45df-4b4f-a28f-e5dcfa61e88f,"4/16/2021, 9:10:05.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6544 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b3ec4c48-4d06-4e09-8dbe-155f1e3c461c,"4/16/2021, 9:10:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,59104820-24a7-4212-8e9a-beb46df1803e,"4/16/2021, 9:10:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5eab9086-5cd7-4026-aed6-3560f3e89d78,"4/16/2021, 9:10:05.411 AM",,,,,,, +\TESTTEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2e44533-76fc-45dd-aa58-babd469e3d38,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12936 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,41e5198b-bd08-4434-b761-8b1ceab08ea8,"4/16/2021, 9:09:57.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,0e39e2cd-729a-432f-8f4b-89678a8572f9,"4/16/2021, 9:09:57.002 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,31137f5f-836d-4629-a3b4-4686ef0061d1,"4/16/2021, 9:09:58.868 AM","%%5649 ",0x2,-,-,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e1817b9-fc15-4bba-a369-8ecf2af57962,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1837b223-df89-46a1-8cff-4175b1691b82,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97b2a9e-6eaf-45d3-8a20-e6b5bb4ed276,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d67e1a92-59f2-44a0-bab3-2a5bb47f6955,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,779b89bc-8fe5-46c9-8cc4-581653f3090c,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22aefa64-9cb5-4e92-8d23-4506dcaae976,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e04f3c84-2857-4609-a1d2-fad8ca9e0ec0,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb935acd-99fa-4fcc-b41d-866ffdee8107,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e058fb9-4970-4b35-a86f-28ef1e7ce52a,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3537dbbc-0143-44e9-acf6-ed91ef315d36,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca64b2e-c687-4630-b077-cb03cd4e4422,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c677ea-0071-4b80-b4f4-e14575f24954,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8f3edd6-8e5e-4f00-a3da-ec1365cb32a3,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ee9d5da-81a1-43ce-9306-e76d13e9b46b,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43df7332-0e0c-46cc-8baa-a245d0fe45ee,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a371cb2-6ca2-4fc7-b020-1d626f800a5b,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a9b5442-36c7-47f8-832a-0e28a84e89c8,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3f501d8-b991-4a9c-a4b4-c55594f7fc06,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add6c815-d57c-4976-9273-2e3b4aaef45d,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e4e8d82-b50f-45fa-9dca-70f2f5a3f3fe,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f9ef84a-aaa1-4d00-bda5-b0182c182aab,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,958609c7-03d6-49d0-aec4-55c5943a9826,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2de6f469-9218-4a29-a424-6a19a13f9e2f,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,410838e8-a58c-4c6c-938d-48c486ef3f98,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\CONTADOR1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9311c312-378a-47b6-9719-78990cc6e8e6,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f79e0b8f-3961-407e-8ab3-2e6bb25eadb4,"4/16/2021, 9:10:04.697 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50c938df-0bdb-40e7-b468-1345e21432dd,"4/16/2021, 9:10:04.697 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2e92a9e-6bac-43e1-949a-35c16eb95ee6,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8b07f8b-d0f5-4111-8a24-423d80eeb1d9,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69143d5c-2a3b-4feb-80b5-0bd14d0d8c85,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fa4e91a-1c6b-4771-870a-6cbe821b034c,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,309f06ec-19c1-4e09-94df-6c1f9c77923f,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,320b12f2-c139-44b6-a7a1-9a58eb725514,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d936541e-e3d0-4e43-b58f-21fabfc4e1ea,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b26fa52e-9666-4910-bffe-b11bc75e569b,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9ff542f-10a8-41fe-9347-6b6830e9552c,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b3d2150-8885-494e-a8fc-bd2415ac6eb4,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9b4e2c1-ad83-4c12-aa69-8bf7f2116b1e,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,292f8c8d-bd2e-44de-b26f-f0f3d425473f,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59b8277b-26fe-4731-b778-0e7a514ce78b,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30e6f88a-caac-41f1-b764-7d8afad0afba,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0427addc-ce12-4779-873a-a9fdff854984,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,128c0b63-2738-4a48-8fcc-fccee4ffc662,"4/16/2021, 9:10:04.697 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c2158cc-6f34-4b9e-9811-71fdb20ad23c,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f3f83b6-a5f7-41c5-adab-42d95b8265d2,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0cf9b2f-41c6-4cac-8805-e9c9301d528b,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a1985a-3b37-47aa-8e78-cdf40064bcec,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,153a14ec-e218-452c-a61f-1d20260d6935,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0368717f-5f88-48ca-874b-6e652b0ab538,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a76492e6-a969-4876-908c-42abf0856273,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7049147a-f1c0-406a-a016-c48390b508f8,"4/16/2021, 9:09:57.124 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b9b5eac-67aa-4eec-b387-facc2c6ae0c2,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf9c298c-c4bd-411d-903d-51630020bef6,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f327611-5ff7-4de9-b512-4fd0bd09ddf6,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,858e8cbe-bc86-409c-a49b-ebf0cfc554b7,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aaa7f82-31aa-421f-b74b-74d7de99ef2b,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc7df14e-dca6-43da-a05f-d28de016059d,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9501179f-6386-4c02-9faa-a8005f058495,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcb58264-4c10-42a5-8e27-1c1ff0878328,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c91cd8d3-98bf-4588-a439-e48e2ce8255e,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f96a1b21-7547-4c00-9822-9f66c74d333f,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95718e5a-7164-4b02-b053-17be96cae4bd,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,090f5691-39d0-47bd-81db-cff85a38d3ec,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d64b528-cf4a-4412-86e3-8e7ea8ba0e71,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,017a73b8-307d-44f7-b073-521e081ad0dc,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,458d1ffe-98f6-4d0a-8155-3cc1166c323d,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,258c6008-9cc8-4eee-b40f-6fde9941850a,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff18893b-ef4b-49ae-9e58-34b6935b8f1f,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5935933b-9dc1-4199-bfad-de22cde97ba2,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,343bd848-3d89-4ea9-90de-e47abed63a1f,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eebf2224-3a3e-4a7f-a59f-b49336b61d9d,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5724617d-70ea-455f-9b37-bddef245bb75,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,883838b5-8feb-4254-883d-a930af564fb4,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8fc3dd8-de29-4fa3-b08e-a897aaf60ccc,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3d01d94-58a9-43ea-a1c3-89feff01dd76,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dff58e0c-3f0f-4910-9f2e-253ed464ff30,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb5adb2-89cf-426c-92e4-d0608917ad2b,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54522ae9-c8ec-4829-a612-60e25b60fb5c,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f110a1-72a2-494c-bd81-1e419b642527,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2760665-444b-4392-87a4-2499d4161d81,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27e87c96-0ed0-421a-9221-4db5e3d8e667,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972d5ef0-5f2d-4ea5-b198-e583ee2aad37,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09f908fe-202a-4d3b-9706-df3c770f564c,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81452705-15c4-4205-9058-4e87971d5899,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a68ea8d-f348-403d-878c-60448e87aaa0,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3de45a4e-c63e-47bf-8795-bc33b068035c,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e535f09d-a746-4b37-8cba-859215fea4b2,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1116712-0b61-43c8-ac2c-af3fcb97b8cd,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73903fe-dc50-4473-bb90-ebc142747e7f,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04951bdf-b5be-499a-98b4-2c788e6af487,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d227981-f9e1-4941-a945-f3d2d90425fc,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbd3b44f-1767-419b-b279-489bab0ce070,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4af37a60-6286-45c7-b3c3-278fac1e91ef,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceaaa80a-4c8e-4857-a997-858889d4f5d8,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe46408f-327d-4d48-9338-c3a21d8a931a,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d90109-2174-47a4-8d58-a21643b88c25,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feebb97b-6a17-4867-872e-c5f973b54fe5,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fed3ca47-44b8-4d84-9d8a-29ee9bfd9c45,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8d876a-4c73-417a-b626-deb83be654eb,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34a427fe-5e8e-4261-a269-85efd31de7a7,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59379b97-6ba1-4065-9ddc-1623524c033b,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c07db06-553b-4f61-beb7-686774f058bc,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa0c72f8-6d92-4462-a2f2-c4e960f70645,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c98249c-81c9-491c-a92b-d54db3d65af2,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c455543-1c84-41cc-909b-4570ccbd5f77,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,497a8c5d-5e93-4bdb-8f20-0e5861bbeb8c,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74fff5bc-ab71-4aa9-a261-18a79fbb516c,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bee92464-5371-4084-9ece-9e6b62e287e8,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd100f27-0a9e-407e-8648-7b2ebe5054a2,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054eb2e3-438d-4dae-a269-799a87bf80f3,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5dd8785-3140-4cdc-b23b-45b087887485,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7534f553-b34c-4f90-bc94-bf2a5c4522e3,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc265815-5f5c-48ef-9ba0-fe2fcd6bb238,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11a32b4-d86f-418d-860c-af8f93fc39a6,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6b33ed-1bac-40fc-add7-177a5608a4ac,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccc29cf7-ac72-4f7a-bc47-4c3e01361b32,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a314a84-be36-4e5b-bb8b-b7285b493ba8,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,830b940c-176e-45f3-b399-6f6b2fa3ff45,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e735ed1-d4ee-4851-9ac4-3c348c2c57b6,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c51422e9-e94d-4d50-a7e1-12ac58e3c80d,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,518d7d0e-53f3-49f2-902d-c182cce068ec,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96d1e4e7-026c-46e3-b957-81ab9e1de32b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7fdb130-c70f-4b10-9d63-ea1a33df5fdb,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,123cbbab-377f-4f14-a0b9-9f2e51648699,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cccf26d-2452-4317-b6c0-dc819a87ce07,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a2c6a1a-c996-4406-b011-7cbcb2d2e31e,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6fc2f43-f41a-42b6-a49c-8282222453e6,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b222bbd9-a4ec-4ba2-9a27-7f235b5df943,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb2bb3e8-1fa6-4ef2-9d65-77e0b32de9fa,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0b6d762-cb45-4c52-b3e5-2a97cd72021b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fab1f73-579e-4eac-b226-f991e5869fd8,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4df43622-d3cf-44fb-b9b0-d1d33bd0b4ff,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22e30fdc-9b94-4fc1-80b2-4e83e2da9ac3,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e6ae82e-9e51-471c-9663-3c6b864bba7b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd139057-8b77-49c6-aef9-dbc161e6da4b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65b5352f-cfa6-4569-a5f9-cd9d4577b5db,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5704a270-7b26-4139-aa58-abf9bdaae772,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3483378b-71cd-425f-9659-fb9554de456d,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb9330e6-6dfe-4a95-ae2b-bdfd8058e55d,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a470377-0e55-48c4-acba-89b91da9559b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b6635d-cb2a-4af2-95d9-a20f8c9edf74,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5001e40-e972-4829-b1f6-615956a7d8ec,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8753f63e-5bee-4692-bd22-bed2218439ef,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a252cf-0f81-4d6e-8418-bbe0a076fbc8,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2140715-f71f-4540-b67c-a3c7d903eee6,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26a5beac-3f57-4397-9f02-bc86a67ded80,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,278d22aa-228d-4852-a909-a41e9ffbbac5,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c10b394b-c889-479d-b194-c839124fde1b,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa5a503-098d-4a5b-8da2-744ec2be3711,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,108a9825-dc50-4e1f-85f8-ca65362a1b32,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2846524a-2ba9-48d6-85a6-d20f96692f05,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd6f472d-3ebf-446c-b648-0e3c83d3e9b3,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b839abe-1ae7-40dd-a8ed-f3226dac2a05,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26d0cfe1-c275-421d-8c50-631181ba2522,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169a01a9-888a-47bc-84e0-dc5dd8bf149c,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a17e972d-619c-4519-ab12-697538cf530e,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe75046e-416c-49d0-a9b1-43585b630de0,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4d7c687-d437-426d-840e-1cc01ffddb4e,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e67a54a-cb87-483e-9572-e15b9f32e07d,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\CRESCO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9967d7-576c-4c2b-a69a-5f69dd6bb4ae,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,663444a4-9fc0-4b63-8c37-1ebf28d68d64,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ec4d6f0-7253-4001-9e6d-eaa6a4c78835,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a51607ca-ade0-4074-9ccc-588d1f6ad6f5,"4/16/2021, 9:10:31.868 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,03c08628-90ca-47b7-9bbb-a818d30b4a20,"4/16/2021, 9:10:31.868 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24194fcd + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,91a3ed7c-9cf2-4686-b356-28af2f78df4c,"4/16/2021, 9:10:31.868 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2d519224-df42-4785-b0a8-5084cf2ecdc4,"4/16/2021, 9:10:31.868 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,19457f78-e470-475c-aa8c-8ce38a7bc3d4,"4/16/2021, 9:10:31.868 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,3087b6ba-34f2-4bc7-ac89-46011ffb35be,"4/16/2021, 9:10:31.868 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,97aaf097-77f6-416a-8eb6-c3bd6750b462,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6880 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4e962ed8-77d3-452c-9be6-10e7d8b801b4,"4/16/2021, 9:10:36.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f2bf5664-313f-4b59-a57f-8ac3090067f4,"4/16/2021, 9:10:36.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b26ed9fd-1d13-4372-9706-8a77be400001,"4/16/2021, 9:10:36.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0bc4001a-e3b7-472d-8654-e8ecf2d62587,"4/16/2021, 9:10:36.412 AM",,,,,,, +\XEROX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,df1b7c9a-61e3-4c2c-8b93-2815c5da98ea,"4/16/2021, 
9:10:36.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3431a6b2-4cce-443f-a10a-fdd6c43d3d38,"4/16/2021, 9:10:36.412 AM",,,,,,, +\OFFICE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2cd75eff-d781-420d-a02b-a0d02895c413,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,17b4136b-fc9a-491d-9139-8b256318ce18,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6f1dac72-c973-4091-b203-aa719ddf1de5,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,14a2af0a-99f0-48e8-894c-92f537e856cc,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff4d488e-6f45-4fdb-b493-df8ac11cb3e8,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51e23edb-5a0b-4cb3-9e63-9a779876d79d,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3053d3f6-a5f5-422c-8705-cb824757359b,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, 
+,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,77e08b18-7a80-4e44-899c-5c2f368b08eb,"4/16/2021, 9:10:39.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9972842-ef12-45e3-bb9b-44a3bd0b7091,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8316d931-c907-4642-a34a-33db5cc89868,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b19d1d3f-f47d-440a-ba74-5cedff02a5e7,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea1afb7a-74a9-4e5d-8b76-b5067252adc6,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12420d84-0609-4b12-b203-333c9a47267a,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a3c9c28-fd43-4f78-9271-d3baa277f2ee,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22859bc7-89cc-4e20-8bc1-aa0ea1feb932,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba2a43af-23fc-4392-8417-a514c3e78c1c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8cc1f7-4a30-4624-9776-55ce07a69326,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6282e926-e6a9-465e-9855-2956e5a5812c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9765b48c-4649-4cb9-ab46-3617d42d53d2,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f6acce7-f300-4006-a849-a040b1f32ed8,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af9bfe18-099e-47e7-b4c7-94e90bc4226c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,608697d3-5c31-4228-b061-f9e5a47b1b96,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f123916c-e1f0-4d67-bc05-7348e08c5b7c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f66e5c3-2486-422c-9b38-1fbd54a8ce0a,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af45919-e667-4db4-b942-49b7c8dd46e6,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,088babc2-09e0-413f-baf7-005df04fa060,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,728a6a68-c2a0-4fdd-b663-a7411dda0022,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,844dbe86-635a-444d-9e71-8cdf3eb834fd,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be10ca0d-8ac3-432e-b517-aa8d506758dc,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fde8aef-411e-428d-bc85-6b1641310bd6,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,566287e1-0e21-4ee2-a980-3884fd9d2e15,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81eef13c-db0c-4967-9477-817984538b79,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4735ded1-b1a9-495b-98ea-c2383d64af78,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f88fbee-539b-4c40-9dfe-a7fb0a8ac710,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9244c70b-8de5-4cb4-99b2-34586425aeec,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a79ca40-f2c5-4670-a5b9-2c0a1c68817a,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39bcdae6-d063-4061-904b-524dddd6ff8f,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbbf73f2-4dcc-4b3a-8f75-8b4d0da1d10d,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,840c2778-42e3-4c37-86ef-bb7671e545c2,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\DONB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24e9c20b-f397-4f48-b86f-dd9697563b2d,"4/16/2021, 9:10:42.684 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97fffbf0-38e1-4b58-a461-9e35aa146646,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\ABCD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,835dae7e-74ad-44d0-8e2b-7588b489aa8e,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,316020a8-fcd1-4666-abb3-b571b0110759,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fc6ed69-623a-4785-93ad-ad96246d237c,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a913dcf8-908f-4565-b314-9f02f0d01391,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1bbbdbc-aefd-413a-beb2-7a6c93817a8a,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0aeba048-21f3-46ad-b69a-ab3a05566669,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25e96de2-e336-4bee-ad84-cdcf40bfe879,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e55e9c15-2a68-46ce-87a2-c485e82acbff,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be6ab541-feaf-4caf-a7c5-c3d69b86be42,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e373a57-f7cb-49b6-8bc4-c9fdf3b467e9,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8e7c341-263b-45e9-b4c5-9bd9af0cd8e4,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bae5060-2461-4ee1-b278-ff8ccdf8a1e9,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba71c848-d90b-4507-a3a4-517de30e92e6,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 9384 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows 
Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,576b88d7-667c-4131-8752-e02b53b1f728,"4/16/2021, 9:10:43.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e52b97d1-d1cb-492c-9ded-c8793d923c53,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7004 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,120e00f7-ef7a-4ff6-abd8-9bf1a02e07ad,"4/16/2021, 9:10:43.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9ec93b70-50dd-4504-9bb6-a6553e928e56,"4/16/2021, 9:10:43.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4cb86af0-80d3-4d01-8676-1f9f56a417a9,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,44e2c77a-5e87-4c23-a8ea-b083ae562a53,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f4ee3329-3ef6-4e24-85c6-85a3f886eb79,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,30544896-33da-4647-a513-9f2e6749c0d9,"4/16/2021, 9:10:50.289 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8212 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c09f0739-b08f-49f6-b864-1c167e925993,"4/16/2021, 9:10:50.289 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,872f7df6-9d54-4d7d-a3c6-e10aa615afcf,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fc56b65-aaed-44f1-92a4-7e416c4eee9d,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,991e2f31-f4f1-49b7-ab85-bfa3ceacedb4,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c987b08b-b2a8-4dfe-a5b5-2aa185f343dd,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c194b937-1d2c-4d01-9bc4-190f62e15bbf,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,608f03f4-e539-4188-8eb9-8f8a75fa6ad8,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385ee6cc-31ad-4f2b-ba75-6bf79496313a,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,798e2fba-0492-4842-a7e0-a969e83b0937,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c199f77c-77f2-470e-9f9c-f36cbe3553f1,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba0ca421-5f28-4c56-b2aa-06f2d4247ea4,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f06197e-21d3-4ddd-b53e-690932cc156f,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec2aa99-d3ff-45d4-9dfe-f585d2bafd59,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adfa01cf-a0ba-4aea-808f-3f51598b1d80,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a2b8e2-50b1-4768-bb83-cd5af23c3ccc,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,461731a2-c614-4059-ba41-f6ff3e16152e,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef0175a1-6e5c-4a60-8cae-14a37588fde6,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae0bdad-a289-4a9b-bc1e-2d2dbd14a8bd,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fef1bdc-fd66-46a4-8d8d-a954d4f1a489,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cddee46-de0d-42ce-879e-8aa5c643e362,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb53ee8d-1baa-484f-8a55-8474d9047810,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daaeb663-371e-41e6-b40e-07b7f5f7c345,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef1b5807-91f4-491e-a26b-4a4efeea0b11,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd7fb416-88d8-4a7c-b55c-bdc7e54d64e5,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53423e25-66c0-493d-9fbd-03882b0d3265,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ff61e9-b303-494c-bb26-83a85622f26d,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0d0ec920-fa76-4643-8bdd-7591519a2d52,"4/16/2021, 9:10:52.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e049efd0-2a9b-47b5-a69f-5b0615ee7ec9,"4/16/2021, 9:10:52.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5132 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dd38168a-11f7-4f8b-9b02-5379afc9eacf,"4/16/2021, 9:10:52.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cc60a56c-2446-485d-99f7-04e5227a2f40,"4/16/2021, 9:10:52.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3566f69d-6c6f-4a66-842a-c5b8b84ecbf2,"4/16/2021, 9:10:52.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bfe27a65-017f-4c67-aeb1-d014d9e1e41e,"4/16/2021, 9:10:52.731 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74eab10-29c0-424e-a2ff-f3f717ac6b8f,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae568764-90c7-4598-8e64-6755a4f1b3ca,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f53c46d1-803d-4124-b49b-0c665e392a96,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38047bc-7b18-42b5-a5d2-59cbe1136cfe,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a102422-fa04-42ca-8b71-c9d1cdc92c64,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7510cd91-67b4-471b-87c1-9f0d1fd9026d,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c00ab6f-f2d8-4273-8933-f8b511bd72ca,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9676c39b-609d-47f4-bda2-1bd0fdb91570,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f9be47-9191-4f0a-bb27-477e58711983,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6634b38-88df-470d-938e-afab6937c1f8,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdcd6cbe-89f0-42f5-ac79-b01f44d73590,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5618b154-498e-428a-8a6f-886497e1e4f8,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2829a7e-849d-4b46-9f04-f720c9a007d4,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12845014-84c9-44c1-8dcf-84418428add3,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,438cbcd1-f68b-428e-98c3-d1748c457f59,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f903ce5-51c8-4894-8e36-8fa050d97f42,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4d63638-2944-4c57-af97-373d79ce8433,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4fba65c-b054-4204-878d-fff498442102,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385da942-c94e-4675-ac7b-b25134961ee9,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71dc152a-522f-4533-9e0d-6a1002c163a7,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2353a27a-014b-440f-828d-e2192dce7654,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ab75562-6c68-4d38-bb45-69ed37c385e1,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcc117bb-a9a6-46e3-9ce5-e1d28bd86dfd,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19cc69ea-1e79-4aa5-b4f6-e045cbebe395,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c630c736-05a7-4157-ab6b-f81bafa431f3,"4/16/2021, 9:11:03.060 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,686c4154-3acd-4956-8f40-8a85c760c1e0,"4/16/2021, 9:11:03.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2d0ffb5f-4686-4d35-aa28-b62671355304,"4/16/2021, 9:11:03.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fce49ce6-f7e9-47e8-b5d9-bd4a9d81fb6b,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fd8ee710-e5c9-40b9-b2ea-610326e38d9b,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42d46dea-d2b8-4be9-8814-abe7d2cd492b,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c9441bb2-1d67-44ba-b48d-f70e739f9a84,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,08c46872-c59a-4636-a20d-746dff049920,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7bf41a9f-54d7-49b8-b3e6-cbb78a4fa99e,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,10923e31-d135-4554-b7cc-0c70d3d3120f,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5e282987-d322-45d8-8cda-08d1a09d0d03,"4/16/2021, 9:11:03.060 AM",,,,,,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,968075d2-1239-4ef1-8879-5b8422d69fd0,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed7e5860-da80-42a7-a114-dede2323322d,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61bb9d4f-6267-4087-91d6-e57672e63a65,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0e357e6-f3f4-4b87-aaa2-e2e76d8bc66d,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d88d26c-1f97-44b9-900a-7437732e197f,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d455e7d6-d80d-49d8-b1cf-dd10b6feac6c,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24acbb3c-b690-4fdf-839f-2fc89e94ea13,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4563b27d-bcd7-4623-81af-ed56117e5914,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be4b709a-f9a5-4db7-ada3-90487657abd1,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,329ba780-545d-46f4-a2f5-fd5f1f1eb852,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29f07283-2e9c-434f-8b0d-b9049b1bb62d,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b304cba-ea48-47db-bcd6-a0f88a50d083,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ca657cb-930e-4203-9b91-5c9ea13b6364,"4/16/2021, 9:11:00.724 AM",,,,,,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d51be18b-0172-4f83-84a9-49a51d8132a4,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71e1b3ba-8851-4d31-8aa9-59e3b3d98b8f,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94d60033-fb42-42f8-a5e2-682b3099c146,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68f1cf6f-88e7-49a4-80ff-2184ec5f9bae,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9f58e5-71b7-4a6d-80d2-aece01f4f93b,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8c429a9-9118-42e8-a353-5e2d62acff22,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bad30ea0-48b0-4b64-820e-f70131756f4b,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3730b11a-7120-4e51-b508-e69822519fc0,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac7251ab-4e94-4e83-a366-7d930db363ba,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ecee55-fd9e-4b8d-bf43-92fc147c4dd9,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3bd3c32-6a01-454d-8565-2ff1153abcb4,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e91ca9d-d332-4846-92c1-ccc385d19ac4,"4/16/2021, 
9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8926ea03-5d74-4d1d-a725-d8df765261bc,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1718b2c9-b72d-4a70-acf2-9ebbf828f4f2,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50568a95-d7b9-442c-87d8-aa64243d140a,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4838ed82-e244-4348-86a3-cdc7712b88b5,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0be8535-4540-429c-9208-bd2d8198c42b,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,880b7df8-d457-43c4-b93f-2a8f99dacead,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e16664-d4c8-44d8-b19a-dc24f9dccae4,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a07e17e-d0bd-404f-89fc-68e3bcdc437f,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee9feee5-dc4a-4ffc-97e9-f3cb972511ee,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc94398a-d128-4dc9-a8d1-c98aabaac25f,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,851d2273-9143-49f4-9f47-ccf061fb2351,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c430989a-f45a-41f8-8599-b78d37246dee,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a8b635-7bf6-48d7-858f-3af044051779,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f67d2a0-9dff-4e65-a507-db9d85e976e2,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57163521-1d2a-41a3-9254-f047ff3f7af0,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f6ed943-e2b4-41f1-a0e5-af7da3a2a4f6,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d2c6d80-8a21-4f8d-a57d-2ddeda343b80,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,274eb9f4-e5f9-4b8a-99b3-dc391a8d6d69,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe219874-3716-40c2-8bae-0dfe70611960,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9164fa9-06f8-4916-a0eb-0fdf7a84b84d,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3e453e7e-32a8-424f-a20a-701a0c3d9122,"4/16/2021, 9:11:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b5927f49-25bb-4a33-bae6-061d84f0e38d,"4/16/2021, 9:11:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4104 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,06945577-4ba0-4f34-ba6b-3adce2f0c907,"4/16/2021, 9:11:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,52bf1564-62a2-4ba7-835f-521033c66b00,"4/16/2021, 9:11:09.882 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,74d64438-7248-4993-8dd2-453352fec2da,"4/16/2021, 9:11:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6996 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c6023474-d721-485a-84c9-4f9ac9747543,"4/16/2021, 9:11:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,90c90d97-315f-4d38-9b4f-85e05c93c64a,"4/16/2021, 9:11:09.882 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63afd8d7-eed6-459e-ac0d-bb10a646d14e,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93dba52b-7f66-4a4f-a60b-f861f5702229,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc1dc24f-41be-445d-af23-7a124861d022,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f902be-54fb-4f09-88b9-f8fbf16392a7,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3de9e16e-727c-4d7b-8765-1f8e76dc22ce,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,738c034d-7acb-4a10-9a06-2f5b1d04680a,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f79f75a2-847c-4f87-9b50-f08e836609e7,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4219f38f-d1df-434a-a254-b9907d6d1493,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eb1f34b-f621-4188-9326-5995027ae28a,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f595160-be41-47bb-9231-5ef092fa2d59,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96bec34f-2c84-4387-b7a1-9863dd247bd0,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03408799-8fb1-490e-a99c-21c4f74c9e85,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8d2c6fa-4e8f-4320-b6d7-6d08e946975f,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a14c92a0-0647-4317-899d-a4bea820c3bd,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,224b17af-f021-4f16-aa7f-a8c08d3c9512,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dce49fee-8b68-4cdb-a00e-21e231e207d1,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef80cea0-f878-4603-88b8-899f33417cbd,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98695171-1988-4af8-9e62-0076b27cd836,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c142f0b6-c721-4a1f-ab17-4ad683f22f51,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5da7788e-7e32-4b0c-8c9a-dfe11128ebad,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed00e06-6ebd-48b9-9450-a63d43b73c63,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6069795f-7752-47bc-9a76-cb329a0cd8c8,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a4e0d9f-2e42-48ff-8bcd-f2c5966c4a59,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cf3876f-1b36-44d6-93c5-84b59a845a87,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aab0bc1f-34c2-45df-a925-9ade018f4834,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9816459a-a463-493f-aaa9-66d68edf5c4f,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce403c54-8552-4c6e-9df9-26a6c90b312b,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a7c22fc-8f4e-4ce8-b17e-5e7ca16c78a1,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba01455-f995-4781-ae7c-9e64066ba899,"4/16/2021, 9:11:16.701 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eed2ffe6-be36-42af-813a-8f5663326bfb,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd4b627d-98c6-4358-ab5e-83e957817f8e,"4/16/2021, 9:11:16.701 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c28a789-d450-470f-b788-74babfdb5e49,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51074e6c-f383-4fdc-90c8-ce36a7cb9105,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,214b1806-86fe-492f-976d-594fef428bc1,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c587225b-4761-4343-967b-72012e38ba1a,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,675bf432-7e7b-4ddf-ba80-5b29686c5837,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d52f021-7637-4993-82af-215ee81be9dc,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87ee277b-8fb7-4f1a-ae11-81638494c58c,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,467f4596-d82e-42a3-aabb-d0a058e89803,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, 
+\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a05e689-b147-4e7d-8ede-13188d87faec,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84155fca-e73c-45dd-92c0-17d29bfcb998,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1e928b0-3b74-436c-9434-086b91f1d671,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05377178-291b-4d63-a0f0-64e364706970,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13b884e1-45af-4689-ab8e-94e2f70a5b73,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07aa28d-6fc9-4d4d-aeef-6d1a9f61dd1f,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c41695b3-aadb-4117-9041-37bf14b74fdc,"4/16/2021, 9:11:18.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9136 + 76 + %PROGRAMFILES%\WINDOWS 
DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6f42ca69-9737-4051-8387-5c33caf8b586,"4/16/2021, 9:11:18.601 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,0e6c3f00-1cfa-4637-b369-5c04b6831b9b,"4/16/2021, 9:11:18.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9d82b5d0-6696-4572-a90e-0ca900580cba,"4/16/2021, 9:11:18.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9624 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,46490597-4d85-4c1c-89a6-21e07fae7836,"4/16/2021, 9:11:18.601 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cf300e6-dd6f-43fe-bf0a-f5e47159bd4f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11338210-5e55-43c4-8e9f-5c4c1977a5b2,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626370fc-20da-460b-b39e-aff6bfd97237,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8ffad4d-0482-4f51-a6d6-ae108761504c,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c19dd86-1b66-408b-850d-a8a662e798ad,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a60d4303-889b-491f-ace3-9336bdaadfde,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5be0b8-3233-40c1-9d4c-5aa1eecd0edd,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a2e63c7-df2f-4bfa-917e-fdf3153bccde,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fbc2843-2dc6-4c7a-87b5-c27ce90b5789,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140d9c6d-872f-4d9f-8e02-65405ba25e1e,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30b997d-ffa5-4c8c-aa37-7af97a3902a7,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80379ce3-43e9-4a95-8196-35b43a0a126a,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18264e54-36d3-4838-b19f-994dc2172b0f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc6459e-da42-4cb7-99e9-9a15b827b101,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a51ed409-b868-422c-839b-7323509fe31f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc3aa6f-7149-4cbe-a8d9-46b7bd0e3962,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f50cbca1-d988-46a1-b9a1-c2f7305b6db7,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a086a6cf-0a40-4c3d-a236-e36a78edf32f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3509299e-3134-4146-bc3c-c7744787216c,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,961324aa-e8db-4c08-add9-9bb01468807f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35cd37df-4fda-43bb-9bdb-eb379b914967,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,35477adb-e388-4249-b2fd-84391d36bcf8,"4/16/2021, 9:11:20.126 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ecb4d3f-c5d8-4358-98de-948aea740022,"4/16/2021, 9:11:20.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3336 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0320cd0d-627f-43fc-b331-cd050443b68c,"4/16/2021, 9:11:20.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3316 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,447bc178-0ea5-468f-86e0-cad4c8efc3f9,"4/16/2021, 9:11:20.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,102c360c-38bd-49c6-89f2-a126c594530f,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be721fa-a70c-48fb-8625-cd50c6f4bba5,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b754f7ec-5d68-4a15-be71-b770040fd389,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a556f259-e3b5-4696-b443-553b4bbbac5b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc50c5d2-1f58-4c10-b345-b2091d21982a,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f883d70-eb72-4b12-9f9b-87ade9c5b03f,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d666a1bc-a993-43bf-a85c-12f730318d65,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de96c09f-0c85-4dc6-bbcc-9a086af2219b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b2f1dd-af0f-4c1d-81d4-e1e196617027,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8415a36-5541-4464-9d1d-46100b3ac14c,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b622e2d6-9e5a-4547-8371-7976aecb7be0,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,620ac9e7-10f2-4126-92ca-33cac1e12031,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73172588-3e79-4ea4-8150-5ada04642bc0,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,778a472e-2bba-4859-bed4-39c8d1141661,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8457b42-61df-4e78-9f73-348b618bac4a,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05ec07ce-801b-46a1-8799-a6b7a2c99ca6,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2dadb2e-7b6b-47b8-807e-4e75ae8230c4,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b44766db-5b0f-46d5-b5a2-2047cae9a621,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddcc9d23-f351-4027-a408-3c144afec72b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6c4dee-9647-4767-b920-5f409503c60b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87adbbd6-4c4a-45b1-9189-4f513155d4bf,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc745f2e-02b5-4c27-b73f-8ec132aa0865,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c04860bd-2b25-4202-b512-553f142bbb8f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e84a6008-ed3a-4016-8c76-05d2ea72b324,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0269b40-91e3-4d73-80fa-9d725819780f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\MANAGER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6120075c-da5f-409c-ab0b-d280d2eb6736,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21311089-59cc-48af-bc78-350f4956bdaa,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a21eae87-3baf-4bfc-a2a8-e960fa0cbd2f,"4/16/2021, 
9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ae67791-fa5d-4138-80f1-f31cd03e738c,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\SCANNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3c134ed-b5da-479b-bffe-01f73cabea36,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a90cad5-72fd-4fa5-8787-3ee436f95868,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,796fa3e6-cb3f-4641-ae46-2f6e5999cd9f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,338c6de0-1939-49f3-bf78-1ee1b84248ca,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab305137-e4d4-42ee-8c27-45c092db4f00,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad4a5960-b0d3-407f-9dad-31986d60d0e9,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c1fc59e-a6aa-4dfd-b3d0-6e17b3266260,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71c3c64d-1c3f-41bd-b804-fdf325b5774c,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a9617b5-6972-4bd7-9b64-59f18299726f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,242d09a2-36fb-47d0-a317-aae42f3403c9,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,854bebac-3b74-4e91-9b5c-6376cd501a12,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bc7c599-c588-491c-86fe-0a19278c731b,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edc36fd4-b48d-46bb-97f4-2536c088830b,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a77ec6d5-304e-4070-abd7-a6c199322703,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,212bb93c-695a-4897-ab3b-c41cefa1e56b,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8e757b9-47ca-4726-9f44-c86fb1808fcf,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1570a11c-5460-490f-87b3-6066db29751e,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6c0ed67-8e60-4345-ae3e-45e5caec3142,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d3e027-f6d5-4f0a-9190-5520f9f5ec40,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5c435be-ad12-4c92-81f8-518b35b65c16,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d6a71b5-43e0-4883-a872-0611cad5b2bd,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa64173-af6a-4c33-bd7c-d480a29fe0a5,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db98f7f-c381-40dd-a6bd-378e2fc9a12f,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e23abe-e38c-4cd5-815f-4fbc14ec4a90,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fce35cd-2442-4ff9-b896-3e2d1f86afae,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac109a5e-c9a1-4a5d-8ee8-9d42bcc32900,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d950560e-1f95-4373-bf9c-297ffb907ded,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbfb2881-41f4-4f8e-b791-e67b6baea7a6,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d542441b-7d54-458a-81c2-91dd019c51df,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2304405d-208b-4678-9e2f-bde28b1d4be8,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26c4707f-9761-4b1a-9f6f-76e16fd9c257,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 
+ SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a1caafc5-d12f-47e8-8e04-f9856d4b769c,"4/16/2021, 9:11:35.142 AM",,,,,,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c793795-c228-4564-aaa2-65bacb5c7291,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08ce831b-8fd6-404d-a4ac-ee45166eb230,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51cb94de-e107-4046-a07d-2ffb768511c1,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc26183e-4c10-4d05-8cf6-eb9bef6e8dcc,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9cb86a1-aab5-433f-af79-adb6fa68d92f,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,512166df-fea4-459d-b75d-863ada59e7ca,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e729cda-a69d-4ae9-91ed-5c918572d503,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, 
+\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b64e3bcf-f0e8-4af9-b16c-57fa37aebba8,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0533d688-2f4c-44d0-b144-037e2a19fb48,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f27d2eb-2a24-413d-96e9-c3ae038d618d,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fab8cc2e-e706-47e3-aaa2-1828f8d1b427,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8631f116-5db9-4104-98d8-1931d91f6245,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a7a6f806-a37a-4f26-93e9-fa1b713dfbf8,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,70d757e8-1425-476f-9d6a-dc1ce546e5e7,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,57f5099e-d857-4e92-820b-37604691308f,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,316b6807-159f-47a0-b79f-357f93982448,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7f075963-bbc4-4d2c-abdf-f0f3ee69563b,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ba05cccb-a470-4274-97d7-2f1047c93311,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60ce6b5c-38ba-460b-bb11-ac00ddc6c9ae,"4/16/2021, 9:11:36.060 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57da6942-a8b8-4311-8185-4874f9dad108,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbeb960b-0a1d-4d1e-9f93-6fe9e4f570f6,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ad92f2f-65f6-41d1-b22a-a88a1ca2e416,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,394d6b7b-489d-4645-806c-f19962245334,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad605f4c-00bf-434f-b81f-c08c46aefaa0,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c896abba-41b0-4664-a92d-0627e3de7463,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0d075fa-a036-460a-99d0-a5e7e3071652,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaf809fa-4d67-4af1-9093-e0fe3daecfd3,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e326f45f-ae6b-4e45-bf67-3525c532f7b4,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\GIULIA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4c6d217-3191-4705-b0a2-26d5736018eb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ae949d-0707-4a61-8930-21c0726fefcb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,283801a5-a0b4-49ad-a4f6-ff4c5e617beb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b32f4a-09ba-4a6d-b21b-fd57a835f04a,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4814c9b-1b35-4ce9-ba57-c2b21b84f943,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b97acbee-fc03-40d7-9195-930b66630e6c,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8db467-254d-41f6-90fb-870ae879bd18,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2a626b8-1ae6-40ce-b3eb-b27243103a2d,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2fca46-1ab0-462b-913c-4a0232872851,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605d68df-208a-400e-be66-36cf080274cb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e916f22e-80cc-456e-97e1-441846927558,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baa9ac12-3a38-4910-951a-f3ba44bd6205,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cff90eb-82b8-4d22-bc68-34d074f6ff81,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4860 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,348d4450-12dd-4dfd-9b27-ad16725a9523,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c1430515-468e-4493-919d-782882646f9b,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,12f061d3-3013-4fe6-be95-3dce25d7089a,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bd966a87-0468-4444-a68a-d067c2be8dc0,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1612 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39ceaa07-9d8b-4257-aadd-71f579276d73,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4e9e18f5-2820-4e39-88e4-1f3df33dade2,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1e540553-dccb-49c0-9a42-0a8388dd83d5,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d2536120-7c06-483e-8277-458d9ded4f7c,"4/16/2021, 9:11:46.835 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,62ad83b9-0d26-41f1-b432-ec27e43104a4,"4/16/2021, 9:11:46.835 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a47e038a-eb48-460b-ad57-b1a9045c85a7,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3952 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,81f3db33-d78a-4486-90a5-0c144ddbd2e5,"4/16/2021, 9:11:49.272 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7268 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was 
allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e5c70f59-b598-4276-8747-3d0b658cec3d,"4/16/2021, 9:11:49.272 AM",,,,,,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b3cba2f-aa2b-436f-90ef-3fb13e412c79,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58c36e86-4772-4c9c-87de-415788c84150,"4/16/2021, 9:11:47.410 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68e077c1-8f95-4014-92ab-79d0fa85f900,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\POS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6bf1d49c-c82c-4221-ac61-e7c53c2325be,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bcf24924-441f-443b-9887-48caf4c91247,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\RICOH,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ff8daae-39d3-40d0-84f6-bc8b0bdc2b92,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\USER4,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,121819e5-ba06-4faa-877b-fce73885c060,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,574471e5-c11f-4c75-b216-653dc91c27d1,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,,
+\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,24a03a99-b387-445f-9fd7-d6ae4e7632ce,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,,
+\TESTUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03b9516b-9036-4e7f-ba60-51d9aa6d7c7f,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed76833d-b6fc-416c-82a7-37909e8fdb8a,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3091c41-a322-4691-9e9f-5083a8afe374,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa2262a4-414e-451d-8dc6-f99891207d93,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cbc09af-783f-44c4-8a90-1aa709671453,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbedf53a-804d-4be3-9949-b6fc56b87617,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42f3fdf2-d973-41ee-859a-6a7499c75a2f,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c38795ce-38f0-45dc-911f-d3cfbe880491,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28bef4b7-96e8-4266-b216-221ae7308313,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbcf1dc7-a969-4b66-8156-deec7e9061e8,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68a73a85-02da-4ab6-adf3-4e986758cd3c,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7015a220-68b9-432c-99f5-24f0cba72836,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98bfe686-aeef-4d28-8829-733cb9d4f8ec,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69fe6251-b113-44d7-999e-801ffb783e04,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c87ce55-2a53-4233-8bc5-600f73447ccf,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\SCAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,301db968-d613-43b4-8aab-02e09dc51731,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd8ad945-5d01-462f-adf5-29857c512468,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51628440-4b1d-4750-84d2-7362313f5ba1,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d47214-4011-4c53-bb49-592b1d7a5036,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b3d8033-0a5d-4983-8486-416a599e5007,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cf431d8-e8e5-4e7b-a45d-fa3ab36bce61,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c1c0136-5f19-4b96-b865-b24538549a51,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97a20985-a1c1-4963-bfd1-5f2046488fb4,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03eca55-0dd6-4840-b5b5-d9ea0a942dba,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eeb97ab1-29fc-423e-8616-9ed62c535cf8,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,761fc746-f8a6-4f99-8969-22d1d7e0f6a8,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c41132f-f289-475e-a4a3-431bf2110093,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d19ab91b-f8d7-468b-b86b-992601ff3b85,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6fef7bd-efa1-41f7-a60e-ebc08385baf0,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d50c5e-a76d-4d78-9276-227163f358c4,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a89c4177-c232-45c5-8205-7a5ee3dbe811,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,775b0189-3c38-4d37-b8f3-47298acf1cfe,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1121511a-20d8-4d87-9cde-445fdc4e828c,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,685b9ebb-fbe9-4dac-9b6d-5eb4b0d9db50,"4/16/2021, 9:11:49.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2515feff-fcac-468c-9a4f-78880d3d7557,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34b36d4a-9732-46c6-8253-c2fd7e2052ae,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2650df8c-a540-496e-b76f-0f0fcad956c5,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ab91f18-1911-4fe1-9ab3-011252c90493,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5584 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a176a91a-21c8-4d4a-aafa-16eceb94c55a,"4/16/2021, 9:11:49.126 AM",,,,,,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2bb62b-effd-4eef-b1c9-8a8ed45b9760,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc9558ac-1fdc-4652-a951-dba64734e97c,"4/16/2021, 9:11:49.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51efa458-cb7f-481d-89bc-336b0797e9c7,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d01bcb-e2e8-43e9-862a-c82ba128868b,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4447700e-0a15-4cbc-b114-60f1d0a670c4,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2272ef4-988b-49fc-8015-5e39d370b41f,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c01926d-bc82-4835-835d-441a3d2c0fca,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e9fd9d6-3015-48cc-8136-37cc17a5751f,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e323db2-becd-4f7d-9eaa-318f312798ba,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,280cf903-184b-434d-a3f7-dd9c5c22e2b1,"4/16/2021, 9:11:51.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,505be1ff-e614-408e-9483-199ae266d9ec,"4/16/2021, 9:11:51.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,538d49a8-19af-45b5-b79e-5da8ee9337a7,"4/16/2021, 9:11:51.600 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5156 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,49a31f16-cc9a-46d4-9d9e-8361b43f9a93,"4/16/2021, 9:11:51.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,223b275f-d4db-4965-adab-7a0fb1e23bae,"4/16/2021, 9:11:51.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11084 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a01562b2-eace-48bc-afa2-5347a440c9b9,"4/16/2021, 9:11:51.600 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7d5f705-a85c-498e-bd3d-9c4957e91998,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d8bc3c-319d-4f28-91d0-eaf9c2c3dadf,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e59a4303-1817-456d-aa95-21ef2a33901e,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d9b0353-6065-4f7a-9eb1-59db36ba05b2,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cb2b60c-97de-4410-9e9e-a9780150ba92,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22b7aabf-9d31-4d17-842f-1a6966b83ab0,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77858c6b-b437-4050-8583-c9c425675097,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8db3dc7b-44c0-485e-9c57-1865698759c2,"4/16/2021, 9:12:02.735 AM",,,,,,, +\DEFAULT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b48e2ee-dffa-49c1-859a-dceb4be5df98,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f55b2811-1c3e-409b-a6ca-a22012d60525,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22ac7829-d82d-496e-a7ab-00ae12d4af7e,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fa029cd-cc43-4723-8c0e-eaf724a6fa05,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36709247-7a05-43b0-9667-d6503b9c0ed4,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b685bda6-acda-4f4e-a370-3785e61aa070,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e08216a5-8322-4b64-b279-b7f87f70c7c3,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+\BITMINERANON23,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0a0cdd5-a11e-4539-8a96-892cfc946670,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9256a571-8f72-49ef-9920-20a8eec9abd8,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5814bfbb-9102-41cc-bd96-4774bd253511,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c0559d-485d-4b3a-be2b-941aa6a0111d,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77afd59d-ce67-4cfd-8add-d7e4a8866739,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e4d28c9-3f48-4107-92f1-dd7726d0b775,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b7067b9-06d9-4455-930c-c1516d33b02a,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db4d5ff2-ab24-405e-95ff-785d0cd0d50f,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c6bbacdf-3e0b-40d7-9b01-2972cadcbea3,"4/16/2021, 9:12:08.081 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,282a3257-ed6b-4150-b7d0-7acbc3ca8b86,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,270aea9c-3cb6-4c89-b13f-ce8340ff9a85,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42c3a718-f35b-4e46-a1bb-145777ddfa0a,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ac1e77fc-21ff-41cb-a30d-f0c54688e51e,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3b9025a2-af86-4e19-8052-807aee90996a,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d08417b1-4956-4cf0-8b0e-b4b5501f6908,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,97dcc713-fda8-4c4d-b747-877d352324f8,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d39850e-0b6f-4b72-950f-8a74409b5a1b,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f06bd9bd-a0e7-45fc-abaa-c381837e82ae,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9f30768c-6fe8-45eb-a258-d117f665657b,"4/16/2021, 9:12:08.081 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,e91e0068-536d-49e8-87fb-87261d28d091,"4/16/2021, 9:12:08.128 AM",,,,,,0xaa0, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,8587b7d0-a23d-4f5f-9b43-9b2c149684a8,"4/16/2021, 9:12:08.128 AM",,,,,,0x0, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e67a606a-d1a3-4ce3-824c-365aab60d2fa,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a21018-e671-4807-85c8-087565cfe9d9,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6590da7-9d9d-4e5d-b7dc-2506a72d4153,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e92868ae-d224-4261-bf30-90c054c958c1,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd29858c-5935-4cf0-8710-4c8997b6e0b4,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e5b04f6-9a2c-4345-ac59-d328889ebf82,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f57a1876-d2b8-4a79-9d7e-c7c9fb387447,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cdb217d-eebc-4059-9d51-5c1884870a57,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ceb328-df85-41c6-9dfb-4ef3edbc2b68,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a5621d3-306a-45b7-b6ed-d38fd2ff01a2,"4/16/2021, 9:12:08.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e7e2505-7005-49a1-a966-5cde00234848,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +NT AUTHORITY\NETWORK SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2740 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 
ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,7646376d-5de9-4655-aac1-1483adda9f39,"4/16/2021, 9:12:08.128 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b132bd44-4e3b-4a67-89e5-f0177ac0efc8,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dba2ced-6d74-4e8a-b8da-83d601b751fb,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef3ade96-1d39-482d-8842-5c9dc0598501,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b92769eb-e593-48ca-8fd4-9e7211679c93,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2af7ec1-0fb8-4e6b-ae7e-6069c1ce092b,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8e903a8-eefa-4bab-bdf7-c33160af2260,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c6fe4b7-7346-43b9-a037-fcd535656574,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f10e59d-a05c-4475-b7c7-0b10896bcf29,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d10e5e-1281-45a8-b730-75ce033ce06a,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73ee1d3d-8106-4c64-ab5d-ad316ff0e157,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ac5887-bf2e-4c3e-a29f-86f7b587c595,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f38b072-3c6e-43d9-a059-4fbc874d1652,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e181cfa2-abbd-4107-a19c-9ae24b35be5c,"4/16/2021, 9:12:14.692 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2145e56-09e9-4634-b201-cbe5a5a850b2,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd477b8d-2de4-427e-be03-fec57b70a1ac,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\DEMO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b0c8010-3952-4cc2-bcc1-e0f5e4b95a76,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3c156aa-8a71-4c41-b5d8-fc0c356a1d82,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a9498a0-4aed-4fef-953d-3bc5f984da3a,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bff32587-6932-4326-a22f-96a11da69d22,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d614a0a-fd0d-4d8d-a93d-5db76e1cf685,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c7ced87-214d-48e3-9de9-1ac73cc9864f,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,335dd7d1-8da7-47a8-894b-43cad762489c,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a463863-c8cb-4f85-b3f0-6b6552eb00d7,"4/16/2021, 9:12:14.692 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2390ad00-d8a9-49fd-abb2-bd5fea898b39,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a2793ea-4769-48bd-95ad-5577791ac121,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fda4a616-3a6b-44e3-991f-cff9f6b87468,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca214ef4-79df-43ad-a819-5b24cd287463,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98950a25-3c6b-429f-b4e1-0ab50d7266bf,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\EYA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e595041-fd05-4f19-a5a8-ba36a68e9ad5,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cddc2d51-8f0c-4e78-b1a7-57e02e3d7fdf,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efe25586-6526-4534-b750-b5c8d990bfba,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf463e10-2525-4bda-8780-dd0791db15a8,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82045daa-c6ee-45e7-9480-6e2437e28936,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ef5af25-3a7c-4c14-9d79-6b3eaf3c97f3,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,273d109b-6d1d-4ccd-8d17-9f5b359a4354,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,023d6c1a-9d13-45a0-ae1d-4f9713f7f867,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5ac0899-4a3e-47ad-851a-b7336df95755,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e57c930-7638-4c5a-aea2-cf8c590f228b,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054bf3de-429e-411a-9e3a-8b128ffc10dd,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec24bc69-d2c9-466b-88f1-06f7bd120bcd,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10178a5b-1245-4305-a8c3-3d92c93e9919,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc97d9c-5dc3-4405-9690-c08f944f542e,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb5cf5fd-16fc-44c9-aaaa-b6bd9e9aa083,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf3d65c8-0161-42d0-b6c1-5f83ac2af557,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36daf11b-0f2f-4d8c-9ae8-515a55466a19,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4fdb79f-32d3-46c3-a072-6c1551e172d8,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9dc920-30da-43d3-88f3-f88c39ac03ee,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26caa98c-9aac-4c43-a396-5656f9ffccbe,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0332baa8-a1e4-46be-82a0-63a8d05f9343,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a41396fa-c588-453d-847e-96d25aa7feb0,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59a235c7-553e-4bfb-af75-d9e609b5b864,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a851682c-7043-4592-87d1-3a5a2dcb1efd,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccb0ab45-516b-4a88-80ba-4babe532c215,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161cb3f0-3880-451b-8195-6d5b2f7b4d0d,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9eb180-036e-439c-b646-7a2585827424,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8dd9fcb-e9a4-4e09-bdb8-9a6bc942a3a2,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ACCOUNTS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4a54a26d-99fc-481b-8af6-bac61095f621,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +\USER02,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a041bbd1-cdd4-4f05-b68f-44fede10f803,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4b2a8c1-b2ec-4273-af0c-bebee1d25cb9,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +\DELL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d05b1d3c-12b4-4445-ba08-d3e5d7216033,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2108 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8dfb2414-082f-4fd2-91e9-5afe70126f1a,"4/16/2021, 9:12:20.421 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1804 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b127627c-bcc5-4e85-937c-ccdb0a4c5d0e,"4/16/2021, 9:12:20.421 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a14f2932-49e4-4aee-8b1b-7bac5c9fdc23,"4/16/2021, 9:12:20.421 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,91820377-6e11-4e4d-ab1f-887fd49becef,"4/16/2021, 9:12:20.421 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,36512a56-a99c-459a-a4a3-8f53495e58b5,"4/16/2021, 9:12:20.421 AM",,,,,,, +\OWNER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9579885e-021e-4dd8-9fd4-825898b82fe8,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,bf4777fc-e089-4069-9dea-ce653bed8ae6,"4/16/2021, 9:12:21.611 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,42f33bbd-36a1-47cd-b00b-64f32c79b4ad,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,268450fa-683a-4a49-918d-13d51c22740c,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5680c3a-5d0d-442b-96b4-a347060402f5,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fb3577d6-fbfa-4ef5-8459-ad7a625e557f,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6868 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,855bbd08-74bd-4a2a-9738-527faf274a2b,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f10f0f6-fd81-4582-97ba-236ea5f3d51e,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4604 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2d816135-aeb3-4ae3-aaa3-30a4aff23f7c,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,940bdd31-edb2-4e3b-81ec-1a6dd9ace0d1,"4/16/2021, 
9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e68ae3d0-f915-4177-ba8e-1cfd5ecc4f16,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d7baae32-080f-482e-b7fe-b45116ccb5b7,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c032384d-e27c-4b39-b8c3-bb5571c67f3a,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,40114497-454a-4ff3-aa6e-d0ccd6d62ea8,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d2cf9254-7c2a-4178-9be6-56404a6ab2c6,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ff479299-aba4-4a8f-b40b-574fd59e62e4,"4/16/2021, 9:12:21.611 AM","%%1552 
",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,677111d7-1511-44d8-a952-a6e0b2eaf355,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a8549166-089e-4924-b0a6-56036dc52c8b,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ae9c058-012b-441e-8b15-708c3d5228ab,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f1c2aca-5701-4060-9a6e-307817042a16,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee1cc971-bf88-4a22-9cd9-5d42feedd7ed,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,45a360df-8e3d-48a3-aa6c-027352e9e131,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ea2160d-1b8f-4412-af59-ca8c2215134b,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e6537b4-833f-4807-8028-8a2fbc0a8aa3,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,45e63ca6-4ed9-4acc-8796-708bf544e6ca,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,150ed739-4bf7-4f40-b16b-78845b5aeaa0,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7ab9760-f8c3-4621-8c06-7f7ae53fbac9,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e6449290-8ea4-43dd-a26a-878e92efb2c7,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c98a2a6c-9fbb-4d4c-8d45-1b3a0596a879,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,12b1e820-7012-41f0-b191-5fde0c5a24a8,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ad153b1-c981-499e-8422-8d598c38100b,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3604077a-83b5-44f8-8fdb-8a6fef473705,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e7fe0ccf-d323-43f7-9f3b-c8847d275f30,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,53b5a8aa-c949-4bcc-a8ca-9478b1cbeab6,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1bb689c-1108-4f13-befa-93f3a4015396,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d7de46d7-8b61-4cb3-bcba-77482ce1163c,"4/16/2021, 9:12:21.611 AM",,,,,,, +\USER1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2007e7a3-216c-4ab8-bbe3-0f6b4da6943a,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10ede72e-60c7-4339-9790-c9be910fd7da,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d16ac162-30e7-4fe9-922f-273f9c5e57cd,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,849129d8-aa1f-4f32-84f5-39d787d612a8,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b918840-8855-4bdb-85a3-fecf11efc882,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dabb8385-77e3-48b0-8499-c5485a9f7930,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f27aa2c-6bab-4b82-b5c6-f7459df3094a,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f290acaf-a727-4450-82d1-5e3a8b743e68,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83735c0a-e570-4d78-b757-5faf6e0bbd72,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,318d391d-7ec7-4cd9-842b-65a52ea80759,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64c34d1c-80c3-4e0a-b794-1a6e41da86a6,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68aa075a-ffcb-4fa4-b6ad-e58526ffbb2b,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,324f3ac3-10bf-4768-b233-710f800f8245,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93469205-96dd-43ac-82b6-ba66fb57d34a,"4/16/2021, 
9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71313dd3-297c-4008-a174-7b43d7645abc,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0ed7698-9361-4747-91fd-042a2d95de0d,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4ff5e23-ed32-4817-9c56-14c68a183404,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\USER2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e97ffb57-65e3-493d-8710-d23e8ca51522,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e5b73a4-66ab-4e40-9039-d76fa86ab812,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8311ec6-a155-4b99-9b7a-64a74f059b2b,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef4b408c-de73-45d4-9fd8-f75c1c0209ae,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8730295-c0d2-49c4-acee-ad28d2a64077,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ddbd4e6-acf5-4607-9b81-10c1f5cf34cc,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\ADMINISTRATÖR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fd7e899-1804-480f-9e35-d28f86600130,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a4c8eff-4ca0-49b2-9acf-f60e74c788d6,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a76e8863-143c-4405-b46b-fbd860a83057,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14312 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3ceb5b53-986b-4140-99f4-741d8e82a417,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10632 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,55d4fbec-682b-448e-b6ad-29a7a67f98dd,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11144 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ab812765-1f20-4719-90e2-020496c06a75,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 12108 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 4791D7CD9D154D3F2C59B47259D2689FA47FBFB1E9FF7A41A5F03B3B66EC67D3 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1757 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,144df349-5b1e-4bf6-9e22-c347c9cdf4a3,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3028 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ac991de6-d7a6-4450-95af-a5d7615b5bbb,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10404 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1e1f91dd-8e69-43cd-a6cb-2a1eda225b4f,"4/16/2021, 9:12:28.992 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb46ce0-79a4-4b9c-aef3-d4472f2cc7a6,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4407984b-952b-4143-965c-a83289c2ec07,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8db7cbf0-90ce-4deb-9c10-aef941c7682a,"4/16/2021, 9:12:31.205 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72fc45d0-c27d-4b09-a020-b4f970aa5041,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1417a4d5-054c-4eee-9434-8beadc27a982,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9996e592-d3bf-48ae-b36f-d704c284c82e,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae9350f-d810-421c-a780-ffb8b46afe8e,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8af230de-cbcd-4cd8-8ab4-eb8447ecd26d,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0c784be-b0c6-466f-81e5-1b0a86b4e97b,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6f5bc69-0438-4841-b0c2-1a4031ec48c8,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,217544db-f75e-4207-9a5e-ab7da0e2dbc2,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,015ce6b1-6bd6-4c77-a48a-1ff9e4623331,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9120e52f-09cd-4e94-b037-90a89c6eebe0,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6764c28-dfd3-447a-9402-91bebcc75572,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8239b159-a73b-476d-aee9-ef074bebe17e,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc1b7cc3-3693-4c1e-980a-2aafe2fa10b2,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48c285e4-cbc1-45e8-8dc1-40e0196c6da4,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5456a687-7825-47e1-9504-e24f0ec29d23,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a69d78-8844-4fa8-8e44-be9ba13ad551,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,933492a0-3ff2-4dff-bf58-8fa1f072d731,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d7686ad-b7e5-48ce-90ca-0794e6112e68,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e647f06e-4efd-42e7-b585-d4a1e71733f3,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,4429a4ba-8459-4513-a3dd-d7a85486b5c2,"4/16/2021, 9:12:31.205 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85d107e9-549c-4947-85e7-550ff0934e93,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9542984c-f834-4845-ad5b-b2d41cef5663,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f22ab6b-8049-4bdc-bce3-e1514c6a9f06,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a48fd9d-5ef6-4927-b3d6-a55c981c8731,"4/16/2021, 9:12:39.127 
AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7cb21b6-0a17-4cea-a68b-978bcf479b7a,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6de6ab0d-c548-4c47-886b-1bc59177b800,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4629588-efff-463d-a13e-a5eb074c4157,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4abc940-3569-43b2-a373-c01687a1d722,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SOC-FW-RDP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-17T04:56:33Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> 
</ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 2251799813697265 + 2740 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dda2784-4316-40e1-a8a2-aef99068ac2a,"4/16/2021, 9:12:39.127 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b49d21-a870-4f1b-8860-aad2f41e95d4,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b635ead7-1496-4faf-8017-f388d912baf3,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,499702ba-a323-428f-a39d-094e102ab368,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f035f673-a460-465e-a5b6-681129ef1163,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21512d8-dccf-447b-882f-fe3378c083b1,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919b86f1-0a5a-4a8a-950f-13c6811e8c5a,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c92c6702-5085-4f03-897e-31f550100e83,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56f3400-2234-46e5-ae6c-93889a95d9ae,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a938eef-8fc2-4dec-a578-d67f9a5281d7,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e7ce3b-5c1b-4d2a-b519-1e100bb3f486,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c54c5b7c-e098-4ded-b5f0-9219c7b952ff,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7736fad0-dc88-4d1a-addf-6d659cf911c8,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47ade6bb-3226-47c7-816b-08c3825f0064,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0d6b9ad-5cd3-497a-b116-8960462314d8,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c28d44-5a00-4858-94c9-597bbd9859e0,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a039ce2d-a30d-4048-8eda-cb8c0efa30f5,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9b72df3d-583b-432c-befd-aefd1fa30870,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7dda7709-b026-4f42-b3e6-5d58b6c6d02b,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,019498b0-2138-42cf-bf9b-8a8b79c12a7d,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b6d08c4d-9e39-42eb-8bc4-fcc6444915f6,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d9dee60-e941-44f7-9035-fc2d9db37120,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f0af60e0-e0bd-43b2-87ef-76dfa5cd95f2,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f724d600-5342-493e-a08c-e935ff46b440,"4/16/2021, 9:12:43.061 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,73307c64-44e5-45bd-a187-d09077bd8ed7,"4/16/2021, 9:12:43.061 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,7595bfee-3084-473d-844d-15e0caba2ce0,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9981df73-8a24-45dd-91f2-c7831cab8cf5,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,02c6be9e-214e-4a9b-bd89-4e23284ce66d,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,52700954-540c-4cb3-9813-0bb51c10d079,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8a44 + C:\Windows\System32\svchost.exe +",4799,4799 - A 
security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,5032c558-6173-4dbb-ba4e-a2dd4a206c91,"4/16/2021, 9:12:43.061 AM",,,,,,0x8a44, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8a44 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,c5b96002-f5b0-4442-8ae7-d6e511534c28,"4/16/2021, 9:12:43.061 AM",,,,,,0x8a44, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,ebf9be15-344b-443e-bd01-5db8024898b0,"4/16/2021, 9:12:43.061 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,92c87bcc-6576-457c-9d9e-8960e926804f,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5de83a73-a8a8-4883-b92a-af9bb0f9f7e2,"4/16/2021, 9:12:43.061 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e24891c-c66d-4acb-9372-06a2b770a780,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28dc3e8-a15b-4919-8874-a43762da6ae8,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30439f54-73d2-453a-9df9-83fd6fc66d7e,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e76b71d6-058e-4459-a8cc-4daaf9b4fc2e,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc206b31-d3a6-41f3-82c0-bf76ca6a3430,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09039629-65cc-4b16-b838-7324dd1c8828,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f5afd1-2c3e-4998-8ff1-b5eeb1de1a9d,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed43b409-04fd-4e83-9b13-89280a7eb41a,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5202e6d-f360-4106-ac88-7924af1e51d7,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0e9ee9a-b26f-4261-8ff4-90a14dade151,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea293d2b-4181-483a-81b2-7d5ee4f255ca,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a56ba0-5f46-4909-ba79-5841d4933833,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5e07bd2-0e57-497c-9508-92c40b1096df,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16ae4715-a8ea-4cf3-9ee7-1044d26c0593,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0fa41f1-d82e-4609-be8f-12db0de30fa0,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30454c69-2ab4-45d7-af8c-cfb52d7579e9,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed71d75d-ae1f-497e-b0bc-7dc35fb736d7,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f45b14fa-d3d0-4d8a-8ca7-fa36bb8c2599,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dd5cf41-254b-4ec9-9e93-139625eed521,"4/16/2021, 
9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,479c0dff-b04f-4a29-992a-a2237f481148,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d3e890-90bb-437b-b482-c19a576d05a6,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7c91422-4093-47f7-8fc9-84ad5067ffb8,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,be80d28d-c95e-49b9-9f7c-250dbf5a78f6,"4/16/2021, 9:12:45.871 AM",,,,,,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6efba0e-74ed-4e79-941e-cb3b6063432f,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8995c3e-28e7-421d-a2f1-ca1b9c243df3,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66336ac5-9630-417f-81f0-a19c6d738772,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b2fb68d-e35e-4929-aa11-c05e5e4ecb7d,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bc38c49-9f87-4890-8ad7-4ae34df0bd78,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93c4efe6-e9a3-4411-aa5c-12821efb1d3e,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a073506-897a-4c47-9859-b440469e83de,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d85b692-4cbe-47fa-b07e-2fde9891750a,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbdd1def-f974-4227-8848-5ec9f83b5923,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa742784-3a59-4c8d-8136-dde129efbedf,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb8dcce3-fdea-461b-9422-3e2cf135bf1c,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03c1acb1-5fba-4eab-8f6f-90e5e77b1c0b,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98b5483d-392a-4146-8b26-1c2f6d013c90,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae840f75-3d3c-41be-a22d-6a70f70e59a8,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25e8c27b-0b11-4f90-905b-fbbe16134807,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efe440f2-7e1f-4d71-9574-4c5761b71eab,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb54ee6d-a2ea-43c4-a40e-6833444fe289,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f76be6b0-513e-496e-9af1-3cb8a8a3b264,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f88037e-0246-4000-a8eb-55c27e4ede57,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04dfffe7-8595-446d-9f28-1a00c0bc3cdd,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20d6e2b2-41e9-4a20-96ff-37521aae5102,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddebf33c-ca30-4eb8-887d-4b1da1bd3902,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5e56732-620b-41c3-b64a-e2eb4e49a525,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8effbcd-54b4-4e4e-b7ff-1c36ffad85b6,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6001e795-9e07-48dd-8b7a-e645a121567e,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12704 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,609908ec-55c3-471a-9760-a7d388efb2ad,"4/16/2021, 9:12:49.268 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11856 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,6ff952e8-9947-4523-8bcd-500930281cdf,"4/16/2021, 9:12:49.268 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,230c7318-317e-4aa9-a9ce-194dd5b8e43d,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cf3cb63-fe3b-4a20-8a17-d3d9b78c8fa7,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ec356f-e5af-4b4f-bc11-8719e21f453c,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ac975b7-6d4e-43e2-99f6-4018d7e069f7,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c4731a1-d35a-4c74-abc4-d08e1ed7f08e,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ca1091-1059-4e76-84f1-c60d68e2b9f3,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5659c0c1-90bc-4dd6-8c9c-bd59ca37789e,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f798161d-3bb2-47a6-9c60-fe43f4b1815d,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17bf9c72-615b-44b2-98e3-2f57a52bdbeb,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af3063dd-1e1d-400d-99a9-e0ca54fd0210,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65a24e40-43d8-42b7-bb44-5a9d1e66b7b0,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d25f07de-e304-4886-957a-e60d621f1407,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3ad85b5-76ba-47b1-ace9-413288a4e4ea,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12e44b29-e8ff-4eb7-959d-762c80a59788,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0f8107e-db66-4be3-bd1f-8d3504f3dc8c,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,132f4ad0-a2ba-4bc2-9dd7-94b0cd1ff585,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9356ea29-5e2a-4384-a335-8c5580e237c0,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3eb2bd-2ef2-4f65-a670-523b8265b14e,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c8c3a0-4413-4e56-ab8b-d394c1c8ccde,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b537d78b-91a9-443a-8bda-d81d730e0ff9,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17739c4e-dad7-4ea3-862b-f950c4a820ea,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,047199db-d85d-4a89-84df-306c32787dc2,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bd38d21-29dc-4f3b-bd3e-6ca70da776e4,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fe3bb4ec-990e-40d9-9151-b2d7c0e86cf9,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\INSTALL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4f3ceb42-456b-444a-a2c2-55a27efbd357,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a89521b5-476b-4a77-80df-b5fbc0c81c01,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\DAVID,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,97af0421-d228-4d6f-b215-2e218dbfb6c8,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6f2a715e-8647-4b55-9b68-e17178cdf928,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4632c6c8-dba3-4aef-952c-b87dfa561417,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\HR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bdd24843-d8f1-4fbe-9978-6b68f371a746,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,54740500-7464-4d33-b154-c271f274a93c,"4/16/2021, 9:12:52.604 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c2baca2-6578-4b0c-a01d-370f1b6bb67e,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,d97ddc02-7006-460d-b382-b162badfdc68,"4/16/2021, 9:12:52.604 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0d78c723-df62-4dc3-98af-aed6ffe4ee16,"4/16/2021, 9:12:52.604 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bff87220-7113-4f5e-a132-57279a2d5ed6,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10800 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + 
C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e5eb2e12-54b7-4ee2-b5d5-46d17fba4bbe,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9288 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e30405c-08f9-4017-8775-c9dee827bf95,"4/16/2021, 9:12:52.604 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b396a938-1511-4ac8-9f2e-e36ba8bee8a4,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9956 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,85fbee7f-8090-41a5-b8fe-128fd3883cc8,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4812 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,58146215-7619-4df5-b4af-636fb682df2f,"4/16/2021, 9:12:52.735 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1576 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2a3e0ece-5a18-47f9-a3f1-ddb5325d1583,"4/16/2021, 9:12:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,221519b5-0e43-4b16-88c9-5e87cb7cb3bd,"4/16/2021, 9:12:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b7b0bf4a-5bde-419d-8960-a9f2113e1c7c,"4/16/2021, 9:12:52.735 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b51784ac-a926-443d-82d6-e945b2fd7fc2,"4/16/2021, 9:12:52.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,97933fdd-5e9a-4a48-9f77-3b9e9cea486f,"4/16/2021, 9:12:52.735 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84ea1719-5cd0-4b6c-a369-1d9acbbdd943,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d10d17c-c67d-4cb9-b3bc-ed92090eefe1,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b74a4fad-070e-4924-b447-ad59beb52a0d,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,600901d0-d655-4b6f-ab59-232020476e7a,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85dedec4-0694-4306-8f43-4ce43d342706,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32479c6e-8ecd-4b7d-8997-5ad88921cc38,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce74374b-d5fc-4458-b8ae-85950a7778ad,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de9e9978-261d-4113-a9fd-58f3f489dfde,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd89afb2-9f63-4778-86e0-a06429e342f5,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e99cef22-440e-483b-87e9-c9faad54a0b8,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,564abb62-bc7d-4696-b5ec-159bffea2c87,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9bb780-e1e8-412c-8b85-319f7a8317a0,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3f27ad-99df-4de0-8ace-22537e44e9f6,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08226296-6286-4c7d-82ec-9ece5f9fa091,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a8677b-a2a3-4436-91ad-75adc0bb6e19,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1423de09-ace0-49be-ba77-508b7738374e,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0c644d4-c3fe-47c7-bb9b-9897a3d7cd87,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4bea2c6-c0ca-4063-8a57-fed50cf8659c,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da5c9d83-eb8b-407d-8f6c-46e1c6584a4d,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77647004-b3b0-45d1-ae44-a8a44889d65a,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73e0bc96-7f3f-455b-8bbc-f2e8eb8e0abf,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a5726d2-611a-40bf-aeb2-25b01a0455fd,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31a05feb-ea52-42a2-a491-51191ec65287,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,533a6996-2e8a-4ebb-af26-dd75f1d70cad,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db468fb0-961c-428b-8a5f-2a6466260ae6,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31f0b573-273e-4496-a560-94e173759f80,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b825cd98-90dd-474e-8728-baacfa414b8d,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d371157-15e5-4427-be32-3fb02771e0bb,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f87ccfe0-f2d3-4d71-a388-c96c80bec202,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a47a4c94-c3c1-487e-a7d3-035c19077137,"4/16/2021, 
9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78c3244a-3d0a-4ddc-8947-a931e4de6b9d,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fd911c6-3b9a-4d46-88c6-89ac5619cfad,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78101e71-e770-4243-8c91-e0ac3e813fa1,"4/16/2021, 9:13:02.705 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4aa63116-d650-47b6-8bc9-8cac6daf8d24,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc6999ab-b55e-44dc-af9a-893d604f6c33,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c1580ea-67ca-4721-9cca-7e8de3ec5487,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,892f3881-01ee-473e-998f-e3a195b96da1,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7da10c4d-dd9e-4727-8f0c-c8a07c4bcea5,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f52d8be8-e943-42a2-8113-9dfd40fab272,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2944aac-9266-4f51-8ce4-50848247e88a,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0190e8c2-41bd-4581-8b79-780589fd94e0,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbf500c8-fec7-4b0f-b805-996b6934aa26,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddc3cca0-dd40-446b-9984-c06456980131,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47636f90-6b32-40cb-8826-8c4d8209e637,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a10b995-66ce-43af-9629-61de2fd287d4,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd3675b8-346b-4a7c-9602-13a1cee68ae5,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50486efc-2f7c-42a3-a36b-2d9e1148d8c8,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c121995d-64c5-4f73-b1c9-2ba3eb5a599e,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c93326f4-5a26-45a3-945b-b037b5a9bc20,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4220c9a5-4dee-4003-9792-a0d024999ba0,"4/16/2021, 9:13:02.705 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7581cf9b-80bd-46a2-a72b-8413e6e996f9,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ccc96de-6389-43e9-bcd6-6d8e110e3bcd,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d0b1b57-6b72-48c2-818d-3da3ff0a03d9,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e8228f8-4293-438c-87e4-0804a0f10584,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e16b3e6-acb9-47ba-951f-f684c1ecf508,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e884c791-2a9e-47c4-9789-c3a5b4915389,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af3b2962-23b7-4bf0-8494-dd5c129dbdfa,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f47a61-ff25-4844-957a-6b1f5af1eb21,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3044556-6c39-4e86-9f76-8157b22e3632,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d82f817-e5a3-41a6-b597-7082f4688b4d,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6026ec79-e2bb-4d29-bac1-304d80402e28,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aff2658-ecea-4e66-8d87-6de751803f8b,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa3cb177-4148-42dd-8a74-2c43fd670661,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad59aafa-2336-495a-9228-8c8c1eaaf17a,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,729d3f20-c847-4229-a594-3c9e472f1ec8,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,957ef31c-f306-465b-ab0c-b33261f42dbb,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,222ada86-d02c-49cd-a70d-b026d7ba44a0,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220844d1-bc37-4a47-a3f0-9c63e83fcdab,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5edd6c6-679b-4456-b5c9-589b90c90392,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c639804-4830-4e25-9b7e-b46f59783238,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96935f4f-3f92-420f-a642-a6f89bd14d8c,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3944673e-a364-4e24-81bd-61a43a2c17e3,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7132695d-e9cb-4129-a04c-f0bf3ad3c756,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef1cf70c-9227-4d6e-95e6-e3f5e6cf8229,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,738b83d4-c571-47c4-aafd-2ebbd53ba9bb,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5700b45-6027-487e-ae09-a12e42102c01,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89b390a2-38fb-478e-979e-b3fe9e0c4edc,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9937107-b793-4a40-bc3b-1b58392260d2,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6176 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b96955ea-ca9c-44b0-adae-95b5dfebd072,"4/16/2021, 9:13:07.920 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84c53c29-529b-4757-9b59-55d6052f1a42,"4/16/2021, 9:13:07.920 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,32581155-8211-4c66-8122-96d118ad80a5,"4/16/2021, 9:13:07.920 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f12d7832-9f86-4879-a522-760fe38b8369,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2208 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,40292640-2819-4bdc-a7cf-122bfb53cb70,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7132 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5837002a-e9fa-4f35-91c9-a37121b8383e,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5316 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,784279c7-7b2c-4dc6-88b4-4c5e019d2c41,"4/16/2021, 9:13:07.920 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 
0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0e2245d2-e606-45a7-8432-d2fd1490af4d,"4/16/2021, 9:13:07.920 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d34f2690-46dd-4cc8-bc55-60186e7f1a01,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7b79b05-e973-48e5-97de-130fe443a484,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88eb887d-372b-410e-bf5f-ad088e689b45,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87a77380-b11b-4ce2-b4a7-4b0696330f12,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70ff66e9-b4f7-4955-b68c-a874ddd4927f,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b3bd6d-2e6f-4e66-ad1c-904d16d4a408,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab8145af-ee27-430c-b930-6b5f64a1e13f,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c502967-d801-4827-8032-62a98cd7864e,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e979009-28e6-4040-b72d-eb4c7380c27b,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a83c2db-c687-4415-b3a3-5afab99cdc48,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,937fdb44-7a56-49d7-a57a-63e7ae7064a8,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8478a99-a1b9-49df-95f9-527a0be99b41,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd90d86-e030-45f3-8156-7625a6a42c57,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,178813b3-362b-4bbb-bce5-316a627fb1cb,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46dd84bf-3328-4393-9093-2db7ccdaea50,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9e7feec-7b42-4b95-8fc1-1a7de351c150,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e30a2e50-78b4-4869-98f5-8a98e63bb298,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c033bce1-755b-43ca-b0c6-72d28bf6f6fb,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec49aebc-43a8-4c1b-b606-ffd811f593de,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b20c69-b2f5-4e04-a743-39c1ad63daed,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a81a25-6500-4017-ab9d-3d51b5ffa2f0,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4af587d6-34e6-41a2-9fa5-554d5f3ffc3e,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e47f3b5-bd90-463c-82b4-ee7355a4dd50,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,030bf418-d899-4584-b5ff-10323f507594,"4/16/2021, 9:13:16.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\WindowsUpdate\Scheduled Start + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>Microsoft Corporation.</Source> <Author>Microsoft Corporation.</Author> <Description>This task is used to start the Windows Update service when needed to perform scheduled operations such as scans.</Description> <URI>\Microsoft\Windows\WindowsUpdate\Scheduled Start</URI> <SecurityDescriptor>D:(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FA;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2021-04-16T18:39:04Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1M</RandomDelay> </TimeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>ConsoleDisconnect</StateChange> </SessionStateChangeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>RemoteDisconnect</StateChange> </SessionStateChangeTrigger> <WnfStateChangeTrigger> <Enabled>false</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <RunLevel>LeastPrivilege</RunLevel> <UserId>NT AUTHORITY\SYSTEM</UserId> </Principal> </Principals> <Settings> 
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>false</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <Exec> <Command>C:\WINDOWS\system32\sc.exe</Command> <Arguments>start wuauserv</Arguments> </Exec> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,4c68e4e0-392c-489d-80e6-9cfc2f82a670,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,8733b570-3c6f-4403-973b-37c683f755df,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0671bc63-d1cb-4b37-a4fc-adcc394e640a,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6daceeb7-138a-4bf4-a0ba-13818d251385,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,55a0fd8f-564e-4b17-89d8-a5b941dc2217,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,71b7c9b1-0441-4667-a661-4a800db31079,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,97bd6717-2a89-4f34-8902-6b854b47908b,"4/16/2021, 9:13:16.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,796699b7-2cef-4b43-babd-720da3a1de73,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9835b390-f68c-4c3d-a5b6-008f87b2e6be,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f4bfa30e-3b59-4b9d-b553-cad93e176d08,"4/16/2021, 9:13:16.056 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4abb93d2-d5e4-4f7a-b012-8adcac673b63,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,218bd9ca-3c38-4487-b55a-c235981d5be6,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,606c8929-09ef-4335-8cfc-5cc3ce56ec35,"4/16/2021, 9:13:19.702 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a33a062-6e76-4d17-bf4c-619db93ccead,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87f5a6e5-6bdb-43c2-9023-d4b83b3ea2b2,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdcd2a6-297d-45be-9457-0c63f296b834,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a82389d6-66f3-4ba3-bece-5ceba1f6b3b4,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\JOHN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9cd1fd8-e498-42a8-be4f-de39a2330be8,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e541f903-5697-479e-ad3a-15e559c6f79b,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6645273e-bdda-4d8b-b56a-0c9b67014a92,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\ORREN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0c9069a-01ca-4458-82a4-0324cee374f9,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, 
+\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f40d1a9-97bd-4858-b379-572a196b5f68,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,170faaf2-49ec-4010-ac01-7de917bba404,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7f1b039-148e-45e6-bbc6-0d4109103847,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b7489af-edc7-4696-8368-c91e26eec3a0,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06674450-1e94-46d8-a0f1-d8c24b3d6f61,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6484fac2-7068-45a8-b4de-a8a7ecb74ddb,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,966d6462-8184-421d-90a5-5528e2728f30,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b3dc47f-110e-4db9-97f9-3c9c0df64075,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, 
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ad6f0d5-8d31-42b3-b27d-bc91cada03d4,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a05190c4-3e3e-4474-ac53-60b7282e1e40,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaeb3ba8-3ebb-4fb8-813c-9be3e341917e,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\TEST1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,269ed9a6-f8aa-43fd-b553-55ceef63b356,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,887992ac-34ee-4842-a59f-e61ff6a9d7a2,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7c5390d-5170-4141-bcad-8693eec8b8ed,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,788efe87-e64d-400d-9fa8-021072bac667,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d700e91-34bc-42b6-a0f3-ec8f03946506,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18c77e6d-8eb9-4f86-94d9-6ab78586e384,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b446fa7-d572-43de-924b-a37684b29c61,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c0e6fa4-831a-4fd8-a336-a447393200c1,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a47ba3fd-942d-44df-96ec-1938d41536f4,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdde882e-dff3-4139-83b3-e9e4c931c89a,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb2a719f-62d6-417a-88ee-8a150255cbc4,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3feee409-569b-44b5-b95c-3143f5a80ef2,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4738ba-e484-40c5-a5c9-2f3b8f056c16,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b8289e-08f6-4ad0-8aa1-417f5a0f2d77,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33f2751-292f-416d-9816-95e4fb37d87c,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312e3cf9-04e7-4cf4-b145-acd0b5eac0d7,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1020a7a-4eed-4e68-a19b-c011619cdde1,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44d51583-a527-4210-8f27-d1e89033b3d8,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a83df3d8-e94d-4ca9-8663-df45313ab37c,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec7a37db-4fcd-405f-be51-64c91ac6e7ee,"4/16/2021, 9:13:20.122 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4d333e0-13a3-441e-8cce-fca0398aa320,"4/16/2021, 9:13:20.122 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04cedb1f-6ac2-4e51-9729-812c96b12f1e,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8008 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,492730f0-78b3-4d52-b3f1-51545c87b224,"4/16/2021, 9:13:20.122 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3300 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad07db4c-6d9b-4bda-8467-c795b443a60d,"4/16/2021, 9:13:20.122 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,3e020c93-35ec-4ec8-a79e-3433a25bd269,"4/16/2021, 9:13:26.602 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4728 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c93bf6e2-56bd-44cd-bc2a-701f6e24a1f4,"4/16/2021, 9:13:26.602 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10740 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,47fbd5ed-62f1-4cfc-9aa6-2f141fbe0edb,"4/16/2021, 9:13:26.602 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9828 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,54bb55e4-6ffc-4425-ba61-27f42635577f,"4/16/2021, 9:13:26.602 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,33fb127b-a2cf-4ac2-abbc-d3b9ade34eed,"4/16/2021, 9:13:26.602 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed5c321f-19cc-4ca9-bb88-541f53c76858,"4/16/2021, 9:13:26.602 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,615db40f-b280-4df8-b2c8-ed96378fd177,"4/16/2021, 9:13:26.602 AM",,,,,,, +\WAREHOUSE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b8cc788f-92d9-46ba-8f75-4126df2ef2e9,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c290c139-eb06-4987-b563-5f75fd3e36c6,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,536b7aa1-7c54-4067-8e11-ffb1ac91f981,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\VPN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e5d2b4c-c178-4560-9bdc-d26c0fe33a07,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46558d91-4f1e-4e00-a8c5-0350735b9192,"4/16/2021, 9:13:27.440 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1352 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a328634b-9cbf-4f1c-a255-d9ad58faedcc,"4/16/2021, 9:13:27.440 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bcb082aa-25b0-4250-a789-269401cce0f2,"4/16/2021, 9:13:27.440 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1304a204-a055-4624-a9e9-c8187af32f5e,"4/16/2021, 9:13:27.440 AM",,,,,,, +\CHRIS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58a7af6f-bdda-45be-a281-346e4ce7337b,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f1df6e38-948c-457e-b0cd-dac3da73ed17,"4/16/2021, 9:13:27.440 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6028d419-6829-4dd1-9783-8eeaa42b0641,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\ADMIN2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,db44fc36-24d3-4b08-b565-d26fc1ad00a7,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37178952-c563-49aa-a98f-530dd66bed98,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7762828a-8439-442e-9bc9-807c6c5da3c7,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc34232d-8b95-4b55-81d2-e106c6dd8815,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e80027d-1793-45eb-8889-e562508d4350,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6395fbf-4e47-494c-a9e2-c23e51370313,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95b0d6bf-b4f8-4a05-8713-93fc8775d242,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a41282-c9e4-4a72-8c09-e63a6eb19547,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71dfde76-1fc1-49e5-b492-1b742ce49aa4,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f9ca98e-fa1f-4003-90de-c56c48ba69d2,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a1ffaa-6d90-4d26-873d-47b7511fcd69,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbd269d1-055a-4cf2-8a24-fd8d6c2695ef,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\MIRIAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3efa3b06-dcdb-4c72-97c3-62de3149bde9,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c567b89a-00b3-4b2a-a74f-f1677be1fe9c,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6602699-8795-47f7-ad18-830060f21ef5,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f664a1-839d-4c4b-904f-b0db2e740b7f,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a71a6a6-3f33-4676-85e9-40b8c0cc91c1,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,336dcad3-860b-469f-bb56-8affe169e93a,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e11483e4-7ae8-4eb7-b709-ed54a3b1d2ee,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33cf0e9-ab78-4cb5-8cf2-b251d39dca72,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f02469e1-9ead-42bf-a931-43f66d3e3f55,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d78df4d5-3897-42f6-a2ee-e6e9a20d94a2,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48f59411-afe7-42a3-9cf5-3b47bfa51355,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a8aa827-ec94-4846-9ce8-e338db5ee163,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a909b70-d21b-4172-943a-199bc3b6b694,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f90a010-d2fd-4115-84a1-bf0c68fd669b,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65e1bc1f-0b29-43f2-a61e-31e44253b85c,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a59b2ab-b556-4a63-8689-2ee44a9c6ee3,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43efea70-1f57-4c0b-af03-73775a9fdc95,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20b24cb7-459f-4748-bbe6-aca39a8b7a74,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f2d8f55-b02c-44ad-8363-ec797c5a3bb2,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2177bd-91fc-4cd4-bc8b-fdaa0b75fc48,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b441055c-badb-4595-a922-cc28a5112f05,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235cedb9-125c-4d27-8f00-2ced22f62255,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6452f7b-f434-4fad-af2b-b5a5f9f43ca4,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ea3340-69ea-4032-8f6a-b38ead03aaf7,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88d55b4a-32fe-465f-a1c0-fc08484beaf9,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b788c9a6-c7a0-4d6e-8ea7-f996c0bba95f,"4/16/2021, 9:13:33.127 AM",,,,,,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c623c05a-8678-4257-a39f-d53bf6203ee5,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d961fce-d783-4ca9-b4ff-2d346d1d2b32,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29c6e01e-511e-49a5-81d8-d028d8899ea3,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1a2e83-30bb-460d-b8a9-940bb9f4af43,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402cba6d-567e-4dec-91bd-f4a21598bbc6,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400f6fa4-a192-441c-93b2-1617ea25f1bd,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b2cbb4e-c9f3-47d0-addb-ff4af134138a,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd64a9e2-163a-459c-a75a-9473d5e0d972,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf5808ff-3dc8-4e5c-9ebe-f74a5ce1a6a3,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16606f65-707e-4b59-8395-015e6f5e30ef,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb14f0e1-7af2-4d31-89a3-e5c34a9b4356,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,33c7f790-5c86-4794-9011-0fbb4d9a9e16,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a4ed5720-e48c-4bad-aa79-252794df36d5,"4/16/2021, 9:13:32.877 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,33a0b12a-5774-4385-b6ee-816630e9f4c4,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b277f80d-bae9-4a66-8035-d886a91695e4,"4/16/2021, 9:13:32.877 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,17226360-f4b3-4a08-a831-e9ac51733b81,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11088 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6c920e00-d01b-4cc7-959c-eab1a0fc1575,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9440 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f3f5a211-18b5-408d-9626-f1d8b7c11cbc,"4/16/2021, 9:13:32.877 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7bc1c396-ac37-4963-9595-50208a27e843,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14476 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,aefba3dd-c763-4479-a8c7-01091a98fb2b,"4/16/2021, 9:13:32.877 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c44baf3-b040-42c8-b33b-d2180d5faf9d,"4/16/2021, 9:13:32.877 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cea93236-d049-42cf-9094-780a1c9d2b71,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7dcbeda-b0ba-45eb-8812-ffb9fbe627ea,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,908c53d2-3919-43be-b9f5-2a827bdca236,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4305f2f-cd60-4bed-bd09-56a0d08b13ee,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10e478c2-55d1-482a-bf1b-005c15bf4aab,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6de827e-0e67-4f0b-bb93-ad783d041e19,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c04710d2-f9d1-4360-b6b9-beefa3e3c28f,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6aeac17b-1b1b-494b-8029-f6ee36da8990,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2bd7d47-3b43-4090-b5f9-8aaa133947dd,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09fec6b8-ee32-4148-8e0a-af71a0afdc85,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8e87479-bc36-4c6a-8449-7531c785578b,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72274ed6-b9e2-4d38-97ef-159516cd20ed,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, 
+\STUDENT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f00fba3-02a2-438d-843b-b5ed97a7b819,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,817514e8-3b9c-4ef3-9ff7-601a882decf8,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51a21111-4710-4dd2-92f6-761608f1b6f7,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e241ade8-22ad-4bc8-b3a7-6dacbe2c3e27,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4670cfe4-19c5-4ecb-83cc-a2d43837234a,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1373f90d-cf25-49bc-892a-72c4cd881258,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b328c4e-d159-48f6-9401-9cb1fb6ddeeb,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,769be534-dfd1-4ea4-b2d8-a56c2cb593fa,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01fb237a-e569-4f9a-a74f-560cd2e95952,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d051639e-2a3e-4c7d-a58a-8b6641c08180,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e63b1a1e-9492-4568-92ff-e1850d531562,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53838d18-c0bd-4b94-b9dd-374b0f3522fc,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7c41bb2-679d-4a4b-82c0-ae17aeb5b16a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1869503-476a-4e49-9c09-574571da01f6,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f56f6d-f35c-4a4f-9d2e-a8924ba91617,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c20ec936-0933-4891-8f8e-26b7ef13584a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d33c4135-fbd4-4b1c-b0e7-332a2109d660,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caa53b14-e46c-4ac7-97cd-fbf0f0f3d3f4,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\DB2ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b895cf01-6f79-4796-a27b-20d956c420bd,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddce614e-d17c-4e9d-99a3-8a971f683e89,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f89331c2-7aae-4bfb-b40c-8033f000f76e,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60189fed-b1b6-45b2-9d98-45e77185a8f3,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd363d23-dc27-4aa5-aa32-d0343b65535b,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,108948cd-ef61-47bc-88ff-6fdbb8f98b13,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8769f889-ef4a-432b-9fc4-40177e124ab4,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64db500e-e9de-4fc2-9c58-0e022d5b730b,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,089ade1b-0f47-4317-8ec6-6878b7081ff2,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5e19eac-c937-4a58-a9d6-c31cc13ef406,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20d96e25-4e1f-44a7-bd4d-f3c86ae44956,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99ac1312-7656-4f3d-b164-8c171f297f6a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c28fd87f-7307-44ae-88c8-4ac36612120a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76241684-6510-468b-be5c-ffdcee4311c7,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74254f5f-8c6a-488b-b3fe-d7b1a97f5d4b,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7befcf45-f57a-4364-b550-d924da1081e7,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad15b20-1e2e-49f5-917e-873a7c55b36a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2f41013-933a-4376-88db-812e3a1e7c27,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12028 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2a2b423d-6bc8-42f4-a668-79988922ea12,"4/16/2021, 9:13:49.277 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,083e7000-8297-4fa3-b928-70aeae1b62c6,"4/16/2021, 9:13:49.277 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13048 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,90934290-9a8c-473f-9702-70c76dc7bbbc,"4/16/2021, 9:13:49.277 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3fbc7d23-fe42-4d4f-82b5-a7213dbe8dc5,"4/16/2021, 9:13:49.277 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,680e52dd-55c0-4575-bf2e-4a0f31a972d1,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f5b7ba-8672-449a-8551-87cdfcade7e8,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc53dd7c-934b-42a2-97bd-0047a8b8ca05,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0047ab2-7a08-4f4c-afa3-df4119eefed2,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa8179e-0865-4acd-9617-0ba3b0df9bd1,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a27678a1-a29e-4b6b-b832-00a37886dbd5,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0bc6527-22a5-4370-bea0-25ad7a53e776,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e68d6bc8-84c9-4e81-8797-513e65bdd9d0,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78238de2-a08c-4d54-abd5-5318ebb362ff,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46a6befa-8604-4028-a0d4-5eaed7717e56,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac5a04dd-177f-4bcd-9abe-c587f0b2898c,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5fafd14-8b0a-44cc-9479-70274707022b,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fd84af8-23dd-47ee-8c38-99f9166757d8,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b944fa-d3a0-4d76-a7f3-1f9e45b76b67,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a217d88-bf64-437a-9d29-f3f25611f5d1,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12377a05-c78a-46f8-882f-d1aa1cc314b9,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96ce4985-0a72-43cb-ad74-cdc49f5da1cb,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab6a808e-f2d3-4251-987b-a0ef5bd2e1e7,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df68c197-0c77-4fd1-bed4-1fa590b30348,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b658c2b1-7603-4628-a18d-02ee8aa22bea,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dd1a434-5757-41dc-bcce-4800102f2dbb,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d074eeab-4fbf-4334-9573-b8a1d6389bf7,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,283bf05e-f323-4d70-af15-9257e36df904,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43a5e9b3-92d6-4da0-a8f0-bcf985d715da,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95101187-4aed-4cff-8e39-c42ca2409171,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a524aa5a-5c97-4065-8974-6ee3c3618d01,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,54ae3c16-5893-432b-9d29-fa5f0b7cc8f4,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,175acefb-c548-4e55-80e8-67dc536983b8,"4/16/2021, 9:13:53.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,17af1465-5c51-489f-9a67-19238b90863d,"4/16/2021, 9:13:53.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5eea316b-812c-46e9-b6b3-d0c18d983f43,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP 
+ 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a6b57d37-8e29-4a53-83e2-0bf2b943876f,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,756471b3-fe34-4a1f-8e36-304517691e4e,"4/16/2021, 9:13:53.063 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5704 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4da0e3ce-45a2-4757-95a7-591053726bfd,"4/16/2021, 9:13:52.727 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,25890328-78bf-4db7-9618-072820027356,"4/16/2021, 9:13:52.727 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2fdf2a6f-b920-4247-a784-09dc444de3b8,"4/16/2021, 9:13:52.727 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,384cf224-808b-46c3-97ed-b9cfb23c8374,"4/16/2021, 9:13:52.727 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9664e217-740f-434c-974a-8f423a34047d,"4/16/2021, 9:13:52.727 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2f950bde-7282-472b-a401-9b685272c7c0,"4/16/2021, 9:13:52.727 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d63dc36-f23a-4d1d-9cb0-08c1637b1228,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,858346f8-2763-4931-a01a-efc257febe34,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ae18f2-3ce2-401b-89b7-9bde4c09ad34,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65c0b07a-33ec-4a2d-b73d-aa648bf86817,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ebefe0e-1481-45d6-93fb-bd655b12a47f,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4cb6c56-63de-4785-901a-794fca799920,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00c294a5-9bf7-44e5-b3a2-cb849055e4dd,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78cf78d8-9439-4a4c-ba70-114cc26a98ee,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92ad2694-b0f8-4d2b-8db3-6788d3d94477,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61de34c6-7db6-4913-a975-312c427f1b24,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c14cab9-6afd-42b0-a89a-22b438b9169d,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaec6d77-6565-486f-a9bb-fb75ff3ab3b7,"4/16/2021, 9:13:56.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31f63db-759a-4fbd-96fc-0a56604c7a64,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca078aed-135f-40c7-a0d3-7daeab6180e9,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 428 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e221f1c1-d3ae-4209-9bf0-40de20155f0f,"4/16/2021, 9:13:56.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,074e4f7a-3492-4297-aa8a-aa8d3adf4721,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34210d92-5a7c-4cca-9f58-d47e79b5038d,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9598544e-3615-45d5-997b-ca137f21ffe1,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,199ee7ea-c8b7-4e6d-8519-7388ccb94a3e,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\BODEGA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9a2bc5-2bba-4d1b-94dd-073436386b62,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43cf3e76-01f0-4af7-91a3-0f9493d0fddd,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b43be99-4359-485f-8307-261a69e50eb2,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c16fd670-3023-4096-8840-5057bb3cc0d0,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10720 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a39161d7-b436-40b6-b867-b159c2d22255,"4/16/2021, 9:13:57.000 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,963a9059-d793-41db-ae79-a309e0627211,"4/16/2021, 9:13:57.000 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29d496e6-8736-48fa-9b4c-facd5b41a9c9,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b99110-dea7-419e-9a8c-600d578581d9,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2436ab66-c5ae-4323-844b-29ac4ca09a18,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7028d34b-3737-4146-bda7-3a5807a1766f,"4/16/2021, 9:14:06.126 AM",,,,,,, 
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd3f9800-3135-4f50-ba62-8c502f9bfc99,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f157d055-4ad9-4875-a800-d68d1c302eb8,"4/16/2021, 9:14:06.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78fd8e83-102b-4b99-9682-d45ac992a988,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5188 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,628b9ded-6976-44a0-9a64-fa9f0671a96c,"4/16/2021, 9:14:06.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 
+ 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f800d72d-7917-496e-ae58-9a0a74797edc,"4/16/2021, 9:14:06.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a19545e9-9c0f-4d88-ac56-ab4422855faf,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab86338d-3c0d-40f1-afa1-a844697c55e6,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d04f7b5-5823-4a19-a84f-c464d7db4fb7,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6945078b-d022-483e-9f09-b703a7309ea4,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a0e3343-0dd1-432d-9d33-192ca4d1e812,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b163ea6a-134a-4ba8-8eb4-fafad4a0d0cb,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28deb7dc-8af4-479f-869c-4744b53d20de,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\SCANNER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9697f51c-516a-4aea-a01d-475772a6c4a5,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d541cc9-8526-49dd-a3ea-7a19d25dba94,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c7bf0b6-0cc9-4407-8aec-593940b717be,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c183cba5-36be-4f06-94d4-44db8807efd5,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93affa63-a986-4e09-8cea-bb66aab8b4ed,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f745700b-6dcc-4876-99d5-987097468d4d,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccdd6cb8-9ad6-47c5-a8f0-30dbe0a2871d,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,02d0c27e-362e-4b8b-9b4b-3e5c24e12e7c,"4/16/2021, 9:14:06.603 AM","%%5649 ",0x2,-,-,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2744 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3864b632-187e-4120-aa95-890aef170289,"4/16/2021, 9:14:06.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b7c39238-9996-43e3-8c30-eb504863b1c8,"4/16/2021, 9:14:06.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,197caadb-aadc-434a-a3a4-7ca7767ce36f,"4/16/2021, 9:14:06.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9712 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,eeeb1b62-421d-4202-aa88-9ed1b393f9a3,"4/16/2021, 9:14:06.603 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,797992d1-7744-44d2-addb-6a7518b9f44e,"4/16/2021, 9:14:06.603 AM",,,,,,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1739b5e-1bc0-4b39-9868-5d6e4c63c70c,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ce9d07a-d105-4430-8690-5b9df4beff31,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ec709ab-59c6-40b8-ac91-4b8f26abe6a4,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42850b6f-3c6d-4070-b9fa-29b94eff99aa,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55002199-0030-4b24-b4da-60459d8487bd,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f96a08ad-66b9-4472-8a90-1a7a8159da04,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8a68f3b-e7c7-4503-befe-b0fe6ed02242,"4/16/2021, 9:14:21.710 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58b1685-bb0f-48a5-9a3a-c9dac9662eb6,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4880994-4946-4929-94e9-1a0a4832a185,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\SUPPORT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b9b07a1-d2bf-4aec-82d4-8e0319ce6295,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\OVN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45e5f1f0-27b2-4b83-9535-af0cdcace40d,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acad2e0-d9ea-40c9-abf0-0393ea4b1f0b,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3084d19-ca85-405b-8fe3-e8f6f0e7c7a7,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8954ffc0-cc54-4f10-a868-2c3c1be734e7,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81291813-15d3-4154-9c33-191c89dc2950,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75619dbc-06e6-41af-bdd6-73f99f9ca535,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9803b11c-e4b6-4960-b0c2-0c9bec8d858e,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c44bb3a2-024b-4d81-9113-9f2c58482cac,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1309300c-d569-439d-8ced-cd97ba0f5b3a,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14d9759a-f70f-4854-a485-dbbcc86f3f22,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d13254b6-27b5-4618-bbdf-4d134d4d9fdc,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,784bc186-c82e-4475-b09a-baa61cc37b71,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,860ac7b7-12de-4e0d-9522-0665852ecf8b,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,64ec505e-3831-4e36-8b3b-dae333b316ef,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,110dce4a-6e73-4255-99fd-431c276c3ce2,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9d6cf58-fb59-49f2-95a4-7b4906e37422,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a2f6dd37-2cbe-409c-86c1-721b44326e10,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0b7c763c-a9b1-4117-9989-e0b7a448639f,"4/16/2021, 9:14:24.118 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4b842492-9416-4597-9de7-d24e547cde81,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cffaf9d3-c5f2-43fe-8a04-3a57407998d4,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4084e165-394d-4dde-b774-f407849c8a11,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2663ca04-3734-49d4-9c5d-ec6a97550bd0,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,822f1569-fb4b-4439-af46-2545da235cef,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,76251c4f-6fb8-42be-b641-5ad7aa9bc080,"4/16/2021, 9:14:24.118 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa4a2bd-2be7-461f-beec-68f875c6a62d,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81edb629-c155-4ab3-b094-f0bddcdcdf62,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4dcc0a-e219-44ec-ae52-216a8440613c,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e54442f7-9956-47a3-9b89-032dfa6f8e08,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbe0e089-dd21-474c-a9a0-021e82d73110,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02be946d-0047-4d02-a9a1-eebad6ed7757,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73bba9fd-75c1-4c22-a542-4dcaf9b341eb,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba3175a3-f351-4a91-8ade-96f9eef9aa23,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5453d817-d772-42e1-ade1-fae0e923e410,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5b40cb-5c62-4888-8359-c75dbfb488ae,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8947f5dc-f1b8-41b0-abcb-6098b0e67bf4,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d7a63c-2879-48fa-959c-f549a681bd91,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6291bd2-ee1a-476f-95d1-eb5ab54152c1,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49ea0ae7-6450-44ac-8a72-4fe013b7e11e,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89b48f9d-f150-49b7-b902-f3f8a4a9099f,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1406994d-564f-43f5-8c2f-bec781fc3295,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e39d6104-1f10-4e7e-bce2-f1137c911f1f,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c96051fd-fd03-4652-b3ee-591c097ecd5e,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44565af2-e4a7-4557-8fc3-f4d08c3b9c61,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3cf16ef-fac1-49c4-b3d1-4459c8bb2c56,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48fb178e-a53d-411a-8858-c4e53d2dff42,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,376657a0-7807-4f38-8b97-e554c15c1443,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc0bf3d-0b9c-4435-84d8-7a4cdeb24aac,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca83b0ab-2dc1-4669-b270-2cffe3cafb0b,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e889fac-e45e-4fde-8fee-cf64f2fe67b2,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2772 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,422b75bb-a132-4603-9c8a-1b6095cfcf9c,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1287d147-dcc5-4d85-b428-bb1120f0a566,"4/16/2021, 
9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7876 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,02c2d8b5-3fa0-4011-adfc-eaf67dbf199d,"4/16/2021, 9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7404 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b17abdf-627d-4081-87c1-ed56f51cb672,"4/16/2021, 9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5304 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK 
DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,94180f73-3291-4a70-8e7f-3d2d95f9ccb6,"4/16/2021, 9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7008 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,07365176-7e03-47c3-bd1a-b0a26222cede,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bd3acc77-7e79-4da5-ac07-ae91eab00408,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,926cf7aa-6ef5-481e-a8cd-b5e471159d25,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d67daa9-a5dd-4fc6-9b91-b4f9e660a338,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a06f5ae-7dba-4e4d-aea6-16a7314b5cc4,"4/16/2021, 9:14:38.453 
AM",,,,,,, +\LAURA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68faa33b-bd52-4473-b443-433836a2c11e,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c852277d-7489-4b20-94a6-1df8c07e4e83,"4/16/2021, 9:14:38.453 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b11177b2-e0bf-4b92-be90-9c026a4876ed,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\ADMIN1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b00e162-e555-4df0-a419-48a953165a34,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\LAPTOP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b7da7234-5efa-4e91-82ae-a100b8d5e535,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\SCANNER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c7893f2-3271-4ceb-87cd-2eae46273ac3,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a3a37b3-cd33-402e-845b-e75813bb36f0,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c981621-8855-423f-9b70-12d6235a88e6,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,835be4e8-cdab-43b5-97a6-4c7e581a93f0,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\AMANDA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bbc215b-8528-4921-9eee-79aca8f37f44,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d71bcfba-55aa-4678-87b8-caed199e78b8,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cffa6a77-16d6-4d21-8da7-06d174c817d8,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa15cac7-e8ee-4229-a072-8ec4353bf95b,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee5d86e-6b8f-496a-9646-886266dcbca5,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e54c9b39-527e-47a4-99d7-bc644b315f4a,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c221ae10-49c0-45e2-bbd2-9e56af9804ee,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,702db224-8e6c-4c01-bfa4-f5dc2ad1bee7,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c740851-b4d1-4a55-b9e3-cfc57f8919bb,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc6b3be-cd0a-4399-bca3-bdecaa35a2b8,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19f596ec-b598-498e-8084-5f796311663c,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2518cdd4-cfcc-42d4-9f02-6fdb75e3b578,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adf0a6fc-3de5-4ca2-bc69-ae52b2b02234,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0d11968-ed6b-4d34-bc44-91953b587d1e,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8433f75-0093-4ce7-8b53-4d80557ed2ee,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a32a269-1367-4773-8165-b222d0730ed2,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4afb8171-dc82-48a2-8c64-196f747e3718,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033e1a5b-9c25-4c18-b7d5-1bc988ec8273,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,021c3f31-8946-48a8-99f2-df227dcd3e31,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7e5dbc2-c815-428c-9cc4-52984182f517,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2fe2492d-e2fd-44e1-8872-da70eedcae3f,"4/16/2021, 9:14:52.729 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e6f01b26-80d8-4b42-9cd6-f4e6a7b33bda,"4/16/2021, 9:14:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f278c156-81d3-468d-b73f-66962deb7d95,"4/16/2021, 9:14:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3809fbc1-832d-4257-9b39-aa4eb044ea3a,"4/16/2021, 9:14:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7f65ad0c-ae92-430d-8b2d-f7a9eeafbc1c,"4/16/2021, 9:14:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37a73572-b538-4b72-bbb5-6f77eb352e05,"4/16/2021, 9:14:52.729 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,949cd0d4-8765-4ffd-ba41-38cf0e3a067a,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd1d4726-ddea-4e37-ad07-bd248005dce6,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeecb775-e015-4303-981f-99407cedff66,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcbc4f95-ec15-4aef-9cfa-2400095a672a,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9589af0b-a889-4b00-bf05-c1905a156b65,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57afdf1b-3fc0-42bb-821c-f8ed3253970c,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c953b4f-1b90-4b62-9879-cc5d3ee7de89,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\ERNYJONES75,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,918d9315-07d7-464e-b133-e0eb5de82010,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09556fd8-d49c-47e5-b99b-f006d608c562,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\SALES,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b98b9878-d140-4033-998c-73437ff7a818,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20aab48c-6c99-458f-a1fb-050a7cd00f34,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,504e49e3-407c-45b4-a321-a17237553c9c,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c600ee1b-1b98-44d8-8b5b-c5d973005830,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdad0b62-df3f-4257-8612-af22cc1c6531,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b25ab34a-cdc7-4faa-b7af-83e1a8b63a63,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d51835d-a865-4e85-9dcc-27f698a30f2b,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ec26c9e-5c33-4353-a547-14bb7bc97e65,"4/16/2021, 
9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86883163-7e0a-4dde-96aa-791f3d936c05,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5aa00b93-2b0a-4400-a932-a8b51ca1e1cf,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36e53ed2-5987-4505-a840-c79a4ae61df7,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,983617b1-5f44-4182-967a-5da98b2c1359,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b68eed72-649a-4e8d-a6df-da16c5c9c472,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,504cf874-d950-484a-9bce-683eca3a77df,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 
- Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e0746415-87d9-4abe-bff4-387e6fbd13f8,"4/16/2021, 9:15:03.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7f52e161-ec56-47fa-a48c-5dff1abeb35e,"4/16/2021, 9:15:03.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,b22af77e-30dc-4a63-ae3c-30825d6531e2,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2a9a36f7-21cc-4461-97a4-bceecbfff837,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,efa49ad7-286f-4a01-b33a-7506987b57d7,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,318872af-c193-4bb7-a28a-5518659a2990,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26c82514-aa4a-46ca-ab35-9138c85baac0,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41316cc3-fdde-4223-98d5-eb6b5499136c,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,45ce4476-3a5f-423f-9cf9-eaa7e4183d26,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7c8e32f8-54bb-46fa-94d4-77a5e0ce0147,"4/16/2021, 9:15:03.061 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6783f7e3-454e-4ba2-8ada-4b61443eff88,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, 
+,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8e0576-ba60-4ec7-a982-9d0e9eb32d2a,"4/16/2021, 9:15:05.710 AM",,,,,,, +\A,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e6715f4-d34d-46bb-a293-0c653aba5355,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0cd1642-4eb3-48d8-b711-d7869318c510,"4/16/2021, 9:15:05.710 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63d6e5a5-bb18-4579-bde0-0124a7a9bf93,"4/16/2021, 9:15:05.710 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04385f1d-814e-4721-9adb-acfbfd43dd6c,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,791920e8-0d4f-4ce8-a90c-75aea6436425,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed66dcad-adda-4389-aa3f-d41b546eb27e,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80d32afc-b199-4e30-bffc-c712697e65ad,"4/16/2021, 9:15:05.710 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c108fde-9535-4c77-a968-ce80719e96c3,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16eb195e-a33e-4bb5-8158-857535d22668,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,705bd659-9958-4bde-b8db-4a06efeda857,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce4e2b70-9a18-4a56-af83-52ba0e62dc2d,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4435453-2186-4f0a-95cb-67dd9813ebc8,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25aeb1a5-106c-43d6-9221-db89a5c969ac,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf9db08e-ffce-4d41-bbc8-aacfbf152d66,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ae6e585-b0dc-4632-a88c-de0a3f27db7a,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7913d863-f935-40c8-8abd-abb860740d6f,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8b7764e-c471-4f99-8d1d-eaf62abec2b5,"4/16/2021, 9:15:05.710 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33a15336-9bcb-45b5-afe3-3a7038df64bc,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,205febb0-dc56-42ef-9795-edff97cb08ab,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db1f6461-88c4-42c1-b36b-f1a4baaee2fa,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\PRINTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afdd1091-b1e8-4ba9-b42e-4f7ccfaa8774,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcf58e23-d5bf-4ee4-a738-c9f9a4fee1b3,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c467de19-029e-4d25-88a9-9618157c57a5,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfa36de9-c26b-4426-94a7-9ec374b8ffda,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,740e5a28-30fc-4351-bff8-d87b9938e104,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35f69336-d8ff-428d-8553-0be331019fd4,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a473d666-93cc-4c29-8e93-37d6709956a7,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d403dc94-abe6-480f-ab20-46ab1eb1995b,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcad2a6e-d5da-4a61-9eea-6b3512133058,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67d4dc55-beac-4a80-87ea-8b90c55b7b19,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9acaf1e5-a29d-47b5-8c8e-a4268e42893e,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c04b224-8696-4ae1-8ccf-4d857eb18ae6,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab178e97-a6f7-4efc-bdac-3c78141d2c59,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b8e04cc-fe74-43c9-ac65-22b6be213f80,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f56209e6-7bb4-4a5c-88eb-6ece0087e2e7,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fe6bb28-3ecc-49d1-a411-494ef88d9bea,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f0c77fe-8556-4af3-aeff-dc2a8d7fe0e3,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a991c69-92f2-44fa-8fdd-a908df23301b,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5dd7c5a-d02b-4fa0-ada2-aef4fabefe69,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216b57bc-deae-42b3-ab30-d67718dc49b7,"4/16/2021, 
9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cd1fb7d-bf3c-4066-9318-e19c4e2a92b7,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de03ffcb-7922-41c3-b564-1bede23deb16,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c0ddc18-302a-40ef-9ff3-74fe434b28ea,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd4c692a-2d54-4d31-a3ef-0bf76afaffbf,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d810a795-f563-4172-8378-6f445fe79521,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56fc76d-b8fa-4fbe-bcbd-0ee5dd182a8e,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d066f72-6ea0-431a-8cfb-814c5fa3e28a,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8c26a1-797b-4505-9717-1ac0a964eea6,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c679fc8-cb72-4021-bc4e-0d5a3fa15dd5,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70c3dae3-1d9e-47d8-894f-b479936b909f,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8d12616-7533-484c-95fe-e0045caffaa3,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7311fd4d-51c4-4d45-bf60-a517502f6b47,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df78c64-b1e3-4582-9d84-9339f512061e,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6507e9df-b5e4-430b-8ac1-5bdc412e4820,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd6044b6-8d70-4e33-a39a-770df3e8f38e,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,615dd499-8f56-4108-a718-9f41ebdb69ff,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22ecdfb2-0d42-4aae-9ba5-80ed4ef3a7c2,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87a88bdd-c9d8-4ea3-b28c-6c393e26836d,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee531553-569a-4a9a-8e7a-867399417999,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3274f49-e3a7-4839-8bfb-c6cd65bdf8a7,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a579f241-e192-48d4-93b6-3107f21adb91,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d9f4dd5-030c-4194-96d4-2f47e11a0374,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa0ddf24-5c13-4b02-b9cd-f39b326c8233,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0083e69-c08a-4c81-bcfc-ba3d341b5f81,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dce7e89-0802-4bd5-8ee7-fc8b1c125825,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73885f23-69c0-48e0-8e0b-4b5f682f3a6c,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,413d0065-f719-45b6-9403-646297195557,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e0a12e4-57af-4708-80c5-fb17601a65ad,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad99f894-1bd8-4013-aadb-7b6aeea94afa,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7eb7cb1a-d676-487e-96fd-bdcf4262a671,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e24668-9d23-4aaf-b51b-2116edfd1c62,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d61d137-c39f-4957-93e1-933b18ac6a35,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bba8e15-8199-4c6a-95eb-6650a3c8de31,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e4c8264-9110-45a7-adaf-eade8e118cf5,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,264346be-f988-48aa-919b-3dfd0a04f68f,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7716d353-680d-43fa-b016-e0a7826555f7,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e065128-0215-491f-bfc0-bb318c20f5f8,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23788b00-39f5-4644-a1ae-45556f708ae5,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89497999-b0ea-4939-82a8-1a4ddeb21aea,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48b0e7f4-57ee-4074-86dd-e0a9baa7481d,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51de1f6-cdc5-4784-a3f2-f805b887ae11,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed454367-0781-46e2-ac2e-f2310588f670,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0b90f57-d8df-4489-b686-6d0626e6c102,"4/16/2021, 9:15:21.127 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ced2b9-0ba9-4766-bed4-7fc1dc2ef70c,"4/16/2021, 9:15:21.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b58c886-1737-42e1-9c43-104487bd9ac3,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8138a9fa-0283-4187-9cc9-1dc55df0073c,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8520 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,725fea40-6411-4a3d-b5cd-376bebb3a6e3,"4/16/2021, 9:15:21.127 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1780 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ebfbd45-2ab7-4efc-b474-16314f1f2e25,"4/16/2021, 9:15:21.127 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb4224c3-6974-4de2-92d4-4e9919a8f63b,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dca5528-2372-4eba-8911-395c70f0353a,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a1d5eea-59e5-491b-9484-be48b226f7f4,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1a732ce-cf41-4786-aaf6-ab951030d3b7,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\CRESSKILL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56e18c75-ee24-420c-a26b-ccde6adaea80,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3020c860-95cd-4326-94a0-bdac8d3a2724,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7794b4da-ab3f-49cf-b5cf-24b9377c9f02,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b7aaec-f2ed-479d-875e-ba7d479a4f21,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29b96507-4a6c-435a-95b3-19ec4b93b302,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56fbae52-2833-468c-bf27-4c9eb3b4388c,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59e38e66-d41f-47fa-8113-435572aa2b43,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1504cddd-52a3-4273-8985-964ac719818f,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0090f31-cb38-4628-8272-13a9d40f7474,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,164971d3-db2b-49d5-bfd9-1a954b04eacd,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aab58a11-296d-4373-b54e-3797d29c68c0,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df08cb27-81bf-4323-8299-aa6ccd1204e5,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a83359dd-59c1-4fce-b802-8985d79e377e,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,168b7688-4c85-48ae-8117-a79fb3e041a8,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,948f416e-abe4-41fe-bd45-e16a3e65bdb6,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1066bf5e-ac22-405b-9205-b6ec110345e2,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dd38a20-1f6d-4a4f-afbe-bf569e041879,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acbdded1-c6cb-48ab-8b07-2e2d813a2608,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ACUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,449d966d-8e53-4c30-96c4-8a975db73aac,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a957549-cedb-41e7-bae9-36be2db6ef47,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d037eec-1d54-47d5-9ec1-14771b378483,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc88aad-832d-48ee-ba9e-2f975b502bd3,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c3973bf-a48a-4ccb-9b70-b2f31ad3a58a,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,542d14c6-61da-4229-873a-9aa802aa6bf8,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20332092-e7f1-4acb-9d83-47617ca35839,"4/16/2021, 9:15:38.138 
AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46d63d79-9b55-4553-857d-567c0339b4a9,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c5108de-fce9-49cb-9192-943295d64d6a,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66d3cfbd-8817-43f1-a2bd-f2bbf16f5fc0,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7608584e-67f0-42c9-9cbe-b6d4b4b11b55,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,c66cebe0-0b4f-48f4-a601-14d9f190ef25,"4/16/2021, 9:15:38.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43176116-fa67-483e-baf8-18119b640157,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\WP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0721f2f1-1612-4b84-af03-0c7349eefe39,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b662bab-d9b7-4c0e-962f-0390e358ce4f,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8379e4c1-f29b-429f-abd7-874aeef98d2c,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ecb0dfb-d368-4af2-ae2e-f5af563b7cf1,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8abc178-3c06-4898-b9bf-68d96fd2e836,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,288e3033-b4a1-45f1-b9ea-306054c4ea4c,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fae65cf7-9174-499a-b3aa-f93232c30b41,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\AAUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cdbc56c-75a2-4a36-bfea-197d90bc5a32,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2321995c-0ce7-4b83-972b-72b9f1404636,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,568a5c62-af98-4845-a7f1-bc458a62d2a8,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,003ff8d2-3a40-4458-aafc-1d240e79a820,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00e0cc0b-96f6-4844-9fa7-31d1fd34d38d,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,136b6c1f-1c92-4de8-b202-61c50c566366,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e68f238-64f7-40a0-87f1-d25378dc61f3,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c451ccd-a97f-4f94-b00f-8a16e1146b5e,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,577ca4ed-2b57-4add-9997-e6257a8b1d7d,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e817b3e4-91e2-43e0-afb7-846d97d28940,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb9871d0-bfd1-4a45-a662-bac07c6186b9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b098f0c3-0759-4b90-8b27-bd3a0a37d5a9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2addb6e-0a34-4f64-a49b-db4fbc1e8432,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8148852a-b89f-4971-9e1e-505ece41a764,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7120358-1bd8-49e3-8f61-a94a93bf5939,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf439c26-700c-4541-aa08-910b75c131bb,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deeb99ac-2ad5-4e6d-a149-176a03743860,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11ef0c92-347f-41fe-914c-836089726034,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f7a5f22-1a53-4050-b115-e3b87a24aec6,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a6f3385-6925-42e1-b41c-a77aebac822e,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5cd1fbe-33a6-43f9-ae47-6d00ba015ed9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e1e0afa-9ee8-4d6f-a52d-592f7477db4d,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f2c38e0-9d35-45df-b987-6ef6691c5bd9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10cb97e5-2ed4-4376-b01d-273cdcd4a6c5,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1e2ae3d-6fa2-413c-9979-d8acfb252e0d,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d899c4f5-a4b2-4b55-906d-dde64ce85664,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0d8da8a-a0b5-48a0-9f81-29aa93d9413c,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c381f032-9119-41aa-9263-aae5dd3a5917,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d975a167-16d7-43f7-9317-51a062f995a0,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9148739-535c-4b99-8bd8-7fb40531c250,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02b0fd83-8be7-4bb1-8daa-fe28072ccada,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c087a8f3-67fc-414a-b925-5fc5672255a8,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4a27f99-3606-46b4-9186-72f304f66258,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b6e122-520d-4744-97fd-876d9eacfaf6,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f111c0-ba6f-44cc-be5c-9260000e9a3f,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97d8800-d21e-4b09-bdb0-f0010253a093,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b0146d5-c76f-4b90-affe-bc31fdc7e427,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a705a1d-a78c-4776-9d9e-e41a1ebdc668,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12853d03-e3d8-4740-8d4f-f24f570e6f70,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,914c7e08-fcd0-41e9-a3ff-95cf0b544b8f,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faacd5a0-de6c-4510-b17c-f6d3362e9df8,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,355e5fa5-0177-495d-8b46-530b7da11c3c,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dccd7d78-5b4e-4aa2-b5cd-0c45ffa16937,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,559ee6ef-c4a5-43d4-a5a8-6889a841d7fe,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffd96160-9254-4f14-9686-b76f6b3f41fb,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c76325d-ee68-40c4-bd45-c9c85a0cfcdd,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5976da11-23e6-4b7e-8018-25bff9693681,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b95da42-0cd1-4323-af71-4b209c930c43,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31969c44-a6fc-4a0d-8cfa-33c99f7140b6,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9a69f7a-21f7-49ed-9f0a-683290dbfa1a,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0bde656-7a8d-40d4-b011-a8c3c5fd4c92,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31682c78-fb78-4262-bc8f-983700ad9cfa,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33aab45e-b26e-4d4f-b71f-c37d90055339,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daac3264-8223-4bb2-b168-e70c358f9466,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7bacb9a-51f2-44ce-be8f-a6b3f8c5e056,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e59714d-0e58-473b-bdf3-d13f00b13373,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a018a08-7dc0-4801-a33f-cc8c5885f93f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c343f938-b20c-4e1e-996f-93a298cac6b2,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4c03cc6-b77d-45d6-9995-4a3bd6b5a58f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98c90cc0-ffea-44c8-b5b5-ecd754e10872,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d698e0c-d563-4fde-a8d8-b16e1a7354bf,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f533a7-4142-4409-9b73-88d90a504cf5,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf22632b-59ea-4a2e-86f3-b979768c5acb,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f2b07fc-288d-4882-8d75-a6ba8b2a36c0,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b4d753a-50e8-4f91-9052-6b9c69e31f98,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ccba23-4136-4be9-9b6f-d6cfa64b94cc,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c183ee4-8c5c-441b-ac51-ce76c9cec012,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f00bc96a-8695-4fdc-8754-1df71f2fbd65,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83f20b7-716a-4a54-8254-b1e81b252900,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ec7cdf-618e-4c73-be27-c3f614bd5199,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,066531b6-d36b-47cb-bf3c-60c8af6aeb0f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ef40cbc-9752-42b8-a544-559dbad8ba3f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b055476e-7941-4430-9626-1ad24cbe8d10,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff42c9ba-2429-457d-84d5-71eaeddd2212,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff59c467-debe-482b-aee7-9ef1fd43ccd9,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,856d88ac-e1ca-42b2-9639-4dd6f17445c5,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b6f438-4964-4ec6-aa00-06911dd64dfa,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51c98aec-99bf-4aa7-923d-a0f49452a61f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff06761-4603-483a-adb9-0ad3f808bcf9,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b768524f-4f18-4c28-b8e7-8449f6c27eae,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fc6c680-a365-4f66-991a-6ef98c8761c5,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14d27808-b3b3-4391-ac35-5e50c873605f,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06f0ad1f-e3cd-409a-ae12-9b433000dbcc,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13dee330-925b-4af0-ae39-5776618c1e58,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b274c33-66f5-4db6-8c9c-6695494300b7,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,722f7f52-0fc9-40f6-ac9e-a0445b7a2096,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,145c0b72-2739-4f66-b0a4-21eecd92add6,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b964fe24-3b68-4ebe-97d4-361759f74e6c,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d0e6f9-8359-4d50-be86-4f997e29b44b,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a7cbfdc-efa9-42b8-a046-c7384d569b45,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31f2b2ac-85de-42c6-bf94-8afede10f8f0,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35bc3b77-e9cc-43b5-bb7b-6f2c7fa72a0d,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73730ccf-5469-439e-8730-c9ed6824951f,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9608df17-f279-4fce-870c-172eec676b47,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43e01187-ba6b-41f4-a07b-5d78e819985c,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4282fe73-8487-4f3e-9e22-f2adb347d386,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ea7d259-bba7-48f5-828a-d57b85de8669,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbc3760-590b-4bd4-9498-0cb54f702be8,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6342edb4-9cb8-49be-a305-50d97eec5b84,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9af6c98-02dd-4d6b-9b54-c50583428449,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a247e5a7-4563-4818-9df6-b61b82518721,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,66ee34a7-000a-4d78-ad5e-c125f53bc15f,"4/16/2021, 9:16:04.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4742ae26-9845-40f6-9051-539fbc9b039c,"4/16/2021, 9:16:04.729 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3f8ddabc-29a8-4679-b168-47073c83267e,"4/16/2021, 9:16:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fe59a270-5906-4644-8ad5-7257a1f48828,"4/16/2021, 9:16:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,08789140-981b-41c3-9e60-e780133effca,"4/16/2021, 9:16:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8a04de1b-5604-4467-bd67-96fe5293563e,"4/16/2021, 9:16:09.882 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3566d089-4f2f-4f3b-b3ed-2cd6b932cfe9,"4/16/2021, 9:16:09.882 AM",,,,,,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f24a542e-4d5b-4a9c-a243-564fde758dcc,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6b85917-d1bf-437a-b6cc-156f674c3bbd,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12fe53cb-bb61-4c2a-9919-7af45356a464,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2cb7bc3-d64e-4f9f-8c98-b6f88cb1a8b1,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cda14a7-af8d-4b9e-beaf-c9373bc090c2,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0099a552-347b-4e31-8d17-cb5579167f16,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c82621aa-5966-4dd1-917f-c43232d4ebe9,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d55987-b583-4979-98f3-11f56f60fabb,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a6c994-bc35-42fb-a252-7dec312cff36,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23c08c0a-b53d-4054-a7de-cf72cbb963ba,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daf0eea6-dfe4-4446-80e0-88ba6cfb344d,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8eb6df2-7745-4399-abcc-663f58f2efdd,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14614af0-1d8d-4b62-864a-b2a5fbacdc48,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71840705-d971-406d-b845-575d981ad845,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,720b6780-a9ae-4118-bedd-fcc0c184ed3f,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ea966e4-47e2-422a-86cb-32f99df9a31a,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa66e4fb-89fe-4ba9-9ae2-3b2ee7780dbe,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbe8cb35-6a5c-4abd-84c4-b6aa18a590e1,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6213eab-e4d4-432c-829d-179ad975eafe,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847b2075-6f47-4e80-ae95-b6b08d986a39,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc367f4-d3ef-498d-a9c1-da06f89aa14b,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,45e56c9b-eb1c-4f7c-a063-05429feda5f9,"4/16/2021, 9:16:32.125 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbb0c48-d046-49f0-9547-77b6eaa05130,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfea3473-7930-49ae-a9d6-1ad0b3661e15,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15280 + 50 + %OSDRIVE%\WINDOWSAZURE\SECAGENT\WASECAGENTPROV.EXE + 32 + D9D6BF2584834D2A5C628EB1A641A9464AFDD6A134FD604DF5BB1FB0A4B8A411 + 89 + CN=MICROSOFT AZURE DEPENDENCY CODE SIGN\MICROSOFT® COREXT\WASECAGENTPROV.EXE\3.18.1722.00 + 0x3e7 + 43 + C:\WindowsAzure\SecAgent\WaSecAgentProv.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,feec217e-161c-47bf-bc87-d68316091e06,"4/16/2021, 9:16:49.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1832 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e3fd3530-4044-45c6-b51b-af932da75cda,"4/16/2021, 9:16:49.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3992 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,02007515-4a6a-4432-bb49-a9163ca02f10,"4/16/2021, 9:16:49.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10852 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e1acfb99-cb46-442c-8630-15239bebbaac,"4/16/2021, 9:16:49.997 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4799837f-af12-4b12-9077-1dce971f3a6b,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d1626d-3e64-4be8-addf-4655b4ab46e9,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fe933ca-9ada-4c15-b235-aa2ab078166f,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98839ef4-b42e-42c6-8ed6-c357e2ef199e,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bb773e9-824e-4a52-978d-fd613876ace7,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c3a070d-34e5-4e95-89ef-0e43eb4220d2,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fac3c70e-4bf4-4ff7-8f9f-673581ea3ea8,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b39f81c-c6da-470f-991c-dc6605174b70,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf467561-eab0-44aa-81a8-b1d910a71265,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cc2b315-2e21-40b9-b83d-42dac8e39e11,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3ba8bb3-2896-4dd8-960a-59dc54e852fd,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f23cb4-d358-4950-a64a-5b88b230948b,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36f67901-be44-4025-8015-ba596d800818,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\NICO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd3482ad-1736-4d13-a6a9-f1ba5ffe94f8,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15cac0c0-b1f7-4cd0-9166-af782e734737,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3523898d-124d-43ca-abeb-1fc1fbc06cb5,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\CRLSALES,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d2d4287-104e-4a93-89d7-481763954c1f,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfd2d3f9-80af-48b1-a3bf-c634410fa1fd,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,611d3179-c005-4248-9564-3d26b3e03965,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdd4416a-a336-479f-beb8-9bebba17c88f,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac313715-a4e4-451b-9dde-73821935c03b,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e12a2de-43b0-4801-aa1d-5eb18ed08eca,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5950638c-7449-4130-adf6-dba29cb65436,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,333a2a82-b59e-4268-9e05-c864a56de8cb,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552c0abb-fa4b-48f8-95cd-b3b174bfde2d,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4195bfaa-ba69-40bf-a735-447b27e1b452,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a690524e-0476-476e-8e4a-65deba6bea77,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b7117c5-a2a7-4947-821b-37d000829a14,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4948e35-eafe-44fd-8563-865cb87e6b16,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80edc59d-f9ee-4e6e-b0c6-14f9b3c8e745,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6da85d67-2482-4db7-8632-7ea45fbe7d98,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c575c94-f1d6-49d3-b107-babaf11b9c1c,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e56c365c-d698-4465-97d7-e72c826ddd2b,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2efef459-bea0-4f02-94b7-eb1835ef0c3f,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,865fbce0-674a-4de3-811b-666c84f733ee,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a0d09bb-9d67-45ad-a2f2-87ffa8fc2c51,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e86489f1-1421-4c84-b14f-e706d88ff463,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26949f48-ac61-446b-af67-d8b642c43c4c,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1265c619-dfbf-4556-b27b-814d468ab3d7,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b09847-2c35-434b-91f2-ce3059fd4a0d,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6ade599-2603-4213-a140-a056cf91185d,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa3a190f-c2b9-454f-b6a1-874f15bef5c0,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f67f34d4-b28d-4c87-b614-b351675afb88,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84db4be1-500e-4d3b-b3fd-955ee43e9fda,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e20c42a1-5327-47c9-9d31-f5412b21a0c5,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88387d12-d768-426d-ba6c-898d9466061e,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84af25b2-538d-4690-9d48-8383627aabed,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,933c620b-0c19-4fe1-8a74-898522a6e9a0,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27d4a913-987a-4297-acd4-139ef473db20,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fe6b6d4-4b97-4ed4-8452-cb4636734f87,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,681876b2-834e-45c7-bc5c-a27437102fda,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6153812d-9e26-4003-9721-f309ade02cc6,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee91109b-45ef-4c14-a182-4ade6053f6df,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a1bc966-aed3-4293-b3e9-53db250ff72a,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e180fa36-690c-4cd8-a2cf-07be8f74ba9d,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a500eb43-3d6c-4a6e-b96c-d5c6e23c443a,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58c6b9b4-4984-41b7-a691-4d5271aa7972,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb7aa57f-f801-49da-9bc8-1c1347fc592a,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,606b270c-43f0-4d42-8e37-7270101a8287,"4/16/2021, 9:17:35.128 AM",,,,,,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,544fe875-8dcd-46f6-ac12-e8b25c0c8416,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10251e47-700c-40e5-9e6f-d07b60c0d678,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17bc1fd0-2133-4d11-ad2c-1309c34edb1e,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3194cf35-78be-4b89-a26b-74e91f94a174,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7e3700-b5ce-4235-a683-38e965eb3068,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ac54c1-8c21-4b38-8e70-ed76c0791e56,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a00b51f4-bd9c-4d8e-a229-f4fa06850ee5,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fee9465-48f3-4162-855a-dac78a465ecf,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f43ceba4-d05f-4994-919e-1ed203325f3f,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ROOT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d423497e-c202-4488-8f8e-a63f6c77f386,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc6bf9bb-8462-4075-a84a-99e88c772935,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de31ed7-8cd6-42ea-b608-e22f05082144,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90f27c40-1b73-4ce6-b4a8-b77675c72bf6,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b69fd04-091c-4e37-af76-1a11c1959af7,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cb9a126-59c2-4048-b068-d7c99266add9,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7165f5c3-ebfb-4a9c-94c1-7e6ad2791bbe,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f7b3c56-be7a-494d-995b-182cd4e533ad,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc57696f-8401-44e1-b258-97f97094dbd1,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58cdc03-1537-4e75-bc78-c76daaac9109,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae42067d-bc28-4cd2-89d5-be88599dff7d,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4d2c3a3-6b36-4b57-a6df-d5dad3fcc4d8,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8ec9a60-e335-4c09-bc70-d485f5e20f0f,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8caff9db-dcf6-44cc-aa54-dd07f7955d75,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0cbf553-df29-43a1-8f0f-7287e8783bac,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\DJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a838c173-3383-44e2-a8dc-8a68d1317a1b,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b89e0a34-03a6-4007-bd77-cd4a19b7b387,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c1b710-bf91-4a08-982b-978e081cd38f,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c20f8a-2a2e-4afa-954b-e3469a3a85c7,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ddb16a8-42f5-4fee-8ec3-59aa4fde13e9,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb43d967-f7b6-4ca9-b81e-6cb03d0f99b8,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b627e686-b480-4184-86a6-a69a308fce14,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2500abe6-c64e-4cd3-a893-d78383c40546,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fed87c62-0227-4e85-a618-b8175f6ff32c,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0305ab8-1b22-4907-b78f-b801fae45eed,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39187ff9-c243-4a50-80b4-13bf096fcb85,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27030091-4c2d-4b5e-a11b-7e2aebbfa432,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6359a9a2-8adb-4638-a1ce-348c46e50bc4,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13348 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c1bb5a5d-7553-4223-8151-5546bd3fe5b3,"4/16/2021, 9:17:57.074 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,13a0442a-69eb-471c-bdb0-1a9f63b03488,"4/16/2021, 9:17:57.074 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06954fe1-d4d3-4fbb-a4fe-7b264d0f19b4,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,582d8cc1-2524-456b-b5d4-48859598b1cf,"4/16/2021, 9:20:23.738 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f42e73-a5d6-4dff-8e65-6a24da333680,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1286f552-30e4-4c30-a4cb-d39b808e708f,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4896cb7-ae6b-4d73-a6b1-a2682dbd13bd,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05b7d91c-0e07-47be-9611-d87b39549e04,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\DOOGLUS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62dbf2e4-2fab-4137-81f4-a9537b5968da,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b771c100-ec81-4908-934d-106b942400a3,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\DAVID,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e419b2e-16c0-4a64-879c-6d4999b7a309,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab186621-e883-49d0-8e2e-12874459afe8,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,669cfccc-f754-4bfa-934e-ba16175067b5,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4764512-aa16-4ebc-a454-ac0157c2209f,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91be5039-9b2a-4dfa-a6e3-48fd87cc51c1,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06c5931f-d666-4e78-975d-3bf7832fa146,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a42bcedc-3e1d-43b6-b6cb-45fa1dfd01c7,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be39919b-efb7-4fb2-af00-2f5d5a804deb,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8adc4ad8-c9a5-4723-848d-616ea22786b7,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecfa9993-f928-452d-a0cb-a68d83d26d5b,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bb70633-70e5-4333-8667-56b3baaddfab,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20b51e03-f577-4818-ba8b-99ee30bc03ce,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45d8de6a-a6cc-4423-89fd-4ce2cb80c94e,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a071f6ae-ae3a-435e-b25f-7fd850e4fabb,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94afbd90-1fa9-41ed-a804-0c6b39fff2b1,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05bde192-34ad-45dc-af54-17beb04b6ef2,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,257f4bd5-813a-4357-968b-81a9948d2a80,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc1ac3fb-ee4f-4863-8e56-2f1e2695e711,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4a37ed9-9125-455f-816b-7e1957b6cde5,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3ab0a0-3a4a-4409-8d6d-b2bb3fbafbc7,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db1df8f7-aaf2-4dad-b278-46726501fd20,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4535d88-cc4a-499e-a5f0-3dec75e11726,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68442f3c-38fe-47cd-9037-891b9d679aee,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cd56e8a-0d83-42d3-8758-d109cebb94a2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee32e43-3699-4bbc-823c-cf28498e7005,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\biblioteca,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2d6096-b227-46b0-b95c-f2a5327ce4ec,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a07da7b-a1c2-48a1-a24f-7c8b82e12fe2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd7383a-3976-4983-a5fb-7735691efd67,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d90bda93-645f-4863-a87c-ba362799e0f0,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a49b1ec9-042a-4e79-99d4-d525b5e88d97,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f382494b-a3c7-4be1-b7b9-45434a618885,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7347d1d-3f6b-4e7d-ae8a-624a0a621acc,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb167292-2af7-4f2a-88d3-89a5c8501524,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b35c851-7d4d-48e9-bd3f-88194f32a5e2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\brqadmin,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fbf319-632b-49b6-8ccd-d5472a4984da,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e96a921-93ae-4bce-9110-ceab6127630e,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fe825bb-09a5-47ea-9b97-6c90bd9edd3b,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d9493fe-7fa8-4daf-be8c-6faa840e866f,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7f79cbe-72e2-41d0-bfb3-c9c745309185,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161acea0-3315-44d3-9539-f4f566bafb2e,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6eccb2-c4b7-4f70-8d10-cd7d98fc1262,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a747298b-6e5b-42bb-a8da-3a362aa1d509,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1d7ee0f-21cf-4baf-9aeb-93b3c5365d9a,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e49281e-c23e-47b9-afd8-c1ebd9e7dab2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68055d70-5b96-40f0-a1cc-f9340b73e5fa,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\butik,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccc0b7bd-af1a-495f-9339-b7d512e0a3f6,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1bcc1ba7-cda1-44f3-96fd-6324d1f500f9,"4/16/2021, 9:21:48.409 AM",,,,,,, +\KASSA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ea377ef6-9dd0-4938-b2bc-924a96292f4e,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7070ae4c-b0b1-41bb-abb7-9fcfb6d943f0,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,32b4d561-e5fe-4c4a-b0dd-ca544815927c,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\OFFICE2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f2f968d0-df71-4dc1-8fe6-cd37d61623a4,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\FRONTDESK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4a55b6ec-fa38-4a40-a46f-37f4efd43835,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1a45c28-b893-445d-a6c0-37ba716ac14d,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92581030-8fd9-42fc-bd30-348f5e406b18,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169f242e-d4cb-4217-9bf9-9b5fed43b7a0,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1f9ac27-8a86-4a62-b978-27b29cd0f19f,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a04062d-e637-4b1f-9387-7d2c8b4c3908,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae92ba50-f8bc-4b55-a209-949e5719d396,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18f2e5ba-dc0a-4903-a348-d503655d2ed5,"4/16/2021, 9:22:01.133 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,039fcf15-46d3-4951-8598-c365c5de13c9,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ededb10d-a4b5-4cb2-884e-24a917b1c123,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96ede54-c386-4996-afdf-afee2d19b587,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e9450be-0578-40e0-b295-4f42e141377a,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2952982-cad8-46d4-b07a-28e933cee522,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5802d83d-de5d-4ab3-aa93-8c01253024f7,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b5ca34-598e-4f88-b8d1-3e53ae9acb33,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26423ff5-14fd-4520-b186-0cdcb7fd00e1,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4049e1-d712-43ae-9268-6986fdf80a31,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b397ba4-f04e-43d2-9adb-be153d3d4d3a,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6539efaa-e09b-4b26-950b-e0a2a3611839,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cb158c-0029-4351-87ac-f589a56f95af,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a468edbe-9cdf-4f20-a20f-860718382d26,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,569ee4cc-8328-4bff-bfbb-577030a9de0d,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed31b3d9-189a-46cb-8697-7f5d87ca2fbd,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,345c7ccc-2f05-4f31-9358-0888a81f785d,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7f4a6f5-fbb8-43f1-afe6-abc6244d93ce,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb0b61c6-ff87-4c31-a8d3-3107648b4464,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa68e64-bab9-43f2-a24e-1508e610f116,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,263f83dc-c38a-460a-a783-f8e22bab1651,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12fbb6e8-3585-49ec-b428-be1ed2945c4d,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\BRUCE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3fc538e-1423-4354-90c9-f940a3a426b9,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77cc2cad-d45d-4707-bf1e-e2e18e57c4ee,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fba7da1c-43d4-4cef-ae47-20e626db079f,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03f0ff70-3e78-4185-9687-cd28edd55638,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd841ec-b268-4b6f-ad7f-91f0dc3f2f61,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d07c3b-e68b-4a7a-b680-9c881e99e36e,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c74612b4-8422-4032-8439-e67dc0ebda6a,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff74e5cf-1da6-4173-abcf-78d73754ea1b,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593a6563-1a63-46ab-a4a3-cece7aee1cb1,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c548185-eb93-4499-b87d-58eccb686b08,"4/16/2021, 9:22:23.131 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ffc43ca-0980-4545-90e2-7a27e16ab17a,"4/16/2021, 9:22:23.131 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a407ff-c9bc-4016-a4bb-8684725601e6,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b97b9450-807a-414e-ac27-3ad03dbd7330,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9192 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c683d7bc-b785-44a7-a0be-cd82a409ebef,"4/16/2021, 9:22:23.131 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7848 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,664fa8e1-4e8d-4504-978b-efa3372dfe7e,"4/16/2021, 9:22:23.131 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,923f7f4b-1825-4dfa-9e91-3e4ea0a46e23,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe15e0ab-cb11-4513-b3dc-410b1be80eca,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a4754a0-ba10-46a5-bc2d-adb25a7d8425,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dce0b929-788f-49e6-aa8b-407093a4db41,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb310f29-d895-47f7-a230-8a76e29d968c,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04c7fc24-9795-4b5d-9ac1-dd04b2112fa4,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\TERM1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e33a68e6-41ec-47f2-90d4-65b2e4b5ff4b,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 2724 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c44813d1-deac-45a5-963d-3f6c628f1b8f,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ecd02251-21d3-46e7-ad89-a4b2d2b59621,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8576 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,475caa4f-0391-4127-b0a4-71dcd5c1617e,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9804 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows 
Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a47e3f8a-3303-4c69-b381-4244b50e81bf,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,026fa2ae-57ac-4e94-a1a2-7c4b88705e31,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b85a8c39-160f-4d4b-b77f-d9922a42661e,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,915eb04e-3471-4910-a3ee-d38d510a984f,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4728 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 356D1FC495BBA123EE99EEB2389FB641779AC8E789C2883AC16F26376B3D8081 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.18362.1379 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ce4a7d6-b5cb-466b-96ae-437c78da22a0,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9840 + 22 + 
%SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,16f9b972-3e1d-4ebe-bed4-2e7606ed3317,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,243ebfc7-c6cb-4932-a343-7d4588cebbfa,"4/16/2021, 9:22:52.673 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,7a424437-b396-4c1f-a50f-11d4e74ba663,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,5938d3bd-5c31-4e2e-85a1-1d4a3209e9d4,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab6ba0fb-6f3f-4387-a45f-af11b8f8c7e8,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,8d3be484-f368-4e7a-afcc-a796b2a0f62a,"4/16/2021, 9:22:52.673 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + 
CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,509379b2-e1bb-4e96-9840-f17e1e260dd8,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,50f2bf59-75f3-49d8-b4c4-b3a4baf84cae,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,78760e31-4954-47c7-aee4-bdc107ebd650,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5092 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c156eca8-b090-4548-ba7f-5fda478d4db2,"4/16/2021, 9:22:52.673 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d56c309-51b1-41a6-b7c5-26b1be979301,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1c45cae-3286-422d-a95f-7430f9b722b5,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f839e4b-32ef-4778-ae67-816180d3ecc3,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b295e63-c3f8-49dc-8032-38395d1c0e2b,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,357c7135-1e69-44ad-9a92-a8dd90a9dc2b,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13c2085d-386f-4a36-a4a4-6c77449389fb,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf86e7c-5ffd-45dd-9b8f-8f1f39e98497,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee8944c5-0f48-4f11-9fde-fb3e72b3571d,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16a22fb9-a497-491a-9acb-1fd6fa9b75ee,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0af5709-d656-4795-9fe3-f53517f00f16,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73fc2bbb-05ed-48d5-baae-66ed5216562f,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b531903-2c07-4b4f-97b1-4790cab47414,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80649403-7453-4cff-a015-cedd81c0748a,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d4d043c-314a-4201-b255-796b05815add,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29d6a96a-bd46-4560-9c2c-345fa721a5f7,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec1b29b4-8d6f-43aa-ac56-393ecd9b14ce,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7db56f0f-b20c-447c-bc51-b310c9f1e641,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ce2a541-6fe0-4960-abc6-93afa970b254,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ab58257-7179-4c3a-ace3-e411191f7f63,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fb8ac0-a650-42e4-99fe-3a842dc8c69c,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67adc43f-0a04-4d77-b48b-660d242209c3,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,333b4996-c97c-4b67-ba83-9e01769f99f7,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c66b8a12-40f2-4355-b259-f83c7f4d826d,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e270493-ef79-41fe-a55c-5e0ac3e5d95c,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d42011a-26ca-43ba-88cc-b19fed6d8482,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcebbeb8-c818-49f1-9c31-8c26e864f617,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dcd378b-1e79-4bbc-81ff-b1df6f64b7ed,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54e71dba-9fac-4c2e-b835-8d93972a5b5c,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e523178-fefc-4680-b942-71bd2d2dc126,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d48a8d1-2d0f-4d9a-a96f-79d401578e45,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03de0732-d2ca-4312-9568-844485d0510a,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51b66f32-6493-4055-adc0-d5ff78765279,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0b29932-2f6b-42a3-a5fd-057dad338588,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81fcbb99-5897-409d-9093-fcabc949cd63,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d224816c-7501-4ac6-b789-f708b4029c17,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df0ea0c4-68f6-4b81-b921-fbfbbcb9b8db,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67321693-f012-4bd4-b9a9-95785daa7218,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0f748ea-6f63-472d-902f-57f1924b9657,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d915e93-544c-48dc-9105-0c435ca9e87c,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77349a24-3256-422a-a7fc-734d4d933c3b,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb4047ee-c1bf-426f-a3b7-780d73b17498,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,119bc711-5f19-4700-83bd-ab5c7bc3526f,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dddba1b-b6b3-492f-ad9c-58b5d02537c3,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3c9b788-7bd0-455f-b729-d5685cb227f1,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdfac72d-b935-4a3b-9f8e-9f3048652fd8,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba822e0-a981-435c-abd2-8c7b84bed793,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47744e75-d558-4599-947c-c195a22086fc,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b53702b-1a1b-4fc8-a33b-7c8c8595d255,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4946c3-3faa-4d46-a72a-0eca042cb091,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2453673-8991-47a2-aa8f-be84560463d0,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9212a9db-16b3-4d64-9efc-ec94cbb2f3ad,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,825af085-840f-43c6-ad25-890fa0cc2601,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c7ee6f7-1aa4-4b51-96dc-f3a43bc53843,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8605b6a4-3d7e-4caf-8561-6367b394b4ac,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,037901c8-cedc-40ce-be1f-d2ff76abc567,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edc4e565-126a-4475-bb8a-f08bd5d1cf36,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d1c6d1d-4618-49d8-b9a9-02725b2e9092,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c4cba87-ec3c-4057-9956-0713a65764f6,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfb7a908-f738-4833-b5bb-4e550c65f537,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5384c2a5-c891-42ad-bd22-2a5132a7aa72,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f73523f-fd37-4d92-8096-6ef7bac4e482,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01d9b461-740b-4496-af31-c6cb93f0b018,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,583cbd7c-0713-4c0b-b07e-d7e1ffcb761b,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2547f9b-8b77-4f28-b21a-2fba360df145,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2842c1c0-1bfd-4ab2-b63d-eb13180d5217,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82c07504-bc9b-48f3-9854-22f1ed5c25af,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2087e94-78b2-4619-9000-6dcf0b91122a,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e36b82d-7301-40db-8dab-d49a435757ae,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89f24d17-b6bb-4700-98ab-38c8370c5638,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cdc398a-7622-443d-a06b-9aa8ed2069db,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54d40441-5aaa-4764-a34a-dab6c046523c,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d15a0444-5fb5-49a7-b848-e035fcf2fd3d,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2dfcb34-0a51-4470-9e21-55a3801d9440,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22d13d6d-77fb-4534-b352-39843f59f4a0,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75c4c39e-a24d-49a9-93d9-5425110efdeb,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2c53a5-1402-444c-bcb4-b7ddf1e26291,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3960a70f-a538-4691-bb97-82c1d809a1b9,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffa8f252-be0c-42c6-b6cb-a3d533f7de87,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e47d3a43-6274-4b06-987a-ecbf68e391be,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b2d354-16de-4a19-9f54-7b335a13aad0,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c92cbaef-e66a-444b-8f0a-4a2a700266bf,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87b189de-d211-4b50-9240-660a77691bdd,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f61afc-1684-49c2-9d45-b55e0cd50bc1,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e63870d9-e9a5-4948-a2c7-1c7837217de9,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54a8d9f0-8c4b-4136-9612-9091860524f1,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a654fd4-9cb8-456a-94ab-46f52ddacab2,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c53334-4b04-4c2d-afb6-056aae22fadd,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0f4505f-708b-496e-be25-07eadeb775c6,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88fd2acb-c38c-48fe-ba4b-0be4c474402c,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84146b4b-d8b4-402b-b9e2-71b928ab2eeb,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c40fd72-8cd1-47e2-9696-0adb89159034,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74357564-8c34-4eba-9831-fbc96341489a,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,78f76d15-ef92-434c-8018-5c8b239e5a39,"4/16/2021, 9:26:09.894 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,da18c5c9-5373-4706-adb4-614f5b67542e,"4/16/2021, 9:26:09.894 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3f46a708-afda-4507-bb13-936326521202,"4/16/2021, 9:26:09.894 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6224 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b23c5195-e001-4523-85f3-ea636067464f,"4/16/2021, 9:26:09.894 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b8e71ae8-ae80-4d99-b61e-baa9c5735c38,"4/16/2021, 9:26:09.894 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6300 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7a9117ac-3cc5-4fc4-9396-ec1bf5437780,"4/16/2021, 9:26:09.894 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05287a9f-ba85-4d7a-a18b-9b57e9599c79,"4/16/2021, 9:26:09.894 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,1db0cec7-97e1-474d-9aba-22627060ea39,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,173691c9-7c6b-4708-9e9b-a3d410f2da5c,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6992 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5952f720-93a9-4aa6-b65a-e42efb1ae6f6,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f2a4919a-3b83-4cee-bfe6-df3136d2ee01,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,46d217c8-56a4-4632-aeec-4c498c80a97e,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ce3953c2-b4aa-42db-8e36-8783e0e0953b,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8584 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a19fe783-2f82-4c53-8055-762176768026,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,04088165-dfd1-4af9-a8f0-94c3a7d121ff,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6540 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 
+ 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5d4159aa-84cb-4e93-97df-34946aa230d1,"4/16/2021, 9:26:26.633 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ff7106b-4092-4d74-930b-b352b7a657a6,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57dae51d-6365-46a4-a475-174f9401deaa,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2b7b567-bf90-4589-91d0-2dd74faf51cb,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1054c534-f171-4505-8d70-5064b3d9afa0,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\SOPORTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e49faec-a683-4d43-968f-89a044a81219,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2f68387-5da4-404d-99d6-b48cf2deea2d,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df458b24-7b30-41e4-95b9-bba76a9b0e1b,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1024b962-ec72-4d4b-8756-a899693ad635,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\HELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8405d887-3444-490d-bc2e-ad2eeb85b1a0,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f621c0c3-e053-4f92-84c2-c3b902f80681,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f62e0da4-4030-4e10-a98c-e966ef12630b,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b75f5a6-c90c-454c-8d00-62ebd58a2875,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ccfafd5-8312-404d-917b-3f6898ea450e,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea782d9-25a8-4394-b3ce-ccf954ab8cd9,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8a6cd95-c019-4aef-b2d6-932e7c10774d,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbca7b0f-a7c7-4319-a7dd-77397bac3926,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, 
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6a347db-2614-47be-a8a6-d8130ec5eeda,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e646e5c4-f444-4355-9c30-9f1ec1da67c7,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9072039-5134-493d-99cb-523549a97142,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32108f24-50d8-45f8-ace6-aaf50619a9ca,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,43d95f3a-f96d-4910-a4ee-2c8dbd817570,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eef451f6-e113-4d25-a041-c30921f1ba6a,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ff6374-4eb2-48b8-a59d-7ee3dad3a02c,"4/16/2021, 9:26:54.747 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f597da8b-6c9e-4fe1-9be1-8698dfae55da,"4/16/2021, 
9:27:03.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10592 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,44ae3174-72a3-4d34-92b0-eed899b50ccf,"4/16/2021, 9:27:03.630 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,e2e41114-c24d-41a3-90a4-b128b369be65,"4/16/2021, 9:27:03.630 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,162c7ea9-14cc-474a-8739-629e8ed2dc23,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22166d7b-cc0c-45f5-927e-03753b2c0a04,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fc687e8-c777-4773-b41e-6652c7b6af47,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2062b5a1-f3ae-43dd-b82a-9a57d191380b,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46bf3a2f-9623-478c-a1c7-f42e2b67638e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e3647b-ab19-4550-946f-a8983c0d361e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f61f230f-ee1c-492b-8528-44aa8082f98e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b858da8-6f0e-48b0-b7bf-0422ad0c31b2,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdb54570-0001-464e-b428-7a6f15912876,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe42f8e5-f00d-4c4f-905b-2b61ff681ca5,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539c53ff-b405-4396-870d-3ccc9cd143fb,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b8d03a-dc0b-42b7-9810-6f08aa92f7ba,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5ca89f2-6b82-4d17-bfd9-69790022a738,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70814887-aac2-43ad-a604-b472275eac49,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24fb7df3-62f3-450b-ae3f-4cb6bdf908d4,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5c3502b-a692-4b63-8a81-9a074fad7847,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87e533b1-e77c-4fc2-a67d-8ee3704c1995,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3152da-663e-458d-8923-c0f9799eb107,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b9b64b-ad83-4654-bb53-76c8657335cf,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,084bf5e8-d3b5-4cce-93e9-1480f858b7d5,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,351c4416-219a-4669-8a36-3fa1d98caa1e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37bd66ab-c03e-411f-adca-a01bc859c222,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dce0686-fde6-4fa6-8640-7d38fcec0916,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b2841a2-4eb4-459c-abfe-895e9052fff6,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f53bf8-021d-4b40-b465-442e37efa8e1,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,681acee0-5de0-40dc-aa48-a1f34569cae8,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b873756-7d33-4de1-8788-91735d30be91,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e05b5a8-2436-40eb-883d-4dcd4c1def74,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SOC-FW-RDP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-17T04:56:53Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> 
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 2251799813697315 + 1212 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a62b0ac-271f-4e20-8ed5-815f3d770457,"4/16/2021, 9:27:57.222 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3df92de-1bf1-4f33-84fa-e9fbb7090674,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb047fb-0bb7-4b41-97b3-674e8c47d82b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1726da4-9f2a-41cd-b171-9ca1eaffc60e,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ec9d26a-1b7d-4df6-8567-5c4d20e33338,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c74b5043-dfd1-4de6-a693-984939bac713,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5964ae-8457-4ab5-893f-34d95a76a9c3,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3762ed85-bf2c-40d2-8f38-f3970abf769f,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,857f5062-85bd-4df9-8f05-aa4b06d2834b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,801b4084-7261-459f-bbf7-3bd1136757b3,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4b2f8eb-a1be-462f-a7fb-678389d8452b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8226d139-799f-4b8d-b763-46fe911cc569,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41c6095a-234f-4126-b188-782298928d9d,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8df7c93-4484-4eb4-8579-5c4822aa5227,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ff1795e-fdd3-46d5-9371-83a92471dbc9,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd141461-3bac-4a05-98f9-191e7b2148d0,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd99a1a-a51f-4b12-b36a-da1e1c99ce0b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e11f1f98-e288-449d-81e1-e8064c947350,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f90a8b0c-e468-4e62-bac8-ddbd137959d2,"4/16/2021, 9:28:05.637 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7584 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,db532b68-c9ac-4345-b3e7-dcc3264be934,"4/16/2021, 9:28:05.637 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,837b2a8c-e659-4f7d-8f95-867cd2182e00,"4/16/2021, 9:28:05.637 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed113615-fe5f-4b34-bd75-5d463334970d,"4/16/2021, 9:28:05.637 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9048 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,24b980ff-e36a-44f7-a5a3-766669f8b890,"4/16/2021, 9:28:05.637 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,843497fa-3400-4a62-8240-578adb2c256f,"4/16/2021, 9:28:09.910 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5b83f05d-2cea-41bc-9b69-6d473e6cef0e,"4/16/2021, 9:28:09.910 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f22df49f-313d-4385-bc23-bfb958ae4a2e,"4/16/2021, 9:28:09.910 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4192 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,38af5b36-2599-46d4-bf97-a2ba235e017d,"4/16/2021, 9:28:09.910 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3024 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + 
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d7d6a52-1b2e-4199-94d8-3e0c3f2eadff,"4/16/2021, 9:28:09.910 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b3eca402-c9bc-4cd7-a8aa-f48571822f0f,"4/16/2021, 9:28:09.910 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a435f293-d944-47c0-86d1-40c08e92e070,"4/16/2021, 9:28:09.910 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,076ee4d7-a838-4d0f-b868-cf217c8cbdd1,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e5249190-a680-4274-8c8b-939ffa70c89c,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fb92fb06-b740-4431-a5f4-dd0db5dd99c3,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation 
was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a940f381-a0f4-49a5-8dbf-83e40f613211,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e7995c91-4f9f-4b0e-a89f-78eb769c678f,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cd7ccd91-c7a1-4492-a2f3-87f2145f0cad,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,14c3027a-478d-4513-90b1-fa92b890c4d7,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e29de3c6-c85f-4019-af28-2fba82d5ba3c,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,86bfaa6a-a6b8-486f-b547-012a2c4fa138,"4/16/2021, 9:28:09.910 
AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05a5f19b-5581-48b9-ae62-b8820c2374fd,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b1b7b699-83b3-4292-bacf-ce0934dc45cb,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a7bc3eca-8cb4-489b-a2ea-70603754b81c,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,addcb2ca-5f58-46db-b686-5a64e971afff,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,28546f40-2c54-43a5-94f0-9b4b025ce5bd,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of 
{__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c356e18-a0f0-49f2-bc8a-f4616171cb47,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f061f1d4-173b-4be5-9043-25a6573115da,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,76a4435a-2747-4a21-958d-18dd6984e281,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b4e3a42c-b8b2-49dc-8e4c-56eb6b91009d,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b7f81f8a-785b-484e-b521-4219f3328d1b,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cf7b4659-43c9-48c4-aa1b-f43798a63ee7,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,969d5df0-2a87-4119-8149-fdd61589b0ba,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f49d5a30-56e3-47ca-be9b-580634f5cf3b,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c49824a8-c448-4583-a410-5a5e241d0e71,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,97fc5b47-f867-4eb9-8b2b-bbad8e418c81,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1748 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5972366-f86a-468a-a568-647db1b07ecd,"4/16/2021, 9:28:52.728 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6dcd6c3e-5afc-43a7-b9e4-a198a843fa6a,"4/16/2021, 9:28:52.728 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b58945a9-1607-41bc-85b8-dbdebd344d48,"4/16/2021, 9:28:52.728 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b426d02e-6ef7-4d44-b8a3-81e5cf4c0bcd,"4/16/2021, 9:28:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d24e1e08-e516-4d52-bb31-bb154ca319c5,"4/16/2021, 9:28:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,03ee0109-56cf-4ebc-8094-09704a7927e3,"4/16/2021, 9:28:52.728 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a111102-3158-4f4d-9aea-873afb786dbb,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e406a30a-de1c-4545-84ef-806b12ce236a,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9031ec0e-a693-4ad2-a7c6-e9670d762896,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9879ce44-ae1f-47e9-8c08-b2736fa61537,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6dbc37-e1c2-4d60-aedb-43391e7b96cc,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4378bc0-1296-409f-b504-94ac8221662d,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f353113-6fec-48d8-88c2-5cdd96444393,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea6ce0e7-a50f-4927-8c4e-e967a051d718,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e093e6c-6c15-487c-ab6b-2a02dcfa6fb4,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efc3f06f-8d7b-45a9-9db1-3c117f05f0cc,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c986897a-ecee-4051-907e-a3f2395fc680,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,942df248-26a2-4c58-b226-701fc440f086,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eaed68e-c71b-4614-870c-736352dcd007,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4996e785-d4b0-4673-a889-d3ae41e9e566,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad37610c-407a-461d-9a51-469c232adc29,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e33194d4-fbec-4954-8325-84088b9a3bc5,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8969512a-e649-43b1-83d3-e7f2ff1a54a7,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43e5e446-30b0-456a-8c22-414a18d2fe09,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169ed59d-08f2-46b8-8142-f3aeeaecb13b,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a3d06dc-53af-4c20-8906-6fa9c2fe5760,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5f60954-b093-4867-bee7-d57d9d54ea60,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdc0c2ad-9a89-40e3-b6c1-645786f33412,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2833fef1-3130-45a0-91af-2be4845a029f,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4810909-a92e-40fd-9a45-b72c8e1f3a5a,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8feb0810-a7f0-4c16-a150-f53e20ffd44c,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6130cf92-37ed-40dd-b71d-7785f1a740aa,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d6cee4c-8343-4b2d-ba67-4d94d2223ebf,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b49357b-211d-4177-84da-a6ce07f3da19,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94a02271-36bb-4a1a-98cd-8ec6da9497fb,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d602416-6209-499f-8b4b-9aaa3618da9c,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2a40bc1-ec51-47a5-8d98-ea2ee3dfbb22,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18c69645-eee4-48d7-b3ba-d1009c456994,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49fbe606-8d5a-481d-ac0b-89a6face2642,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\ALEX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,813598a0-4996-4c5c-861e-5b79b33ff0b8,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9201156e-93bf-4f13-afe3-0732d5d4bf46,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5220801-1bfb-41e0-ad63-02350371ae71,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,256b57f4-2ebf-4401-bc3b-80639d975363,"4/16/2021, 9:29:02.756 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35d2cac6-ac9b-4319-bc09-26ebadba6a8d,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55876428-5545-4323-8cf1-91d7dc0d97fa,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37ef41d8-a4ce-4148-bb37-277709237a62,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69d6d622-8110-4d24-a8b8-f5a2c785e975,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d94e3044-f36c-4ec2-9c3c-32d700a9fc07,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05a6ca5f-eb2b-4e11-ba6a-93f10e79a1a0,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c41bb349-c343-49de-9142-233cd56bf866,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdce85b3-0c1d-4047-bdc9-156c5f374e81,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\LAB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe8b6290-a5d1-44d2-a405-aab3a1b2c70e,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2667c6e1-39ea-42ea-9a80-0c7693cb5de3,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d964c823-603d-4e5d-b4e0-05af83cf6c5a,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,062ae350-f619-4103-9f66-d218c90223e0,"4/16/2021, 9:29:02.756 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,947b9709-5de8-42b8-b71e-21e5273d4e6f,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11dac9dc-5875-43c1-b2eb-ce30be13825e,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75431d0c-697a-4f83-9de8-5d44978e21ae,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c774a4-e0cf-45a5-aa8c-9b4a6cd898d6,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2789d98-1567-4819-aba1-d4ec3006b777,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07752613-7e51-48c2-927f-b35f80b42701,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72218258-59b2-4e7d-8429-f383804e52c5,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,557ce3df-3cc6-4604-a7cc-d0757a6895c7,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,64a5adcf-4968-4f34-9522-9dc42ec53f0e,"4/16/2021, 9:29:05.222 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c04eb67-9159-4619-b0f6-fda07422158c,"4/16/2021, 9:29:05.222 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a95d08bf-4f77-442a-baae-dcb296d85544,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b40a69b-c4aa-446d-9b4c-1d46b3ea58d1,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7292cfb1-84d8-4bac-aaf5-c0d03a07e459,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c87b0a76-7ec3-4825-952e-d5a0e0e3bdac,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3612 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,62588ac8-9a5c-4c4f-8e35-872117790487,"4/16/2021, 9:29:05.222 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4024 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dfc1217-cac7-4acc-8c31-ddf6d2d595c8,"4/16/2021, 9:29:05.222 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,733c1fb0-3440-4886-be10-f3e928b1bca1,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49349718-5587-4929-9b72-d5f8b94d218a,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94de271c-26cd-48ba-a309-b394baa05fef,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0993a3e2-a6d6-4a95-a5b6-d462ea358003,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945ea54e-848a-4941-b7a5-fdc3c5bf0d70,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95917fce-4773-4b50-a522-94b1207f5fc6,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df2db01d-25f7-41eb-8f25-fb720bd5e015,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\DIRECCION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d713c5d5-7ef3-4e91-aae4-09c9e1fd5774,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\CITRIX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c5ab733-75e6-4906-b53c-2171e9c0e229,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b5733e66-9c32-439b-ba12-f955f32028c4,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\SHOWROOM,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9e3a98b-c585-469d-afe3-8d4b84f4728a,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b66586f7-a16a-4e37-a6f8-59ac56d6d70b,"4/16/2021, 9:29:12.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6612 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT 
PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,20ebae6a-c598-4388-807c-62e8c56410ce,"4/16/2021, 9:29:12.409 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,021da549-b131-4c0e-8391-507089c82ce9,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\KIOSK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d524fe06-c500-443c-8466-9d0ce3443b45,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,28299ed7-bebf-4313-8130-dc9bcede0cb8,"4/16/2021, 9:29:12.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3bcc9500-6192-463d-b4fe-4d568837152f,"4/16/2021, 9:29:12.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,69bae35f-2875-49d0-af98-6ec1bab9e311,"4/16/2021, 9:29:12.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8e2eb349-25b3-413e-802c-07b8c9f6bbd2,"4/16/2021, 9:29:12.409 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5cbe2b1-f30d-43bc-b06b-8efe1358e196,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa1e9cc2-f349-4e6d-b23a-bbcc109bd3c1,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e17ff98-1f1b-4b1e-bcd8-3bd7d1b61c79,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ec72622-7478-4f50-b535-467c26fd44f3,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7034db80-7dc0-485c-8614-aba5816c7d9d,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b531697-d8ee-48f4-9999-ee063cfdd8fa,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba12d75b-2f91-46f9-add7-794d717d86d4,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7cd1ed1-ba11-44a0-94fb-a23ddc1190ef,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee7d798d-395d-40f9-9919-335603163022,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1629e18-e767-4a48-8df0-fa4407365e1c,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2173dbeb-659f-49c6-8b7a-f44aa9108d94,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46c68cfe-7327-497c-8c20-4312b4d9ef52,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18040e4-788a-46bf-aa06-3617be00b2ff,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19f60670-8268-43aa-af92-41e95bf2ed2c,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75fa9bf1-4f0a-4033-9ff7-ecab6b4686fb,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f849a571-b790-4436-b688-8751bd09cff7,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90535e2b-8d38-4aa5-b4f9-16b6903f3b35,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc02e61c-c226-4e70-8047-9f6a59fecf1f,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68646d59-993f-4734-b04a-af9c03706d11,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0caa7b9c-4ae4-4854-8db2-dfac24eaef38,"4/16/2021, 9:29:20.138 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,23241d5c-8bc8-4717-b77c-d16d6518b79b,"4/16/2021, 9:29:20.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca822e49-babc-453a-9df7-915b1db09b58,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8517da9d-0646-47c5-9e31-071baeb24a6b,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cd7bdbd-e028-4b6d-ad46-7b875aa0949b,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8536 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3000d1a-00da-4f5b-8b5f-1410001488f8,"4/16/2021, 9:29:20.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8064 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aa5a871-1eda-463c-8a40-39ffc1da8c06,"4/16/2021, 9:29:20.138 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,6c3187ff-1063-4298-b478-df8642b28043,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,aa818a70-c6b8-428a-a63a-4df2a7f801cb,"4/16/2021, 9:29:26.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3232 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac469668-c16a-4290-9dbf-7716f6b251e8,"4/16/2021, 9:29:26.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 2320 + 2021-04-14T17:41:07.027217500Z + Microsoft Software Key Storage Provider + UNKNOWN + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + 
C:\ProgramData\Microsoft\Crypto\Keys\477963e0afbda1ad94ebb8343d06ce9e_66a852df-f27e-42df-9eb2-fbca054a24b7 + %%2458 + 0x0 +",5058,5058 - Key file operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b83e43c-d0b5-411a-8c05-334d3f8a2d43,"4/16/2021, 9:29:26.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ab07766-5266-4fde-b91a-29ebd6347c3e,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 2320 + 2021-04-14T17:41:07.027217500Z + Microsoft Software Key Storage Provider + RSA + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,5e6b95d5-ca29-40c0-9079-83589ff79b08,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 2320 + 2021-04-14T17:41:07.027217500Z + Microsoft Software Key Storage Provider + RSA + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,8d33e9cf-7dd6-42af-8f65-276428e3a63c,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,82ac106e-f9ce-4e3b-852a-f39001438415,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,67f19492-8179-4b5d-800f-bc08babb51d0,"4/16/2021, 9:29:26.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11024 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b923fa36-bae9-429a-b14c-df22c3dbf9ce,"4/16/2021, 9:29:26.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,23a7d8be-30c7-4b80-a268-6f9a9804ea25,"4/16/2021, 9:29:26.636 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140c721a-0bc4-4cba-b99a-20bc8d6e0e35,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd387c82-d447-419f-92b7-78750924e46b,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee5215b1-0c54-4776-b24b-92779c91442f,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,becf07f7-9913-486c-a743-c158b03441e4,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ae94ec-a5fd-4c81-ac72-b55f22594ee8,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f61d2167-5117-437c-b405-9419ce373340,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605a9a23-12dd-4029-abe9-b517a9964d72,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eb1f4c0-9b89-45e5-9fda-20d843526d96,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bafdcd9-ca07-475c-8316-5c5c6daa0268,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac6ca76-4fcf-4510-a150-5bd2964ba994,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b40c036-ec46-4b35-aa66-bb2671b117cc,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68771f66-5f8e-4540-bf1d-bccd9e2090b4,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94869552-6023-40d6-bda8-4ea62cdbe2e2,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df162e00-23f4-4565-ac14-d1dba60953dd,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f37cbcbc-46a6-4436-82bd-bd4c7be976b6,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc77aee5-bceb-4011-ba5b-70d7c15b7590,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a747cded-fb5c-41e3-8974-256158063398,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c0e4171-a1f9-4afe-b9fa-b5dfb8506b8e,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a04d28e-f843-43a6-8a92-0866e47b2b77,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054981fa-8a38-4f6d-bdaf-fe895f8b0c89,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05811cf7-8396-4a99-a876-5f7226a6c721,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,157a897a-6909-417d-bedf-ee5ce45947bd,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5916a8f-25c5-4d25-b324-39f38a30d002,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e099dcd-c679-40c7-83e2-29da4d17bf2b,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bc3af47-6580-4391-93d1-57bc1215aa51,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 
+",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ada4919-c1c2-4103-beb3-fb98f6a50cfd,"4/16/2021, 9:29:48.404 AM",,,,,,, +\USUARIO2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a827db6-5ca1-4637-bfe2-fe33d913e039,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a41db5d-2c5d-4cf8-8c77-e6fb7a5fdaf1,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e1aa445d-f452-4f6b-a1ca-484fcae22138,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\ANDRE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d34eb39-8ff8-40c0-aa7f-95c07d86d079,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\JSMITH,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e3639b5-946f-4fa2-ab81-3cb839fea61a,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ed72a92-ba67-49c5-87ad-a002450dd598,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6edb94a-daee-480c-99c0-fc5f6ceb3cfb,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH 
Contains ""*"")) + S-1-5-18 + 212 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,795f9749-14ac-4c7d-9c43-e05ea6b61b2b,"4/16/2021, 9:29:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a0943ca6-0424-4fd1-a9b5-888a3c230297,"4/16/2021, 9:29:57.007 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e830dfef-4e8f-4164-ad50-780ef49c5795,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,023677ed-a4f3-4937-93c3-790ccf4d8c7d,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d5422db-0010-4539-b08b-5cc42141471b,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cf88a68-8f5a-41d7-8f60-bcfa87bd2f93,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f3c2cc6-22d6-4f6e-ba79-750de920f19b,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\BOARDROOM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47e5c0c9-f0c0-47ab-8cba-c4929f1ffea4,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69c629b9-e62a-420e-80e8-ca4c71a1f498,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d22810c0-4489-4379-b436-63aadde1dd46,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bc01409-a44d-475a-ac92-3a0b60352f8d,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4a87f4a-dedc-409d-811b-9ad94ca28a18,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34ab5bfa-1fc0-41fd-9bb9-a643a8461163,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f058853f-453f-4592-a455-7913fcb65f9e,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\TERM1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f39a7ad-1858-4412-909d-514f48c3b76c,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,214312f0-fede-4151-a9be-91c19c693f97,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,930f2366-11e7-4be9-9e4c-784746b96144,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba990554-bc41-4661-a0e8-8419b52f2809,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c47f14b3-b257-49ed-8b18-720108227c9d,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd94ccc4-ace5-4770-a4b3-e09a7642397c,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5b1c1b7-6561-4e61-ba4d-104d05afa0c8,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e624092e-6e3e-4272-85d2-59b5b3de2690,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, 
+\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c07e3875-9d90-46d2-b6d5-742d65ec3245,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa734714-76c7-436d-8d66-3a0acb2e3c1f,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13187d52-f60e-4028-ae2f-b44bafe732c6,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a55751fe-f811-4354-937f-f3b82453b6db,"4/16/2021, 9:30:45.877 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cea8fd8-a92b-4f96-abbc-f00dbd7f4820,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e5ac20f-a01a-4440-92e6-7989ac2bc78b,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ebaf11a-6c9d-4d59-846f-379588335ea1,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90c14060-ef03-4e05-8885-820c3c090bf6,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1dd3560-7957-4d7b-9bfa-032cfa71aad3,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5e15bfa-8300-4f9a-a71a-64e44089a8c6,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69f1f65d-0efe-4c93-8015-34ef0a9be11a,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97969b7a-4456-444b-9d73-b51a84699d92,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdb55d86-2091-4656-a119-972e61a57273,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1e261d-1e5f-48e0-9e9f-618afbd82c53,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ac9c11-7d5a-42bb-9e15-c3b2d5ed2d5c,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a16a0a6-6fb9-4335-bb20-4c5850811f2f,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0653fbce-7537-46c3-af35-e0b77c937c4e,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19421ef7-009c-44fd-85e1-102ecbf2825d,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c546a26-c03c-4850-9287-c1f3bc910e84,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5fed9c-8fd4-41af-90fb-b87239785166,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24033ab6-ee8f-40a5-a1f4-de4d8c4dccff,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\MANAGER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f35df4-ef0a-429f-b01a-e442576d79e6,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1138b44a-fb98-495a-a912-71f43625dcab,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bb44cdc-2745-43c1-9928-f42a488538b5,"4/16/2021, 9:30:49.135 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a46beb4d-b2fd-4a55-a9e1-43f50e9bb9e4,"4/16/2021, 9:30:49.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,991a4405-ef5f-4ea2-a88a-2b617bac4d01,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ABCD,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ddcaad-a66d-4f20-8114-57cadc5778d1,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf80e872-5e40-4fd5-ab44-9175eb3b9440,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90e70a15-482a-431e-9492-66ef587cb783,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1bdf264-04d8-44fe-9d8c-ab4b72746aa3,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62cdbd95-543a-401c-9d4d-fc11b106c34d,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd1b17a1-d8ff-4255-836b-2ade547aaf7a,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29ce41a8-1aa1-4877-ab21-02d1f9283e14,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d923a5c-3935-4d60-ab99-c79d170d8224,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45e815c5-17bd-4341-a4b9-70e47ccd84ff,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62481135-42c9-4e73-a274-3c0f7c374dca,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,036f5193-1c1f-4523-9e5b-4f9c5c1e4dda,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42ed14d2-497b-4351-81f8-1e811916d8da,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1512406-f2b5-42c8-aea7-e5ae093d0d44,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fc3f782-18f6-4b78-b4f6-4544a83dac8c,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98efb93a-c027-4151-b416-6f4a236e41d2,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39835a87-da77-41ef-b45b-f704adcdf4b9,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,203bd720-53e1-4a2d-a350-d1ed7fcf9c4b,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64e58d03-67ad-4603-9a29-60a67136979a,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b6faa1-f7b3-4e03-b23b-940df30a458c,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cbf4a4d-eb20-4883-9d36-d8b623b6fecf,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38eed3e1-4fb9-49e5-a7ff-ce0b7b8b28ab,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a2dd16-779a-4b86-bd29-815b6e66dc21,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,984777a6-ed37-4733-8c4b-826b4e58df06,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e574d09b-cf37-4f6c-9f65-ea2f5d5f79a4,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f35f5ee-5151-4e1b-af24-ecf797d79599,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d132cd50-6160-4ed9-a8a0-dbee791d581f,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54623eca-9045-4b55-a700-8367b514730a,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\WAHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14846a8-0b1a-4dea-9e80-ecd9db927f11,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a40415-2b58-4a6b-802c-16a0858e7fca,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17485717-7850-4d58-a45c-1d50eaf3db23,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b4e3f1a-436b-4f8b-a796-c4d84d1a9a72,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b7ec689-95b4-4d32-9968-210544757efe,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77cd05a4-a958-4ad2-86b7-96b8530a0b2b,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4166e1e1-f9d0-4cbb-88b1-f071718ce995,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a89baab6-f092-48da-9e67-38d628f2b7f9,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80aae32e-9972-4f82-bea9-a92b5d5d7fc0,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4992f7a3-3f81-4405-8934-4c50e254407d,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b45fa271-3ada-4943-8e06-f7bacbd83635,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d5edbc5-8651-4fe0-9e86-47de7ec80a20,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e81e2e44-7590-4186-86dc-80774897826e,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8e26f7-9269-4cc0-a705-93eb709efd03,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aec01094-fc37-4fab-98b0-1aa37a53246a,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e41662d4-1ae4-4ba7-b412-501259330446,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a47a12-490d-4c04-a031-27a11752167b,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d3318f6-158f-4382-9a57-6934e7add84c,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9266fcb1-4d66-4b87-b487-6f81232f24ba,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9518d5fa-0dea-4dde-a93c-1c59ff1b4d3e,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde09455-fc8c-4395-9d64-7984504642ba,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15cfd2b2-7658-4864-9213-95def3a4b893,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb713724-45ce-4504-bb55-4326a76064f5,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d75a4ccb-d997-4ba0-8bd5-4d48e410d505,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33665106-51d6-466d-8e92-4d16e37c98e6,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5308f533-7da9-47ce-89b1-5ab671178271,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26254252-61a3-4694-8931-56a555b7c25b,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a5719d0-322d-4183-9de0-5ca2105d2369,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c411e7da-278f-41ff-a96b-f29f2b3ba13a,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,530f4b63-6e75-4130-a43a-4ef7dae901ed,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3a6522f-f641-4ea3-8851-10fb1a20df40,"4/16/2021, 9:31:53.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4412 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,026afbb2-8e1b-4e79-9f7e-1ae8cf87de1c,"4/16/2021, 9:31:53.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6196 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb6b986-5063-4cd9-827c-8e46089f5522,"4/16/2021, 9:31:53.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97860ac3-1c98-4352-9833-02dbda639a43,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,311d90d7-7a3b-4638-8c7f-0040a547ef22,"4/16/2021, 9:31:53.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82c9af40-fe66-47f4-a1e7-96c733a989f2,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42e3352-5f9b-4fae-afe6-45f4f4515f86,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3a5bb1-e8f4-472a-947c-e15609b6c8b2,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db7df872-91b2-4abc-a5b5-fc6440de3b90,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,278e488f-e533-4534-bab8-9e6572450ed3,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57f912e2-27ab-4cf5-aa3d-7d007a1c119f,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,953c2af3-4505-47e9-a078-1a1d59b0fa00,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18f9037-151d-4b7f-842c-c1b41b10b1db,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5eb386-11e5-4ff0-ab20-1f16b968e728,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0337062-5df3-4707-a3ac-a8a0dd922d84,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bc1114c-365b-4102-a1b5-f39e81496625,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd7f434-b52d-4052-aead-ec6ef047822f,"4/16/2021, 
9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3c4130-fcd0-43a1-b5f5-03483f3c6f35,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a78811e-7a50-4363-a145-2a415b7a4c64,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58a5d231-7a47-4a6e-8941-7270730648d9,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bafc759f-d97e-475d-92bb-a61cddec132d,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a880c39c-6a57-4b89-a030-13721ea4efc3,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e02c296-8f29-4354-9289-9a1cb272aa7c,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2db3935a-313e-43ef-b4ec-9e2825ffd035,"4/16/2021, 9:32:11.646 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 10244 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1154c1c6-dfdf-4c9f-8446-b51b0ec417b7,"4/16/2021, 9:32:11.646 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c88b4d2c-dcca-472f-a8d7-344d126341e1,"4/16/2021, 9:32:11.646 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32bfee51-5013-48e4-88dd-0512d5c061e3,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f258ba96-e8bd-4918-b9cd-f88d3837ff9d,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e309fe06-b5a9-408c-8d27-a40eac97e744,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8b91a0b-6638-4a49-bbae-d34a52ad75a4,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,651100ba-f562-44ed-8933-100d613b1efe,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb3afcf-a776-4e51-8a97-3db7ebeab10b,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af0f959e-9a5a-4e1a-8183-520be2589a79,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,989e9466-4a5c-4842-8876-2b76a8557987,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efde936a-d647-422f-811b-0ac549ed3d4a,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa9ff4d1-c852-4761-b844-3cb0408bedc8,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,499db3f9-eb1a-4e7d-8b53-25b2e9c39924,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb4d25b-595c-47a5-aa39-d1724d2b7f6d,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f39c227-38ff-4bd0-9039-8669643ba38d,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b7e43c-7e42-4f66-804f-3e644a53b671,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d85b5b19-d37e-40c2-b025-3235f62fa65e,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff63472c-7509-40ce-b732-67b3a19fc2dc,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fca88ac-9764-4ee4-8bf1-5d6510c18a89,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df9822a9-cf70-4f4c-beb5-8bc5e2f59fb0,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f433d6f-f76e-49d9-9ff1-6d33fd24bcea,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12d5fae9-a23c-48f3-ac1a-fb2afbdcb5de,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aad8c414-4a7e-4ee2-929a-2f67edaa0611,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5e8d040-0a6e-4b61-89d8-c8b915276cd5,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,604d1d25-3715-41bb-b361-ff205835bb09,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ead10197-3de3-4c00-be96-a8aed84c1ef9,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3124d8e8-d248-49ab-a9a5-eb446fdebe08,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1620936b-6dbc-4961-9a54-f4efad7a39cc,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\NOMAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3745dece-ef0e-476f-a536-9c81a39ae6a3,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22e36417-86c5-46ee-8e37-67b02437302e,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebd798a5-15bc-47c6-b574-41ec61c12f6e,"4/16/2021, 9:33:17.798 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cef76f5e-68f7-44e2-a5be-e4cf6735e4c9,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8fc153c-cc01-4d61-845d-cd428d00d560,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2e29257-0514-4402-9eeb-7468fb4a4638,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,231a5b1d-e327-4be5-84c8-fb5442349b68,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dfc4612-f9f4-4335-988f-9eee424d2f59,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3850b4e-2cdc-4bb2-8c04-8a19c9380c87,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdbb9bf-bdc2-499a-82bb-6e21696283a4,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7252f06-7eb7-4c39-bb28-a956d3db8a0e,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc86bf93-d3bd-4096-a328-9144241a0aed,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a5e3217-18ec-4d09-bbbb-799d708c9021,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02dcff5d-1187-48a6-b068-1849148720bc,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f81e058-5268-4a4e-8313-edec5d859e75,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa2dbcbf-3251-4352-9031-64170aaf0dad,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\MEETING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3e67391-1e2c-483f-8a48-6706d74a9de5,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d04c804-54cb-4552-805b-3fe4c94f0c91,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bee0222f-fadf-439a-af50-cfc267e9d9cc,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8abbea2e-d6f0-458d-bde6-e50cb8ae8ae9,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e52ee363-c838-420c-8ce5-185b78082354,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74e4a726-0f93-48d5-8bbf-d8702e981451,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ef61a4c-b27b-472a-bf5a-da951938a026,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e199a81-aec4-43fd-b208-1f2ae36358c0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db4071be-05f9-4bc3-934a-508c22a299b6,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d646ab4-7d54-40d9-8269-1760aa5c8e56,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4347edf7-094a-40a6-bfcd-b25a6c221ad8,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2298e6f8-e109-4161-9c9c-60e5011e376c,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3734f22-8222-49b4-8aa5-352f8121bdf0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\PILAR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,beaf305f-8dbb-42be-b056-0880a804b217,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,736b4288-8ef0-4c03-a90d-2f633c1a8a56,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69d8b673-8a3e-4bcf-b28f-e2cf44197ab0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f35f151d-9575-40d5-a0a9-6fcf7d6a1540,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da6071e1-1d4b-4f13-a7cd-943ffd36cd8f,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\TONY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17cc4e10-f628-4e88-932c-94e09b12ca5d,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dfbf42f-85f7-4deb-8137-783b0a5e1801,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f053c3c9-0b6d-4b9d-9b23-e3e889900c04,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c34710bf-0beb-495e-87ab-00d75c70805b,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b5bbbd3-a31a-4f8e-803c-def3640baef0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc46825f-6597-402a-915b-d3e822a2f30b,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,441e0f5d-b836-49d2-b634-07e74e0b1a57,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7c5744c-9b96-416e-867c-5c97be918255,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2339a6b-83c0-4050-b4ac-94c19b441d37,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,413df73d-991a-4798-a0a6-94eb1ca6c1ab,"4/16/2021, 
9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98259ef8-513a-48d7-89ce-b74149f967a4,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,79d01385-8e5f-46f8-9078-aebce37e5a16,"4/16/2021, 9:10:09.954 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a50207d5-4d10-42ec-ab3a-ca514042917a,"4/16/2021, 9:10:09.954 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,da8d1f00-501b-4b99-aa39-a903496a1250,"4/16/2021, 9:10:09.954 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d0e1ce04-b23c-4a6e-856e-128260cfcf31,"4/16/2021, 9:10:09.954 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f3964bed-4c1b-4a07-b104-341a4a48cc14,"4/16/2021, 9:10:09.954 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2036 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cc284b3c-9061-4ef6-a541-638c7d1f30d0,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11740 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,260de810-e796-41a1-9965-8bd3e7333ace,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10900 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d4a971dd-05df-486d-a532-753ad17c36cc,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3532 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7fc75a5f-e634-44d3-ad75-c70b8cd18e08,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,33e1fdbc-e639-4e99-a2a5-d9f4aaba19ae,"4/16/2021, 9:10:41.991 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,b13f2ba0-6a81-4777-975c-01ffdc80ec13,"4/16/2021, 9:11:45.931 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b498e1d-029d-4c60-83c3-587c062853d3,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8033416d-b9ae-4c7f-913c-2b9d1a414c46,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5233a0cb-45e4-4999-be75-7baae13c25b0,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5822ec-e011-4307-8aba-5f191ea8e51e,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ec9a37-ef87-4a64-8b6b-063ed452ae75,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,41502da5-21b7-48ec-81c9-baeea8d7d669,79e77747-65e0-4e98-a0ff-aa718b8c281c,"4/16/2021, 9:12:00.151 AM",,,,,,0xaa0, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af02a9d9-109c-447f-a083-93a9b0c7355d,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fea9cd29-6afa-45fe-ba75-2f8da077f3ca,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a01a2c63-f6ad-4175-a28b-c6c5c18b1436,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1699544-2a2c-4bf7-9602-a1ccf05ab8c1,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b560961b-693c-463f-99fc-9d2afaeaa393,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eab52d85-6f40-499e-a94d-e8f6db957740,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,41502da5-21b7-48ec-81c9-baeea8d7d669,86ae6919-1720-4d45-bde7-9666f1375371,"4/16/2021, 9:12:00.151 AM",,,,,,0xaa0, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,e67f14fd-24bf-434b-a9ab-70bf158268d7,"4/16/2021, 9:12:00.151 AM",,,,,,0xaa0, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-503 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,295dcf0a-8623-4de1-8dda-5994871e0f06,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-501 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a7ab2d2-fedc-43b0-a00e-78f9462deb74,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ 
+ WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d016bcb-80d1-4868-90e3-98f61f75267f,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-504 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c6f7db8-6e93-4919-add8-258fd9deabe8,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7996d74-f072-4801-9ad7-03ac62c9a2dd,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8aab31d6-8b8f-4991-bc00-d8cd1cfcd026,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fda531b-7c81-4b67-99f7-2fbe8d17767d,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf24dd8-5e2a-4d49-ab65-100f9fc79ddf,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,996494e7-415b-4eb1-b511-46a96ad88302,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a31eb4b8-274a-4538-902c-b7824560f9a2,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49d4dab4-b0b4-4b2d-b5fc-b811fb3eb8e0,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b252c2fd-16d8-43c7-bc30-9af93e6f26a6,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1de495e4-5a79-48da-9948-92ad736d0858,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73d6eb72-a275-4947-81e4-b1218dbdfcea,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2674ac63-b250-48d7-b858-ebf547ebe432,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 3248 + 2021-04-15T17:46:32.492836100Z + Microsoft Software Key Storage Provider + UNKNOWN + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\6236f8d93a08713ba009654cf3672978_1f416c82-3ea4-474a-b230-f653aae1986d + %%2458 + 0x0 +",5058,5058 - Key file operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7caf5719-5a90-4561-b52a-5961534f0197,"4/16/2021, 9:15:24.734 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,309657ee-ad86-4cd4-8505-488cec165edf,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 3248 + 2021-04-15T17:46:32.492836100Z + Microsoft Software Key Storage Provider + RSA + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e46e7084-c68c-4fda-835f-52add253152c,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 3248 + 2021-04-15T17:46:32.492836100Z + Microsoft Software Key Storage Provider + RSA + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,25dac5f2-754a-4b07-8787-121743b4c94d,"4/16/2021, 9:15:24.734 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 968 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b8607586-56ac-4e88-9cfb-90bfbced07ee,"4/16/2021, 9:15:24.734 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5760 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fb8dc457-70c3-4ed0-8136-e35a3982e8f0,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42d1e853-3695-474e-8f73-66fad29056e1,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39d4e475-3f50-4812-9689-63aa46f4ced2,"4/16/2021, 9:15:24.734 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96b86e4-8286-4ea8-a9fd-41f880ad0a20,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6194afb5-ec3f-4a5c-bb17-5b68e4635925,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df4c523f-a72b-4221-a15f-73ce1e2052f3,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d443888d-80fa-4f19-a9bc-247213b7d525,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca16b427-21a7-4144-8c09-5af41003025a,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32bfdeb-13b2-44c1-b3fb-881c7ad0846a,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32e7c31-b4ed-4c0f-894e-ced7435fba45,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5af333c5-855b-4b82-9f13-f22b856f8c83,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,124509ea-94e7-43b1-8864-43e453249a1d,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80e6501-5d6c-49b1-9a45-30573f83c9f6,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54f127f3-b8d6-4429-bc90-c6042985dc98,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e72800e-733f-4b28-96cd-d08c31a912ff,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53403756-46f8-4537-8ab1-a46527b28b9b,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d8b3e3-3048-45d8-ba87-c76d1820ae13,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,892004ad-0764-4bf4-882a-50353bd66ba1,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5757de7-9b6e-430d-95a5-09d96c3743bf,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4888c6d-f20a-4bd2-a64a-a19595196040,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b965c98d-7d48-435d-90a6-912ce44bf64b,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c81e2795-99a5-47e3-8bda-fb871955fbe1,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cebf9835-f774-4d8e-af50-512d63c94f82,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a424a493-d75b-4fbf-b12c-69060d73400f,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e6bcc6e-1ad5-4a36-a4eb-9a27314e5da3,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ecd9dc-2885-4af7-9817-6432355a93a2,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6c6cd41-d7a7-4e20-8348-8b40f7bd923f,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0926239a-d895-47d0-9ae5-1e6ed8cd417b,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +\MARIA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eeff4476-e1b0-45a2-994c-053a7aec31ad,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eac4acc5-0ee3-4595-8c31-c0e21607adee,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +\MANAGER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,779b8a18-ab6f-4b1d-9e8a-ea97756d92a1,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b5606580-2b46-476d-9d9f-e6a3e8a11dc7,"4/16/2021, 9:17:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b47d455-9bcf-4ec5-8509-2ff5591a7027,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7012 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8dcea471-2c4a-4144-81c1-7c4cc4431ee1,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,94b7f2ef-ef7f-4996-b786-56cfd7fca893,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8180 + 93 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\150\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 95 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\150\pmfexe.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8d234145-a356-485c-a5b9-6777ae619195,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6976 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c8ae0821-08c0-4cb9-892e-b29ca0d55d58,"4/16/2021, 9:17:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,24089d62-04c5-4917-a65c-1ddf1b2d24bb,"4/16/2021, 9:17:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f472e185-b245-49b0-96ec-d95391ae1e26,"4/16/2021, 9:17:19.412 AM",,,,,,, 
+\LOGMEINREMOTEUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2c18100-69e5-463e-b161-00428ee5239f,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8940a0ed-2445-473f-ab1c-a87c7e51cb71,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2f3d6b8b-7c6c-4dd3-a62a-d9f85aa1d19c,"4/16/2021, 9:17:49.272 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,abe04a37-a615-4c2a-8924-3b67f661ba30,"4/16/2021, 9:17:49.272 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68551ed0-d747-4c7f-8596-5ca3fed0056e,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5876fcb-a270-420a-81e4-2227a5202e6d,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2701bc8-855c-4f61-b3d0-1e0f5f64e41a,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ba26b95-05f8-48f0-ba0f-fbef9c69847d,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,794c0d8e-e513-4dc9-91b9-2c148aea4865,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57286877-79a0-4f91-8707-e60e6b453188,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06754dc0-6fac-4e6e-8162-22ce4eb80bd6,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39bb8717-8fee-4a1b-8e03-a5d645ef8643,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18010817-f9e4-4630-aa08-d8b38c03a66b,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36f73721-e6ae-484f-9397-7991235aa81b,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e439143-049a-414f-a9f8-63faa14bacee,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87f2297d-d430-49de-8960-d1ad0999f7b0,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9f43861-2749-4229-a93b-02e50a273883,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,864a6cda-e40e-431e-a0b2-d3e6c2c835c5,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f8c81b8-e61e-45a8-95e6-5662e265b7ba,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d869f2b9-5753-4e3f-a99d-32b899753aa4,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1b7740e-77a7-455f-a213-9164c0f64153,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ffcdc4b-d17e-4e43-a5bb-c6ccdd02d06f,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c5ba2c7-c951-4f54-abc8-72a0f8594faf,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55c9592c-91cd-4330-a3f7-1e56d225aa33,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,202832e2-9d36-4f9d-8f08-4f500e436dd1,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b24112da-d393-4433-8568-58fc7827c4c6,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0a16d32-d6b6-45c6-80c9-9e3b78f01467,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a42205ee-a9e9-44f4-b08c-dfa299569c0b,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3174cd34-d88b-4f56-abe2-4ead06334f10,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb8eeded-bd16-49af-a4ec-74853ae89dfd,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\WAHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc58b5e2-f729-4ad3-8f89-eb0cc2656145,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2ca1430-d14b-4f61-88d4-d6a56ddf749a,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24628b32-4e2e-4b9e-b51e-965d6ce93f13,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0ba5558-8005-4fb9-af95-7f94219e5f72,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\ASP.NET,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c183ad8f-d7ae-4b67-b921-d6f071c0fda7,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\EYS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdef2454-0914-4090-bdd7-6fe447ce3b4d,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d6fb6ab-3e08-4bd9-a6a2-69ce15027a0a,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56ae1859-ea4a-435f-a41d-98d4d57f68df,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76f31b20-4249-4086-a90a-aa0bd276720c,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,940551ed-ba5a-4a3e-8471-5aede4ca52f8,"4/16/2021, 9:17:59.720 AM",,,,,,, +\ADMINISTRATEUR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d252b7d4-016e-4ee7-b608-83746ddc7d22,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5afce76-f86d-49e3-875c-da387f3bad56,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,faaef9a7-28a0-42a7-adaa-21569f0ae013,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ec0f531-e63f-455c-bbc7-afe4110f24e3,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00d25632-6067-439b-8c04-e45110fcf17b,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,126c960c-3b7d-4032-914c-34902542107b,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1708d62-4488-4511-ac87-01b2bcff1094,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,489a34e8-9f64-41da-93cf-df6b43acefa8,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0d0fa29-122e-46be-b745-c79d162e807e,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\SAGEHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44307ba1-7f87-410d-a3f3-fff7efbb5203,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ac5fb7f4-a1f5-4a0c-8130-dd5ffeff7bce,"4/16/2021, 9:18:10.007 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d3bcfcf8-f121-4c38-a9ca-0c2ff114f850,"4/16/2021, 9:18:10.007 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8b7b8d5c-481f-4d1c-a456-07b6783bc1b3,"4/16/2021, 9:18:10.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4520 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ae57d995-c27e-4c57-b9bd-a194d01820ae,"4/16/2021, 9:18:10.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2560 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,01754751-58cd-400d-8f73-e22ec6299660,"4/16/2021, 9:18:10.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7164 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e23d9b6b-ca3d-4641-bdc7-646a2de2731d,"4/16/2021, 9:18:10.007 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,28b454e6-80c0-4d88-8440-0a5fa8364165,"4/16/2021, 9:18:10.007 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f8b38eff-84b4-463c-bb74-cfe782d3ac9c,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c7b79155-770d-430a-9e97-1f8800b24410,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0d9bb524-2e82-4417-8c59-684d7bdef5f6,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0c5bfe49-1954-4a75-aae0-d8a5947b1863,"4/16/2021, 9:18:10.007 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d6764935-888f-4aa4-8695-9f6cd621d7a3,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b75a989d-9591-4c3a-a814-eeb9f6324214,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0ef91fd7-6861-4c91-8813-e0c6dda72c63,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,22035a5d-2482-45c7-8ef5-a5723607e8a2,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a5b93d7c-1664-419a-b16e-e71056a13474,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5c94eed0-f6a0-4c6f-bbf0-3b40bcec0716,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,247693e4-bc83-4e23-957a-615824f066ca,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,47db2c27-da14-47cb-9ba0-1157ec7ae79c,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d9230be-05e5-406f-aff0-85974ea629bb,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,be622eb3-b060-48f6-a769-8016289c6319,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a17e4c31-befb-4c6a-9c14-04eb0219b052,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,710c2e6c-7961-45e7-8910-2721e4758905,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e82bfe71-92ac-40b8-9260-ef64cb56ee75,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,75ce724e-e810-4ec7-97e5-037286fcb8ae,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d9a2e633-4eb4-4fa2-879d-4c5e51fd83d0,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c8ab2529-7661-48a5-abd7-115106f9507c,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,59566193-0f8e-4500-9cb8-4d766c87aec9,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,273dcbdc-3e77-4086-8d4b-0bff198ede75,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,10073d83-cb2b-4f48-816f-cb5cbe0b82b2,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,35e1ed6a-64a8-4d2f-b6be-cae4c330a561,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,604bdad3-cc1a-46df-89d2-765af0fa0239,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f38b67e-1494-451c-a566-455c68c4d2b1,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3d31e9-e94f-4b0c-ac53-31ee2de2969c,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,850e95ab-f434-4ae9-842c-f2aabce3de64,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53dcfb04-1976-4213-b957-b1d2fadd6545,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79af33cb-a0d9-4e46-8e5b-dc70719dc97c,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0feacf46-d87c-43ca-ab49-445f6007bffa,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c1d14e2-f6e4-4872-9103-655644bfb056,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80dbe167-2759-49e9-a8c2-dcc651a85c5e,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3292cb8b-1846-4570-a785-e5b9d85b13a8,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de75e2ea-dc15-4355-ab55-5e0571fc5ad0,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b5b5f09-6411-44ab-820b-e49df72a0124,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b3839c-ebee-470a-b177-57e5fa66be91,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5310471a-54bf-4795-a56b-29c61105128f,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ec4b71-c70c-4677-aca6-abe3030c297c,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce8c5b88-2489-4ddf-b919-05ec3c2ced97,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a5ac835-1ea3-4f50-acaa-44cbb7cf2933,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae02e291-84ea-4806-9fe6-191acd42680a,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e50837cd-b15f-44dc-a112-0c9c3a96b493,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e127ae01-958f-4ce6-bcf7-8ca48d96f38d,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d74a969-9a81-45ed-ab74-d0162575650c,"4/16/2021, 
9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80ac2918-0b6d-4c44-8d25-1a68405bb67f,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6183665-2506-4b8f-8cf8-0aee7fe5fe98,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e44f7cf9-283b-4498-9188-c99d389ea00f,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d871851-8308-4e65-818a-7c3d5d28951e,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbe9ff91-c3ca-4618-aa74-34880faf3af9,"4/16/2021, 9:18:16.714 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4af6aba-e115-4f38-b80d-5c5d7968f0c3,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33a3cf2f-e05d-4ff1-a5f3-da5543f729cd,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eed7ecdc-725a-46de-862a-5cc9da53f289,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9c4cb2d-e7c4-484f-95fa-30e516eda7df,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b411819d-8bbd-4fc9-8348-5abf5210cfa0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68afae4b-6fb0-49c8-a94e-e63879e4c296,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\HELPDESK,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58298881-9e56-4674-a7fa-09bba0cdf5f3,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c368732e-6475-49ee-a016-0ddd0f529746,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,363dae8e-56bd-4b26-9095-e2c496d2ebd0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df8c476c-ed74-4f3a-ae81-77568045ea02,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddcbec4a-7255-4af8-b38c-7fb6dcdc98a0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31cbd373-c974-4721-80fa-88c687dbbaf5,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d054758a-c569-4fd9-8085-048615a226e7,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bcd68fd-86ca-428e-9fbb-e962d7789dc0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b44a915-e718-422e-9739-fdbb1910c046,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e75d759-4af0-41b2-86dd-e05863cc7e1f,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3be728c-b94c-4861-b8ac-99b0ce43f6a3,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,136c3c7d-e305-48cf-98a9-178923d55fc9,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56cb911a-4a15-4331-8e08-476da1c0376e,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\DEFAULT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e6634dd-7fe8-477d-a242-95abd9a630f9,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\RECEPCION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4bc0515-c5a3-43ec-a68c-4ee93637043c,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,45eccf13-1000-40d7-a962-d677053e57f4,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +\SHOP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6cddf0c9-ce3d-478a-a90e-301139187077,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4326a80a-6620-424c-938d-a6872cad790f,"4/16/2021, 9:18:23.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,333d2268-4000-4034-9daf-500933de21e1,"4/16/2021, 9:18:23.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3eef2d3d-d6e6-4b1f-9a11-044b88532a41,"4/16/2021, 9:18:23.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1d0e30b-fe10-40e5-aa61-eaf3b5f2d535,"4/16/2021, 9:18:23.413 AM",,,,,,, +\TECH,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26f5553c-81c6-48ef-a43c-3554bc3ef296,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2ed79bd-dec8-4751-9176-722273169d19,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,75a67885-29ed-48c5-9fc1-d483118428d8,"4/16/2021, 9:18:23.413 AM",,,,,,, +\ACCUEIL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca558117-a131-4785-9473-11b15ae4f2a2,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,7abb54e2-c226-412a-aef7-80ec867ac959,"4/16/2021, 9:18:26.620 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c43fbdcf-84d8-4861-9965-126e6533b815,"4/16/2021, 9:18:26.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3752 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0521c3be-7213-4031-8f86-82d7e4eb3de9,"4/16/2021, 9:18:26.620 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f11cd38a-aa38-4c92-b8b4-e6bd1a815918,"4/16/2021, 9:18:26.620 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,989f5405-7532-410d-a205-4f0be704e221,"4/16/2021, 9:18:26.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8532 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1992df97-bb6e-4c17-900e-8db41640936e,"4/16/2021, 9:18:26.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4868 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,815d5544-5f7d-4fee-a41f-3cefbbab537d,"4/16/2021, 9:18:26.620 AM",,,,,,, +\compartidos,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a37b29b-246e-47ae-80b3-30639a9e44e0,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,340b8e5f-f526-4742-8eab-baee68214295,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d105407-76b4-40fa-a7d9-1dfa631f5db6,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, 
+\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852c57ac-9678-4c24-b0ea-4ce472705284,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f3dddf2-0407-4b5b-9f3a-10f4348d5ca2,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c585fab9-e478-41da-aced-b3b571d7af9b,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30450c44-d77b-43fe-b84e-7e1f9d5989cc,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac71055b-20c5-41e7-84a0-955d69a4ba8d,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb52e494-d916-4210-9639-0397c2469f78,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\khotn,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a3160cd-8ad8-475f-82fd-8bdd1dd0f8b8,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc97d04-b5c5-47b1-b30f-6081493dc4a3,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c94e69-0aff-40aa-a041-1eb7046e2c2e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d5700ab-60f1-4a27-a8c4-0608744b8856,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44b5659a-1569-4fca-96cc-37e31ee1bdc3,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\test,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b04af824-00cd-4b40-9e30-bd69a91c844e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c439f3-33df-420b-a4da-689d8c318f1d,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed14b4f7-5ee6-4be8-87cb-c7a3f078de53,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5b8f747-4f2a-4c35-af59-a472e6f7e29e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b0d3d2b-fd5c-4cac-88f6-f5f9b54c42bb,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23aaac35-2cd9-438b-aebb-d519750acd72,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b078ab4f-02b8-42a3-9dee-777f696f8f7e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\praktikant,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,151a0496-7424-4a4e-8ff2-3ebc444290f4,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c303b3e-7f88-4394-9c56-4572f8b7c083,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef7f1bb7-3739-4857-bade-a256dc9d25e6,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86a4770b-e1d2-48d0-9f99-41f4b01b346e,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ecc112-a1f3-420f-945d-6940c9585aa9,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cbf61c3-250d-434a-b303-f3e98f101a62,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdf96533-b880-4a0a-96c5-386625eb82c1,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba6ea35e-417b-4393-9b45-4feecaeb376f,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\byzz,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e7d3b4-9c84-43f0-91e5-0bca9010ccbb,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ba7c630-0b7f-493c-b3f1-0114592bf93a,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34985155-7397-4831-a475-72f0e9f4199f,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71b4ad6c-1d70-46fb-a3be-4edcd99ac454,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e3f79ac-4467-4e5d-90f5-b16eddb50400,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fd52be4-142f-4d41-9446-fbb24981c42f,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d316da95-4b76-48ef-9d20-38683240af91,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2acd6df2-d69f-44bd-ab34-dfa3626b3c9b,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\gcuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0315e9de-6adb-49ca-90bd-9cca1ad92ae2,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9410949f-277d-4a44-8d6f-20e454288ad7,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a65ad1f-58fa-41c3-b0fa-8432c30a0d7c,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb809431-9e91-4c9d-8930-c8e96044d69c,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8d025c8-28dc-44ee-a26e-6b1ba0b190b7,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\sale,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe6b5c7f-bc97-420a-9451-8991e9dc9fbe,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b883217-76f7-4f9a-8997-51a8f4b3d568,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3741293d-9330-4e4f-af4e-2f6021f1c6a6,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05cdca6a-9d28-4b09-a968-432cb5012bfe,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b890f698-1a5a-4061-abd9-ebd3d54ef145,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe7a585-9feb-445d-84f9-898d2567ba2f,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a076e85-e370-4632-b8b3-3fae5e902dee,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11adb88-7dae-4fbc-8734-50b952b34126,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb4f3469-9239-435b-9242-fd1e91297ca3,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fc6e45b-7500-4235-b0b0-ef23c2939443,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc64264c-0cd0-4dee-82ef-f57da090cf1f,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa8bbe9d-e95d-4dc1-b19a-c8edca5f783f,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5bced83-2c8e-4ef3-9f7b-a2d97a045f51,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\OVN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae835869-ec65-4a5a-b523-3c7705cf5802,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef233fea-1bbe-4fe3-8beb-9d5e70bda37e,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,570e3d84-797f-4f8e-9378-be1ef4480e03,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46127cb7-6e91-4ac1-b6f0-e1642372ba48,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4f7d582-9261-4524-a884-22877d15902e,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,659b8513-9383-45d7-a5e9-22783f88aae7,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1f598c1-b153-4378-80fe-9cde28693efb,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc5f38b2-48e4-4dc5-86dd-1c8d274d7faf,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b887a49-82eb-4a11-9032-e9818b715fd3,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab5462d6-1314-41ea-80e5-0e3055b6a42d,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04566cb8-aae7-44a8-a2ee-3639616df404,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\user,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c2d309d-c389-4d9b-ab76-65c319cdcf95,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46610329-af5b-41c6-9e81-bb0e291197a3,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0422ec0-263a-4d6f-b5ef-62edab3cdb26,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d2ce200-abb5-429a-8d95-271cc3cef471,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,, +\PC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f31f9d1a-b5bd-464f-91a8-b75fe2fe90b2,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fefc4f15-f93a-42a4-bceb-e0bf15e42670,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d329db4-f64f-4493-a453-bae710dedc86,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e038719-1cf7-4be4-859f-8d43856fa4fe,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948ba1e8-88d7-460f-b9f6-fb5153b990a3,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9f6df99-d6c2-4bb7-b971-722f148ba776,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7964b377-4b01-4cef-a4e3-340f278bf226,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b7cf3e3-c1c9-476b-8718-d58f5d45bb53,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60144bc8-cccf-47a3-a753-05f2f3a500ff,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf12691-cd7e-4067-bad4-e05d70799d4b,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60a820a1-ceef-402c-82fe-222ea83259e7,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bb489b2-f74e-4311-b1ab-2552b45a5acc,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b51a53ee-b835-4a13-b67a-56f3b4ad0f0f,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba038af-708d-48b4-96c6-65e9bb10e836,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35e9adc0-deeb-4bc8-b839-0c80ab2455a8,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2f93e46-2383-4832-a101-8dfe605ea666,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\POS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f803d6f-0478-4b95-9f95-ba7792e8641c,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6406066e-699d-420c-880f-3afd098a313c,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1c7241d-4538-4446-bcb9-45a93e5a24bc,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f7a19a9-9a15-4a2d-9203-cdaa215d4afc,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47b1a192-c262-46aa-98b8-460fece697be,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74a72b94-04f3-49fd-8c6e-9efdc156e3e2,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0afcb16a-db19-4346-9bf7-8838175175b7,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5ec18453-5b25-40bb-8f07-62c41b82886d,"4/16/2021, 9:18:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,009423c7-de89-41a4-9372-6a0ed52b7fa3,"4/16/2021, 9:18:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3352 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,67484e34-5bbe-4cb8-98f0-71e42fc1668a,"4/16/2021, 9:18:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42de3d48-dadd-43d1-8dab-b850ab6da121,"4/16/2021, 9:18:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ade186e7-250f-4277-b31f-2f9840ebd2fa,"4/16/2021, 9:18:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7d8c1cbf-d4d4-4d74-9b8a-10b914e05f3c,"4/16/2021, 9:18:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12316 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,05259742-5903-4648-b162-e66c3f09807e,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c5dff0dd-8f33-4dcb-b9c0-1cfc402434d7,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7108 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,91d9cc39-101d-41ad-b817-e9ce30730027,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,eb42e810-feb2-4397-968b-af9712609b70,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13072 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9ca6e53e-0a85-4b94-86d5-3e9dcc49cc64,"4/16/2021, 9:18:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13004 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,dafcd013-366e-417b-b9db-5be8a46d0a76,"4/16/2021, 9:18:57.007 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b03c51a-f976-4af8-9830-0c7184fe8852,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\USER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f63bb2b8-7743-48a3-9236-f3e5c5e210e4,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\SOPORTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e2d0c2e-54ad-4c81-88ae-6c76f6a1edcd,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a789f8a-106b-4caf-b214-107819afc0a3,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\AUDIT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c397fb85-5c4e-43e1-8ede-cbfd7e78f574,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01d0b4dc-e020-4cbf-9c5c-34f7a1268fce,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2c681598-eb2c-408b-8554-d7f2deefc11a,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3c13256d-54fe-4549-a2ce-0a269db640a9,"4/16/2021, 9:19:00.617 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3560 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,99796845-70b9-41a6-91bb-503745aa5235,"4/16/2021, 9:19:00.617 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,96b67f78-36c5-4754-b4e8-51797816e4cf,"4/16/2021, 9:19:00.617 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,04cf9206-e23d-4cb5-ad25-3a758466d58c,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3feceabb-11c0-455b-a117-736b131ecfbd,"4/16/2021, 9:19:03.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ed0a2560-581f-4e58-916d-648d6b5ae301,"4/16/2021, 9:19:03.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4a1ce0ce-03dd-41f9-9464-477cd40561e5,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d4300a3b-414b-4051-97e8-8f465e5d53ae,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bca76982-fa31-409f-8790-d0e16d9d3176,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,47297c50-07f9-43db-acbe-0b262c66908f,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3b38a88e-f3b9-4cba-9fb2-06c38c42d0b7,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,faaa3c90-73e3-4363-8028-f3eed6bdfb1f,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,06b144a9-e421-4e20-87d7-2e4384b8b49c,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0c66120-fcef-45c0-a729-624a1d61d53e,"4/16/2021, 9:19:03.063 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c0a3142-3161-4905-bbd7-713e3a08c06a,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59633b96-bd24-4501-991f-45629c4e7ae0,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\classroom,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d406c85-65fb-487a-a1e5-e83a672b023c,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f463ef2e-5ca2-4ae3-ad44-f662d029c78c,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbd34f5f-065c-4248-a26a-5338776717e2,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b68336-595b-46d2-8519-2e84be9276e9,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad057a52-7d1e-4586-afee-5b2c6d9fd35d,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d635b758-de3f-45a9-a417-5777a51ddc29,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20cf0b1a-2110-456f-bfb1-2de9100478ad,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\sandra,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce856550-8abf-43d4-8f26-9bb8440fe659,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6a5697-91d2-463e-a3be-a7d6bed8c209,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d91553b-1e44-40a6-b943-80673bd0e32f,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c169d5b1-dfff-4717-a6d2-518960fb8969,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e8b7d8b-7c37-4ac3-a612-691344b40ebd,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b573dcce-92ca-4734-a5cc-8bdfb1ef0e5f,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40ecb2f0-6e78-4611-8b33-489cecf7d706,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\user1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41a0e5e5-9ffe-4a22-a234-f8011f1cf130,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6cee24e-ac1f-4df8-a3c6-e30ca1be6896,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9911e2a-7561-4238-935d-a89180d0d549,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a64a7ee-e9e8-4b5a-ac10-547dfa6071ed,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfb62a15-86ba-4252-afa3-5ce61bbabba8,"4/16/2021, 9:19:10.130 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9e6a013-bff1-4125-81f6-d75fec24e717,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d191872-b991-43a0-b607-893a0bebeb7c,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974fefba-ea0b-463b-8f82-3429df27557e,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed23a725-fc55-48c4-ae88-2af2bc1afad1,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,032f6964-a864-429a-ab5c-4c502a7c005c,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84afdb28-5b48-4104-98ce-8a565355d130,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\giseli,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96cd035e-3b2d-4f67-a214-3d28570c258b,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebb60f2e-0cbb-4b2f-b47e-af7b4867819b,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac3cf409-d780-4906-b36e-09fd341e67d9,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a076c572-56f0-44d6-bf6a-ecd674dda52f,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58706630-2b17-42e1-ba92-19ca92bba76e,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d429ca5-321d-42e8-ba29-1484bd86e109,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba38ef1-660e-4561-a9c9-f1bd64f555de,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\user,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6fcc6df-102d-4b56-aef3-d81a08d40b9f,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,765480ef-fa6d-4b08-827f-63664e4753e7,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e58ae94-4d04-4956-8314-c8ac03d4233b,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,427e3750-af5a-4bdb-b805-0fda1c05aeb2,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be8c640-3b83-4af5-8a12-d8c6d3897313,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37726295-d25f-41c2-8150-4268f184fb0e,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5585b7cb-dae1-4014-90cf-0ae97d749a0c,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ekogan,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6880e477-0b47-41f5-b2b9-086375680de4,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c9d42f6-a8d8-470e-9762-7d21d95ccbd8,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c0b9558-e063-420a-881a-92e77c67636d,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f18f0e41-3b11-4163-b989-e0c2642ab5a3,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b06deb-e5fc-4a79-9a64-8ddeb2097f1d,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,, +\priscila,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c83136b2-3cbc-4b60-9441-226aa39ccc94,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d60b3be7-cbd5-448c-b177-e41810d7ed9e,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdf1eedc-3f9b-42f0-a17d-bfaf1d8d9017,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63b50f8c-b71a-4798-bdad-6f179b44b2c4,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5726c143-f004-4ad3-86a2-78b2289d44bb,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc298905-a625-40bc-915f-54e17559cffe,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,951ccdff-3366-4a37-b11a-a6df37632075,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acafc0a4-ffc1-4305-bd03-b203d2ae006d,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28c4c85-1187-4fc7-919e-75eb0a860ec7,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86c7fa41-5029-4fcc-8c7c-04ae9bf9b086,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b87da15d-13fd-43fc-a628-83c74ba43262,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\christene,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b058cd7-1284-43eb-8dd8-13e356569a0d,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c376072a-8889-410f-a3bd-dbade3015ff7,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a7ce9f3-1f77-413c-95ac-6be4a34290d0,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e92d332f-1f5a-490d-af37-837c00fb9540,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8697d1b4-c176-4e03-b333-452a5fdb8b68,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d13d07b4-a34b-4f4a-abf2-da54c75fcd3a,"4/16/2021, 9:19:21.140 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2f02a6-2f2f-44f7-9a5f-4f387440d289,"4/16/2021, 9:19:21.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6152 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,32dcc7b6-fdb3-4c87-b9c3-6e6871904e02,"4/16/2021, 9:19:21.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4176 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3303afa-cd48-4f7d-8378-e07a8489e7cd,"4/16/2021, 9:19:21.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0015bc-b347-44db-b9fb-edebe90e3b95,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7255ce9c-ace5-4e12-9add-4e8e11227e80,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\mms4,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,405cb0fe-2b20-4d96-af0e-dba08e3c4b11,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87bbbdc3-9b3e-4d5d-a0e2-8afd1c902167,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4da34260-18e3-4afa-838f-578c15f68194,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\test,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fca539-f40e-4e5d-ae02-c9ece3d77dad,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de839633-c5da-47a2-9e12-7989c8e11cdd,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,908508f5-16b7-4a7c-b0b3-f23653b80ae0,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee20d02-10c8-40b7-acac-16423410cb17,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b7bd3f9-66fa-4a2d-bbd9-9b1e94f286a5,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3100a891-3cb1-464c-a23b-f6e6739cda80,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b35c08-469e-4578-975c-a9849a4fbcde,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d77955-9d6f-4723-bc78-e03a7cb113d8,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\printer,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,291940f8-6335-4339-b79c-c98daecec80f,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30f593fc-55c9-4d43-9e0f-0af7506fffd9,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3e707f3-5805-401c-9f54-b5891e42e5f3,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfd9e2e-df1d-40bd-9432-9b6d8ed49ab3,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1a78c4-9fef-473d-90b1-f520341e84df,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69540d67-04dd-4936-9df1-6f609fda7c4d,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13ac1bcf-d8b7-459c-9b9e-192425603f19,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d725826e-a8b3-4ea9-9e15-cb63835ca4c5,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21e36f92-6ae5-4162-88b4-792dba6f8346,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\isii,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb1b6a6e-e75f-4e0a-ac24-35cb6943d5ce,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18428f09-f19d-4420-9b5e-cfe49410c1f3,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac4de375-e62e-4327-8cae-de9f64559ab7,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\SHIPPING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c923c8e-2834-43da-a70f-db3bfc357a63,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c04128f0-d4e1-45f8-b927-8db205b6b949,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5936 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e503033c-febf-41d0-a4de-37075104f87a,"4/16/2021, 9:19:30.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d42bc089-fd7a-4446-8643-e858b5768a7b,"4/16/2021, 9:19:30.408 AM",,,,,,, +\MICHELLE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,be171d0c-8a3d-4d9b-849d-2fd07bef8bc7,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d1918395-72fa-40c0-9ea0-698e89b1956d,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ed83c4a-bbe9-458f-87f2-f08ca2a220dc,"4/16/2021, 9:19:30.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8100 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2bb8911c-dd8b-40ac-ae84-a9a4b031f50a,"4/16/2021, 9:19:30.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a11d4561-281a-44e8-880c-fd5c00d2ae6d,"4/16/2021, 9:19:30.408 AM",,,,,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8db4dc4-5488-436f-a2cf-17941271d040,"4/16/2021, 9:19:30.408 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9fe08658-0e60-440a-8028-79b1e67ec418,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,00615084-cb48-42d3-9882-358b42f1622a,"4/16/2021, 9:19:30.408 AM",,,,,,, +\SHARE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,47218769-c043-424c-9f2f-f44cb80db41e,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +\FAX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a3a53f2-4e90-4e47-9444-ffdad62e4e05,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,78d12a8e-d954-4280-8fd2-911293a7d63c,"4/16/2021, 9:19:31.619 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8216 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a315e1d4-5593-42d4-b636-e43f4852ef9b,"4/16/2021, 9:19:31.619 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,65fb96b7-eeb8-43d7-bd9b-ab1bd90fe615,"4/16/2021, 9:19:31.619 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7196 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f04e0f27-fcd1-4624-a8cd-e74ae98849fa,"4/16/2021, 9:19:31.619 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,30424537-343c-49aa-997b-d228319cd672,"4/16/2021, 
9:19:31.619 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb343117-b1bf-4e6a-b90c-584a4864d82b,"4/16/2021, 9:19:31.619 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc21946-eec0-4357-a76e-737be0d9b061,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\dell,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1d5ff93-146e-41e8-9a69-d667701e68da,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67aec2b7-b0e6-43db-9140-f7db462ca0fa,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5c099b5-1160-4f66-9a43-4650dc1df45e,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf412065-0ad5-4101-b2bf-431a3d549fbb,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,424034b9-97a3-4b96-b30d-c405571f12bd,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\almoxarifado,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e2afc6d-4c11-4507-b97e-2e21441da331,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d78112f2-0f6a-49ab-a119-911f94a43f3b,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01e83a7c-1a19-4af5-b8e9-ea99341627c1,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,004bc48f-e130-4f21-b497-897d4e8df6a6,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ef0a988-a5ef-485d-a7e3-f3a621fae18b,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\cctv,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8264413-ba73-4b25-beb8-d15f216b5682,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c76c72-8d76-403d-af61-b343b491c842,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,776dd623-6b2c-4bd5-9133-556e587427e4,"4/16/2021, 9:19:34.177 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bf6ea36-fe79-4b47-b06b-d24d21c7d7ad,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e311ed2-2f16-45b2-b857-2593d69510f0,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\jinny,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d37bee60-9338-4c4a-a527-47db184ee71b,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bf073ec-9fcb-41db-a393-1a5aad506bb6,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2faaff99-3b66-4d8b-b879-e313bcc71400,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cde8000-91c9-4ea6-9550-5d6ae358614f,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0afc450b-d146-4252-8201-db2fb5f6cef2,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\digital,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6a59981-8fe3-4ee6-9e3c-87ac8f155a9f,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3cddc75-1f61-4295-bfd2-6eef7f1f713c,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f698c1-331c-4b75-b14c-d8e985f3458d,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57991563-c81a-4830-b620-24a0c955ba00,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf69481-4ad7-4523-b7e9-68961c9ea6a0,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6f86d39-f82c-479d-bd65-a8d5a39d07e5,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6b572f7-40aa-45b5-9a7d-cdc2653b248f,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e75a0c2-63a2-4e87-a147-a8dde63b7453,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c7e46512-e594-4b91-940b-2f2a730576fe,"4/16/2021, 9:19:36.065 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d934e202-1214-4e94-98f0-20772de77c64,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d20e7bff-28d5-4ec8-9aab-6368f715cd3e,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1c94f44c-5c86-4fbe-83c7-6ed203674eb6,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,68d2dc9b-8660-4e3b-ad1d-db289ef00fef,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,50c1ff66-b85b-40bc-9b1e-eec93ba3e9f5,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3c2eefa8-bac7-4381-b01d-513b0404e5ef,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,698facad-c0e0-476e-9540-c69645f39824,"4/16/2021, 9:19:36.065 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,368b17bc-cfdc-4ec4-9f75-c9649d5bea4b,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebb1a925-f22c-48d9-a3fb-5c521d67f23e,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fcdd1c3-024d-495d-98b4-733414de79ca,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25ae03cc-c9b6-4275-87ff-74032aaeb061,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d59095ca-880d-4ac9-a2f7-9dfa5957f3ab,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b93aec3-2012-4b17-bf2c-38badb2108d7,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b33a842-12e4-4ec8-9e9f-12a568605cd9,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d921f914-776c-4240-8acd-1767f41e4547,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,988981f4-f4b7-4e84-a9c7-9d2bb57bdc8f,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e62eccbb-94c6-4914-a097-8684c269696f,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d817eee8-40c4-4ae2-9032-0d3eb41ba88e,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,187597ee-78fc-4272-b060-e29a77742e36,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68ba4d78-4d0d-462e-b75d-e32d143cfb85,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f586baec-9847-45c3-b89d-bc2ad83e2cbd,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\USER02,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcc8ed43-cbfb-4e57-a9cd-023f02badfc9,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e147291-f132-42d8-8277-e7caa56c249d,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b843c3d-b181-4fbe-8c74-970b21f0efb6,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdae98c9-2ecd-4f98-8ca2-a0f0c559ed7d,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f73259f4-8d71-4ae3-aad3-f8ddc97061f0,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b17abbc-fb01-4dd1-b9b9-ebedf58695d1,"4/16/2021, 
9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc803635-5f5c-43f6-bf47-c608e3fd44b0,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7be0eaee-1d63-41de-9098-edf94110ffa8,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9156e419-fb56-44e0-bf46-9952194cc39a,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d004bc5-064f-4feb-95df-328f0ae3c539,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f1eb8d7-b58d-4861-b189-4d57698c9dbd,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5b62cad-cc83-4469-8c45-ad6a1f2407dd,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49ed660c-627c-443a-9462-1ddb713c8694,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0348e9bd-3e9b-4c6e-ba86-b792a54e17c2,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62d1edbc-15c7-4409-860e-6a8b7285eaa7,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e98c838-2627-408a-b8f8-1e1bd3a35b94,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\visitor,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ac596c-d444-48d0-ac00-56d4e805c19f,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5597be27-0d6f-43eb-9dea-e8a0679f7908,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6cd900-e513-471a-8dd0-da21f12bbc95,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c303d8-18d1-4158-a47c-f65d39113eec,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f009f089-4995-4fc5-a37b-04b7d679f25b,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\asp.net,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1e3ab29-f4ca-4787-9dea-c227764b2aab,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,157bd83f-b627-4130-a51e-fc5bbd1fd742,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff9a408d-1e49-4317-9686-39b9bd2b1e8e,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9ecd3f2-1594-4598-bcc7-133576353b3b,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5a67bc-c11b-4805-9f08-f1bfe6c14f44,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\perini,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe58bc8-5f0d-4658-8ba9-6612f2c03b0c,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82dcc8e0-1987-42a4-bb0d-4a9e9a70f7c2,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5091602a-7183-48fc-bd2e-6b8628d20ac6,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcddb1d2-839b-498e-834d-1b5a8242ac6f,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d10156-f073-4609-95e5-171a2bb6fa18,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1fd037-aac1-479c-8fb0-542db2167016,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c9be44-8091-41e8-83fd-309d2be4b30a,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\student,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c205b87c-da8c-43ba-a1f0-e62c8e9bd557,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d9aed65-24db-4333-8b61-eac90a86f5ad,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c48edb85-c20c-4ab8-9919-593eadd35842,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78863dec-6711-474e-9f43-1e3229c4267a,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b2c2732-3a90-482f-858d-2f6ee663e58d,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27a39143-1f1a-4560-9d52-993a5459aa74,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e80c6bfd-fb4b-4339-a18d-cd51717f41a4,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5df1ab-3098-413c-a260-61de4bc55d70,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\gardi,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfd47125-74c7-40c1-ba33-c100acb7f497,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c78ef1af-00f8-4599-ace0-830b46ad94d0,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce128b8d-f18a-4374-b3ff-629f0c989ba3,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1489fd92-0560-4d2e-978a-80245a8bfe3f,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8465c0fa-2e08-4f78-b75f-a19988f3268f,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,848c5164-7f27-428a-88dd-8843a111b032,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d06536a1-9eb5-46b6-bcbb-5d8e03a5bfa7,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2ebc1a-bbd9-4a69-99cd-46e5ff29571f,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2af05f90-e412-4d88-a533-8caa8f4e483c,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\user1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87e5da60-643f-414c-9b5b-28f927154340,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8924b1bc-8244-4d38-ab62-0fcb44daf420,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7825442e-9dd3-4ff3-a64f-3ee1e0854cae,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,440ad9f1-581b-4ba7-8a21-afa11d9de568,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab61e14d-734a-4f2f-9059-b6934e7fc23b,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,e742ed18-9db5-4db2-abb9-9c617451131b,"4/16/2021, 9:19:45.871 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3464 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ad90d7a4-ea4b-4608-acc9-dfbd9f4ad43c,"4/16/2021, 9:19:50.286 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ce94962d-c51e-44ae-909b-fe5add739725,"4/16/2021, 9:19:50.286 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da0935d0-4de6-4c85-8139-ca8b1e935c33,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec343a4-7aeb-4bc0-895c-f8bc08ac1b23,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae7a3876-0c75-44e1-ad99-9a280589f3f6,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b68241-9e08-4bd2-94c2-9e90661c2942,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c05bc8a2-2eb0-4feb-9031-06bbc207b913,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dc16139-c2cd-4e91-b34d-8fa4b6c87a14,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de434843-b4c5-4156-ab6e-877b810651c4,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07e73302-d508-45e4-97ff-43448e729b9d,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6248489a-cd5c-482c-934f-4d643a9711aa,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1525a633-8f7e-46f0-a634-a8ab965397c1,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91ddca7-b00e-43f4-899e-273b513abb0a,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd9dabe-abd1-4928-8230-83578105e746,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,104471ea-5aa3-45b0-ac7e-ebce48f937a4,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e840a13-ebbe-45b9-905b-68abc8aa50ca,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\meeting,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7543bc15-a8f3-412c-970b-b21424faabb6,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35f3fcb4-aa31-4873-81d8-ef4eddad4111,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30c32365-bb2a-4136-af98-6095766141c4,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a65ebf27-486e-4964-a8ee-9d14b7997d85,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d259be29-af77-4613-9fa4-ad4d3156d5cc,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa6d07d-1afc-4ab9-b645-937db842180d,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10b6ad18-2577-4cd2-a728-d093d649f641,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\fatima,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfa4394c-975d-46a4-9889-a40cd275c777,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b53b5458-8f4b-4a42-a468-e1998db32590,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e34712da-49b4-4a80-beb3-0b94de43e9b1,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23cce481-9776-49a7-b204-0f7ff4c2c6de,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,960e9a81-3549-4df8-b3b6-999cd2b95565,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\DELL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e81a422-695a-47eb-a55b-340ef4eda28f,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89213552-72f7-4d2e-90d8-0e45c50fe2bf,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d02f331-4de9-4157-87b6-40140c01a483,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03b3923f-7c16-41cb-8b94-5ad220d044c7,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb58978f-d12d-4934-8361-6fdb7936d384,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e0698e0-b23d-4f03-a4eb-ada0177082ff,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,767d582e-ac04-41cc-b251-92ccd91527fb,"4/16/2021, 9:19:52.779 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ce71f6d-1599-4ce7-983f-2503705ab9b0,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c88d80d-7940-4109-bb00-b7584d18ab5e,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0739dddd-e850-4618-acb9-d2a423783884,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03979928-d2a8-421a-bbb8-295625e9290a,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb18dbd4-f644-4a59-9005-734d158058c9,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e636e471-56d4-46aa-b5b6-297aec5f9807,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a337d53-62b6-4736-aaf5-abe4e5129928,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81d49fa9-05be-482f-af48-916df82494c8,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\OWNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89dd36f2-5e91-4741-823c-5c252377e594,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5972b79e-bc86-48e8-b873-cea473fe4cfb,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e48a32ed-79c7-4872-9fb9-dc9bb296fbb5,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,708a01e2-0905-4e10-996d-1c0b49edece0,"4/16/2021, 9:19:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,08cbc015-7a02-4cd7-acfe-11cfa8e5c953,"4/16/2021, 9:19:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,28eaa858-1e6c-424d-a63a-6ad728f8de0a,"4/16/2021, 9:19:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1cab037e-4713-40ac-b559-447e110823cb,"4/16/2021, 9:19:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5588 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9c6563e8-5acb-4313-a081-80ab8863fb0d,"4/16/2021, 9:19:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1eb5764f-c14b-4936-b20b-d1ba60266381,"4/16/2021, 9:19:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4896 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a21328a0-8447-4345-a8a2-f57bc55d6199,"4/16/2021, 9:19:52.730 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5276 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37bb856f-d3e0-4556-a3b8-a48211b8923e,"4/16/2021, 9:19:52.730 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,857254de-8727-4e98-ae44-7d4e2ac68713,"4/16/2021, 9:19:52.730 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b01ea0d0-75f3-457a-8e90-9b0d3d3c6031,"4/16/2021, 9:19:52.730 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc383736-2832-436a-a0c0-48355a2fd3e6,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c242d2-1372-416f-8de8-e86f33ad9c6f,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a96857d0-0668-4706-a433-07d3078635be,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f3e5d7d-a73c-47e6-8dcb-2ed77b33758e,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca441905-b307-4f71-8d7d-53ae24a21f48,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\contabilidad,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abc00704-054a-41ee-bbdf-ca142d3b29a2,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee4de243-c602-4b94-a564-d6c2959f6dc8,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19c2b6f1-117d-42d2-a197-bf023a7ae7d0,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add7b405-119d-4b3a-adfe-cd082738d377,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceb411f7-eb98-4be8-b087-fa34391188c5,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\PC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16af80c6-10c4-4a63-9fcc-0cd8e7b3c44d,"4/16/2021, 
9:19:57.139 AM",,,,,NTLM,, +\user03,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf4d53d7-c409-4865-8e3c-18db83e05808,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eb566aa-06ec-43df-b9ef-40d51bbe06a1,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,055c9f8a-a5df-4ff0-9566-5f9f44fb3e2d,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a85ea6a-58f3-4d3f-ae7c-23bb605acde6,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0069af41-898c-4b5f-b159-ae70d63ca668,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\sal01,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38236537-456c-40d3-bdbb-96b4ad3bb9a4,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee12df3e-c660-4018-860c-28ee0a546c49,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07756df4-134c-4007-87a5-23c56b9dea4a,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a01e5d9b-1734-4e02-a4f2-f19a42008d3f,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,600a47b7-70b7-40a3-b2fe-50d7b3189647,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3c71851-fc58-412d-92ce-1ba09a27f2e6,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7bf24fe-08bc-456e-ae6d-5ce2c08c2b34,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2beb3fd-8877-4af2-a76c-89b64d818ca4,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\admin,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4a2028b-9341-4847-8d04-f5289e7540a7,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - 
A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e0719312-2ab0-4729-9543-d6583a622a4c,"4/16/2021, 9:19:57.047 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,fff2a4a6-6014-4606-b27e-b5b7232a7fb6,"4/16/2021, 9:19:57.047 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac794c6d-7d6c-472f-a5d2-79eef954602b,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11156 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,14037b9e-d227-442d-aa47-e6139236c610,"4/16/2021, 9:20:02.621 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1f0711d-ba00-4f34-b20f-2d23e5d35bfe,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d7a9e4c2-0188-4dad-b419-1e4776cd1b4b,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6836 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8f49c3b7-00a2-4504-9c91-43cc93c59195,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9212 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d25b93f6-b4fb-40db-9066-8e841ec8aff3,"4/16/2021, 9:20:02.621 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f512df1e-14de-45ed-8ef2-57b83d987695,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8692 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1f256feb-4016-4ec6-977b-b4c957ce151c,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,97fe2119-c5e6-49c0-8d1b-f794ae0977b7,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,54877b1e-be8e-4ae7-be1d-aaa485b31790,"4/16/2021, 9:20:02.621 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x41a4c03 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} 
%{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,39a793fe-e7be-4ed4-8c9f-b715e3e90e5d,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,a7cd2254-5446-470b-b50e-68acc146a2e3,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,f235ed1f-cd19-487e-bdd2-4ed4a7349650,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebe65330-774e-43b2-ad7b-7da539dd0a91,"4/16/2021, 9:20:02.621 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5bee6ddd-fa14-4566-8866-ccff6e3fe655,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ANDREA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ce487108-b211-4911-a730-7168e3eb18f1,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cb1d9e0d-b826-4aa9-9b58-79cdeba52ed5,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\SQLSERVICE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d22876e2-69de-4911-872e-72486e55e42e,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, 
+\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,869d91d6-48a0-4408-8822-d599f6da6acf,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c018fe8f-966f-4e66-9668-05af6723c009,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,078b8344-ebe3-46d4-81cd-083b92d23861,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\TEST3,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,55857ef8-fe74-497d-b1d9-061309957e5e,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a8ee048-1f0f-43e7-b745-efe71a58eab6,"4/16/2021, 9:20:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4dec154d-2e54-454b-9850-1a5706a25409,"4/16/2021, 9:20:05.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6568 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + 
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,85e256f1-aef0-44f7-b22e-939e2c60f42f,"4/16/2021, 9:20:05.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1476 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9cacede-0af9-4da7-9da5-88d18a135f90,"4/16/2021, 9:20:05.411 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93aadcbd-0423-4624-bd5c-e233d8cbe09c,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,496843dc-096a-43be-93cb-d00cecfb0ae8,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e7b737d-602f-4608-9484-d74f2940f073,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5dc51e6-fbe7-4817-8cfe-5afed8332ab8,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b41f29-03fd-4966-b710-856319d866a4,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec213e0a-9ea4-4b73-8cde-5347e6ad3182,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,182bb7c8-4c26-48ca-a8e8-df13aa5f0e46,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b885548-2e5f-4601-be9b-29186174c1de,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,454ab236-dffe-4a18-ba33-788f18ab87a4,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\admin1040,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9da5ce2-f452-45a9-b7e3-69047b5baafb,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f915bba9-e294-4f79-8217-91a1ff830b18,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\training,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86099665-80e9-4239-a71a-0e5140de288f,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7500532e-0081-4353-8979-39da20fefb3a,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd2a7442-2339-48b0-a894-f012824b6c96,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d458c45-7709-4766-bb58-f8d2dc34989b,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2efc75d4-23e4-435e-b7d1-d803a63a5f85,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fc871c3-f6af-4391-ae50-c43eeca9a112,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7882b6d5-35af-45fd-b097-b4f13d3ae49f,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\sistema,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6a62fc0-ab83-4411-8c4a-d293b103a9c4,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6863531-edeb-4761-a5a9-5e06a22ed24f,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5083e969-3933-4b58-bb2a-c85164ec39be,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c6cddc8-52ff-41fa-ab06-268ffda93c5e,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,866aa48f-f468-4a35-ad0a-77e556f27ec9,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,710123f6-45af-4487-90d2-dcefb7dcfb95,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90cd7992-6e4d-4e85-b4f9-a26cbb60d303,"4/16/2021, 9:20:05.752 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,000e406c-83fb-468e-be47-2c709e744008,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5568f1c6-0ab8-41ae-9d7d-5bf36d2bc757,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff5e5302-ab2b-4597-b70f-e5c9a1cb9a03,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8bf8350-ce92-4511-b78f-7bf50e7ce50f,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99b1f757-1a97-482d-ba94-02a5f787699a,"4/16/2021, 9:20:05.752 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fbeeebc-5732-40e9-a404-4b1b160455fc,"4/16/2021, 9:20:05.752 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca773371-e717-46e0-938d-67969dd27a5d,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,329df517-f355-4677-b9a8-226d2ca130fb,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8027d348-98b9-4c61-ac06-5d0a5a45c811,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c05c3d40-5f6d-43f8-9136-6f41e1b9ff49,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cff0de9-8e36-45ed-a42c-28abdc71b4e2,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1496da77-fadd-4096-9246-686ab0fc0ce9,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abdb3393-1d96-4e2b-90a7-0fdb392372a0,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\INSTALL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abd6ee2a-b077-4fc2-9fbf-c8ccbe98480e,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e18fc951-1583-44b5-897a-4ffc94671f03,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3241aed-d393-4b05-8d2b-75d0e0089192,"4/16/2021, 9:20:05.752 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,751da7f4-497d-441e-9d8c-3cef2107adce,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c6bfdf8-45f9-4dcc-9432-e5e2bf118686,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7e73d0c-7810-44ed-b89c-76d2fc83c0e5,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dad1537-fd63-44f3-80bc-696ebd7ea15c,"4/16/2021, 9:20:05.752 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb642ff4-3dbd-4483-a5e9-86b0109fb80d,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7e183ee3-14aa-4960-bf3e-a4c98ec6fa6c,"4/16/2021, 9:20:08.241 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,59dbe509-0181-4cc4-a3e5-91f9054ebb1e,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2dd4fda5-7495-4db3-861d-4e3c2800e485,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0a6c1ae3-7abf-4618-90e3-94790d42f42b,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c4a0849b-914a-4e92-ad51-82548982f139,"4/16/2021, 9:20:08.241 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8245ea06-1392-42fe-a2f8-2fdbfced5970,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7d2255fc-45fb-4a5e-b9a8-a474f1614e0d,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,021ae612-8203-4e4b-8e90-e748bc5b333c,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53d4d842-8b2c-4bb8-9983-22d0c9f5bde0,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23d38111-cbf3-4f4b-b351-1d69027d40be,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,32040f7c-207b-4883-995c-4b835ea9c284,"4/16/2021, 9:20:08.241 AM",,,,,,, +\ftpuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b039861-7493-4a42-a2db-49dff4c3378b,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,131573ea-90a0-49c2-92e8-0696d50792a6,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70014429-f937-4544-bb6f-73ad778c7945,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b82c37dd-207e-419e-b2a5-4d292c7b4a48,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f66e92a-bffe-4817-9674-ad6b9ba526ec,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, 
+\vpn2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1ec3714-3acc-49f5-98e7-7045fba964e1,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99d015fb-25ca-4fb4-ab10-83524ebdfeed,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1067901c-d19a-4e89-a42f-a1f40d5e9acd,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d02edb2-c224-4cae-8e35-4465d1b05dc4,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be885451-d733-4ddb-9fde-5d4d21c49af8,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847af373-acd2-4ad1-91b6-0bfa87d7591e,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c45b010-010e-4f82-9da5-5e73f95b4e5e,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d92e9c3-af1e-4cec-8bb2-20c0a3e2ac63,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc56cdd7-ff26-4009-81ab-49209d0084de,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df04e0d-4fb0-406b-a67e-2c9f8bf601e9,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd248dab-e33a-4cf6-8fb3-a3479db85902,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a08f811a-e1c2-4a5a-821e-88ffabec1be1,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\infuse,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,488a377d-d4d6-4f4d-b318-dd9508e2d896,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4418075c-801b-40b4-b3be-738a9372af48,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f44925d3-bf4b-4655-8ae8-6f0ef02c524a,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea738881-33f2-48d6-b4b8-dbaf5f0903a0,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9de9c1a-5fca-4f99-bb03-2cc3876bb92f,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d2701c-9a56-498b-a886-904f5adecf2a,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6c5c8c0-ae34-4549-9fed-e73945581d99,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ALDEBRA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb1cc82c-df3c-4c8d-bc4b-b5878a2c1dc2,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,192cfc6c-49bd-42fa-8c30-3bd7df2ebaa9,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9295b12b-6f94-4795-822b-254ca3455725,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8636c3ed-338e-441f-8c35-1a2da773f9bd,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6af2057e-386f-4176-af25-4a40ff7b5d49,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, 
+\agus,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc19c212-714c-432c-ac94-f972ea22978a,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e09c255-32ef-4f56-ab2d-42cecc6d045f,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,093a978a-5b66-4402-bd79-88ab0bf00753,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cacdce47-3319-4813-8d74-a61d2e961ccc,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ffb2b0-b23c-431b-984d-f6728e3f658d,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\sngpc,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9db6113b-297e-4e03-8ced-7a076fd50469,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,050a2459-5758-461e-9c07-c98f70999888,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda0d0c6-af3d-4ad9-8e28-7a37f60ff6a3,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, 
+\CRESSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d03b206-524d-4828-be1b-735811ecdb65,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1953eac3-361b-4595-a765-ea097bf714de,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d85e2504-09f8-4386-9570-f20b017b2026,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b92110-e40e-44f6-b22c-267f3bf61eca,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ricoh,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2ce7155-0dfd-4c59-ac2d-ee6128154892,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d6fbbab-ec1a-4fa3-9c99-cd2f17f120a1,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd0c7ecb-38f1-4149-88a1-85a92757182d,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c68aa616-1734-44f7-ac08-7786381587de,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7213a55-b35b-48c0-b9c9-e38d7e64b2c9,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63620e32-b815-4a34-aef7-2d808ba07f89,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\RUSSELL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c1a4957-4e61-4c5a-ac97-7d60d96e77f5,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\compta,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,116c6ddf-726f-4b2b-812f-59ff0a78bd72,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,189ff81a-9728-4d60-8ad2-852f612e7ca3,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cfdeafc-ff3a-4359-af51-42c2c195b97a,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5b9585-6c69-46f6-9128-50293ab5a4b1,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12f63ede-9e4d-4539-a490-9e1a279e4cec,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eec7f2e-70df-45f0-8a5a-5f586046925f,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57a71c0f-cfd2-4212-8921-5f2477edbeb0,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129ba1fb-2e01-435b-b3f6-7c75abb1b4c5,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84fdc9a8-e760-49b1-8087-7406933ee2c9,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb07418f-945b-470c-8be3-464eb03ef58b,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,525ac56c-9e03-4e17-9041-d2987f873c65,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4e76129-4b3b-4935-9082-5f16f27801eb,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ben,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df8444ab-f5de-4a50-8b3e-a9c13e51aa0e,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e5367f6-4d51-4d8f-91c3-b1f11cf668e4,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f016d8e-7138-4fb4-bcde-78af3f566ee5,"4/16/2021, 9:20:21.135 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d1a3bb-6d8f-4435-a062-bbc5e78adac7,"4/16/2021, 9:20:21.135 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9188 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,82a7bd2c-19c4-444d-ad8e-a4a1710e596b,"4/16/2021, 9:20:21.135 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d530a585-1f40-4b3c-8f10-1c3e8ec53d63,"4/16/2021, 9:20:21.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5fdd20d-f3f3-4b94-a269-37bdd79b560f,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f5eef00-d2aa-4b91-a355-84d8181f06f0,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0918f912-1ec2-4123-aeec-9d10123036cb,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fb233c7-ca00-4dc9-95f6-d173556629a6,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\bbg2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1009437-2954-4e05-9327-b4fec3a3302f,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a991cdf4-4b04-45a5-9959-950454452f81,"4/16/2021, 9:20:31.873 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,219680f7-fa7f-41b0-a651-086402f0371e,"4/16/2021, 9:20:31.873 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 
S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x241a9dd2 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f73f2fba-cafe-448a-9e10-dea717d39ecf,"4/16/2021, 9:20:31.873 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5105bda1-12d2-4bee-a7e1-09c41d72ab37,"4/16/2021, 9:20:31.873 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c626dceb-5b47-4e3d-bc27-edf7d01152a7,"4/16/2021, 9:20:31.873 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,737ab988-3e84-4513-b109-9db570cfd3aa,"4/16/2021, 9:20:31.873 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a1695ff-7d40-463f-8bad-8b428869dd7f,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28382dfc-8356-4784-8e42-4d0565640ac5,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d545234-0c23-4fe9-aef0-9e7157f8692c,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33832484-89e2-4fa8-89cc-555b0e8534b5,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\sales,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c16f811b-58f2-4ecd-a10b-3c018366ccb2,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5e29e52-5f52-4784-92ec-09ba083d5123,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d7dad3-cc7d-4f17-ba34-6015e66a2eab,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ffd1775-ff01-4dc1-9595-f45361a8cb85,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1985e8ab-3495-48f3-806f-d3be193a5138,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc127a58-c92a-454e-8bdd-3bd7b81d0a05,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0a29bf1-b3dd-4030-867d-4b99d7c0d7a4,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2074e66-5e5a-4c9c-8270-8437432fb7d3,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a4d131c-0526-43e2-8c9d-27acc631905d,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c036095-2e4d-47b1-ad2f-ce18e41cc4ac,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,780976f0-74ea-42f4-97f4-104eff595eec,"4/16/2021, 9:20:34.132 AM",,,,,,, +\tempuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ede0d4c-a071-4340-a633-93ca355051d6,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62471a6-0530-404a-ba7e-c578249fe402,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,152f4fd4-7606-4c7f-b6e9-f4c129e42eff,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,502dd5cf-76a8-45b1-ba14-19e02d35952c,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,443e73b8-113e-4e23-bc6c-cdbf01497b60,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66a484c9-aab2-49f1-a07e-8c253affceeb,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e7cc6c-847d-4d7b-8de4-13aaed7615d2,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caf17351-007b-440d-b8ad-389cad6603b0,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba83a76-578d-4dae-a2be-b66ece1322ff,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6d3c020-e523-4061-8e17-32204be9980e,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\TESTER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,60d64338-1d9d-4fe0-9de6-859e680ffca3,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1778dab6-ff75-436e-9e17-163c94dcabe6,"4/16/2021, 9:20:37.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0d8ccf83-06c6-4210-b157-951090608e3a,"4/16/2021, 9:20:37.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8168 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3d16148-8ca7-4a83-b68a-ddec9c0b7487,"4/16/2021, 9:20:37.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 744 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5b9ff30d-d1f7-44d8-a693-1fe192f23ca6,"4/16/2021, 9:20:37.413 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9515ebef-ebac-4c7f-9508-2a6bced2e8e2,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, 
+\CONFERENCE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48247b38-ea5d-47d6-8da2-43920524732d,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58a19f1f-8f50-412b-80ae-f7f136522647,"4/16/2021, 9:20:37.413 AM",,,,,,, +\PC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,956089d1-4669-4c2e-a349-36fbe71e1b5b,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\ALEX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f9be79f0-e1de-4873-9e49-b5e06b6d8008,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d561f24d-1719-49e5-9b76-f236e3e7b386,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01a8a6b4-550d-440d-b199-8bab08fa6750,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\LAB,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8e087aa6-5332-4c66-bbf8-85d9873a21c7,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7876 + 39 + 
%WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,967b6159-cc95-4c15-98c7-5ff3a36a2f2d,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14848 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1812_NONE_56B727F399423259\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1812_none_56b727f399423259\TiWorker.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8b3e84f5-16c5-45ce-9be9-0d5984b2969f,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8988 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat 
Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c2adeb79-f48f-4a7b-8896-bf6027f81609,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15324 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,54dc33a5-8b77-437c-b89d-19e3188acd7c,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7436 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,05f8f1ec-79d3-455d-bc8e-b6641aaf7cb3,"4/16/2021, 9:20:36.009 AM",,,,,,, +\HR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8851f96-8616-428a-9135-028b0712cfd6,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,995d988f-ce69-4a5d-b679-9918f08866c3,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1b555ac-4abc-48fc-ab9e-33a998e1c74d,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bdce845-7c24-4ad7-8708-b8cdd1f31368,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c3dba18-7135-45d2-a3d0-b3bf29f8ff19,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd6ab534-03d9-4e98-872d-070ddd5caa3f,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,710affb1-9f46-4287-9307-259310bc9c62,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,835c168d-9c5f-4567-923e-d97b8430dbb3,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74b8020d-4900-4925-8aba-55672dd54c8b,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94ba0b11-f4f4-40f4-b307-e8657fa575d6,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe5ae92d-fbb8-45a6-bc76-3f5cc81d14ba,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23857b93-32cb-4f48-bfe1-f8d3a885db21,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\WAREHOUSE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd339173-00a6-4df1-bd83-3455f83000bf,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6902c6ec-02bb-4adf-aa8b-3f17b1d0e21c,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fc59a3b-c87b-4f69-83fc-0c5a65692415,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a6cc0bb-91e6-4e94-85a3-43af3b127c88,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,408550d5-1db8-4ffb-aca6-8bf630a53084,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e0a1836-de1c-462d-b709-260d32a48f90,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a95ae133-a595-47b2-8565-edc4d9ed95b0,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b569feb2-90ad-4c65-9509-ffdea7b61411,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b1542a0-62ff-40c0-9033-708fe859618e,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dedb3ce7-3918-4c14-83b3-e93af2637b92,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,38f76748-dd0a-4872-bd24-9e54dd84c3f8,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ef75e1eb-2e1c-4120-b228-525d7bcfc76a,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,91ac615e-b4b1-4662-8d83-cd360500753c,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5dd0ae06-2934-444c-b099-4d0812ac3815,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,724c38d0-9371-4ad1-9b89-dde01d4e1f4d,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c454678e-a979-4c9d-a101-910883f27e5d,"4/16/2021, 9:20:43.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,83b94344-17c1-412c-8e9b-6659a56b3184,"4/16/2021, 9:20:43.062 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,0c7d8ae9-86dd-4afe-a53d-5683cd490a9b,"4/16/2021, 9:20:43.062 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a3d004f-5939-4298-8cf0-9467cd2bc069,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\user_dist_checkout,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a5e8a57-cde9-49e4-b369-0f462ab8f2f9,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04333491-6a7d-4091-b0a1-f3323a2b52be,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2656a2e-ddb6-4363-a1f7-1ffbfab223ee,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d602bed-6b8c-4584-b6ed-9a8fbfb670f3,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a36ab900-56be-4fe7-af0a-298abdd476c3,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\surfeur tranquille,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab8b98d7-0551-484b-b173-adabd4c31ea3,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95927148-c876-41de-8dd6-37c77fa7e1f5,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63910b4f-48cf-483a-afe5-c265f59c0f40,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d68f8d9-d44c-42d8-ab7f-34e0c5fa5b55,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6621a23-3f69-4b4d-b6ac-12c7a3391c9b,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\mapple,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa105b68-739e-453d-a016-d9e4692f8879,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a80b420c-82f2-465b-90ec-a4932e03bcc6,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cdae376-46c9-4006-9da7-96934edfe730,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04cdcf72-095b-467f-8f8d-35cf1857f688,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9281983c-0268-4a15-8ee5-3374406d56d8,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bc79174-4ce7-42b0-8c7a-a991c93fccf7,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7eaf3db-aaa1-4301-a7f0-841f50a65451,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\libreria,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f54e660c-bf29-48e5-a9fa-ca1a4d50152a,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e36f84e-ab48-49df-965b-297331a5402e,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc8c18d5-3ac6-4973-acbe-c461c95cadc1,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5201eb4-9959-43f4-b5a7-bd66b8e0026a,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a59a0ac8-4259-4e21-9252-c4d7a6fcf8f6,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1b37e1b4-6d09-408a-af5b-6e120aa3a585,"4/16/2021, 9:20:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6336 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e94050c2-8c3a-41bd-b445-19fe3ca7583d,"4/16/2021, 9:20:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,00fdc717-9985-448b-b065-6acc222965bc,"4/16/2021, 9:20:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a397d072-5b01-4e74-8335-4e3c6481e164,"4/16/2021, 9:20:52.730 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8d0a8839-a78c-40e2-b3fd-2df8498ce519,"4/16/2021, 9:20:52.730 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94928e65-48db-4e24-9ac6-f43b5a8aa223,"4/16/2021, 9:20:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6924 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9ae688e6-1dbf-4734-ade0-226785abaca4,"4/16/2021, 9:20:49.401 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7972 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,46c81206-ce4a-441b-817e-ebe86f00dafb,"4/16/2021, 9:20:49.401 
AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 328 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,23e05daf-778a-473d-ba17-ce3fa986df35,"4/16/2021, 9:20:49.401 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,33e51ffd-acc0-4049-8fb0-bb030d0ad142,"4/16/2021, 9:20:49.401 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df1323c-b78b-4f95-99cf-7fcadf0adaba,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35dc3d2d-5eda-40e9-a71f-4cfda54aadb9,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16e69587-ea05-4753-85fc-410121d5e51f,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\scanner,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac909b17-00cc-48e4-b2db-e9ac08c6e438,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d3c7bb9-9cf8-48f5-8f0f-efe50e4266cb,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b356eb80-81b7-4fcc-a983-496591193775,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb95067f-1a17-46cc-9c6d-98faaa927f5b,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6b00165-8b17-453f-ad61-aeb0dbdd60ae,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,942e6f43-0c92-4962-a20b-124ad4962319,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04e44d69-1181-4ac1-8ad7-1ae6b73bc66e,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de8dc323-60a7-4e95-927e-04f525303d56,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ftp_user02,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4fda17c-e279-48fc-b095-63731c49cade,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92aef134-7b0a-4ed0-900b-ef9025a8673a,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42fa2add-b350-4dbe-94a7-c08522aab990,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d02ec0-ef8e-4d47-9e01-9f1ddb014d60,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b913d099-8c80-4007-9bda-35abc6dfd7dc,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82288173-bb1a-4993-8775-adb3e8bf64db,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af51d3a0-9502-42a3-98dd-5ebe66f20b94,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75287b60-9575-4768-8825-69eec553f4c1,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\017,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec71e65-c29d-43f9-b360-f4fd01b9338d,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,722b7295-b6f0-4e01-ae0c-9496fce33795,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c1bc47-79d9-4257-814f-a2c276856d78,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90b1b9a6-7f69-4744-bee3-014693f06869,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f164056a-ebe1-476d-930f-35fb06ad55b2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f2f091e-564f-4510-9ec9-f4572daa5c60,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac10cf77-7f81-4c05-bddc-de2f0ef5d1b2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d92c237f-8e3d-47c0-ad20-b6144942900d,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa224fa3-fb8f-4a73-92ed-6dd1f02d86b7,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\titech,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62da589a-1023-4a50-b129-56ce0fd96960,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d69506-f07c-42bf-9330-277734952768,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4933ed83-81e2-4019-a84d-e102edbeb933,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c176732e-9c41-4340-9645-c6b69b351c77,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a493c44-e711-4e7e-82e9-5bfb9f39c5eb,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c1721a1-6209-45df-8580-f2d74960b064,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, 
+\GUEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55d702f6-5c72-4588-a54d-e50efaf22278,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\pos2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bc3a1da-f230-4dd1-95d2-cabd132a5c08,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c7d861-46d3-4ef5-a05b-5e97e8d99b27,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,010d136f-a5f4-4506-a4b8-4c8b5898f245,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c384da2-d53b-4b4a-bee6-3e6e7478ad4d,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9f277e0-7c59-4c98-93c1-c78cd504367d,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b2d02b2-0173-4654-a18c-a06d06ae28cf,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ftp,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23e94e46-2daa-4375-b32d-3fde1c0672c4,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4cf106-a071-4001-baea-817beaac93f2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061d1066-5fd3-4c7b-9cb9-d65bb2844ab6,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba29f935-9bdb-4ea0-8767-c42e2c0f2e43,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26eca5eb-09ff-4154-9f99-b6c7a27dd672,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69bae950-22c5-4b4c-9d39-10b7b4513452,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b8f7e5-bb7a-4f2b-99d9-da2af74698c2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea45ce33-e6fb-480e-8ed2-0a82553bc3d6,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7604a436-2cad-4285-8a5f-5d55e8ffd25f,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a2e606-ae30-484f-9261-a762e8f62277,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3efed7cd-6810-43f1-b91c-b89e832cec87,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e62686ba-b59c-4d26-a412-1b0259edf83a,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cbf980f-6dc9-497a-8c43-ec10648ff9a4,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68aa083f-aa56-450b-b64f-a3a53454c1c7,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eac2ba8a-cf3c-483d-82b4-ea5399f66b30,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1838af9-95fa-45e3-ac74-d0d52a78cb22,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcc9399c-cf8c-430b-9190-58eba56676b4,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70ccece0-7000-4f91-a74f-c984b790b892,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,666563e1-c5e9-43eb-97dc-3becc84286e8,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae8e08d8-39ae-4501-9f24-06aacd3495d6,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef980b41-04b4-4ec8-8e65-e81ca1e6b1fc,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93024d87-fd93-4e97-abca-f7fcc083da14,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b5f99a8-4397-47cf-9ee4-4132097843c6,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2797d2f9-043a-4842-a527-e7c8d764c7cb,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da213165-5403-4a34-a104-77af181e751a,"4/16/2021, 9:21:05.722 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3871880d-aeed-4c47-8221-924f4b67ab57,"4/16/2021, 
9:21:05.722 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d551d141-c36b-4835-a8a7-e9a06e340443,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea6c7cc9-0723-478f-ba05-2015879bff97,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67f916e6-563e-4299-80bf-16078557a3a4,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbe57778-16b2-45e1-9942-69f3861cdeba,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb32849e-6252-4b9f-a021-2b636ec82322,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb332af-f069-4ce2-b15a-45faabe13efa,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a4ce7d4-6c06-449c-b2b8-38df39b44fc6,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,727ad94f-9f60-4bae-b163-e58ca7864d47,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, 
+\magda,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3130b976-3bba-46fd-a7ea-678d6f4b0fd1,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c99a71d-b042-4c77-a0bd-2404c323c10f,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5209ec00-53ca-479b-a246-873fee02e943,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b01b44a6-b8ff-436b-91ac-fc253b81f88c,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\training,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b61aaf-b3cd-4cbe-b064-04b99b8a1b06,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bb2d2fa-9266-420b-9be5-2fb42f824b2a,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc4cd009-9a11-47a4-8cae-d8492cc6e5a2,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c61563f4-4f7e-46d0-9904-bae3012d2336,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5080aa34-c325-4576-a5c0-e6fbd41872dc,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2be95df-df8c-4da6-93cc-0297afebf9b4,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c013af1-68b9-456b-be7e-c991b6b8c2f8,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46bef2db-588f-4ee4-9505-6511f3222f8c,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\info,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2d499d5-4765-4f27-92aa-660cd037c318,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ee693d6-ec82-4498-b1b4-a0786d26d536,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9009b6e-d038-47ab-b8c8-a19f9856b7b4,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,916c5fd4-4417-4168-98f2-87596e33b7e5,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ae1936-0912-4818-a974-88debe60ca57,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\test,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48b29969-8498-49a9-a308-1f9b816aca41,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64171b5f-a60f-48ad-836d-06f02c1e6ca3,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30f30c4f-80c6-48b4-87e1-c3bc3f486c57,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8f6e94-12df-4f06-bb18-abb478f1c631,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6eed97f-225d-4cd6-8960-9208091efdd3,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a11cf77-a680-440d-b2cd-ee89b6f1034a,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +\interno,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d673d1-5ed8-4cc5-b38a-8fc13b102663,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8832e321-53a3-4136-8b6b-209a400432ef,"4/16/2021, 
9:21:09.892 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8aff2039-c816-4b64-a8ea-d6b18b436bae,"4/16/2021, 9:21:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6728 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ee97c60b-be9a-4ad3-923d-842aeaec1fb2,"4/16/2021, 9:21:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5476 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a4e4a24c-cce2-4114-8914-99a543986db4,"4/16/2021, 9:21:09.892 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,22f93a77-bfd8-4b42-b1c9-a0dc69c2f9e9,"4/16/2021, 
9:21:09.892 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14629c22-3f4c-4b16-aa85-43ecae16a8c8,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76f70f4f-15f5-4bb8-8ab3-035315c986a8,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,977d1828-8859-4308-b1e3-331bfd912f3b,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21c3bfc9-52bb-424c-863f-6fb7f4788651,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14124cf2-0173-415f-8393-b04037d1a57f,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d19c0e0-4f44-4924-b276-c5262f8de5a6,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4094f2a-fe21-4daa-a7d9-833425da1357,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\compta,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3625ec44-e047-42ca-9ee7-9d776af18a7d,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a5b4f8d-b96d-41b7-854a-f9e8f3ad2782,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,720e027a-9641-4d8f-94dc-0becfd517ee7,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7816b122-617a-4bfe-a74e-9caea99e20ac,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdc8f389-675f-4b2f-bb1d-6c10dd24a418,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b833e8-209c-44e8-a239-68dc7d660c26,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a0f07a5-82d6-42a1-a02c-27c33695e0bd,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\RMEDINA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d60ba2e-97ed-47ce-8e16-91c94bf35453,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919a937f-5d3c-4e26-8360-d591fa8cf75e,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d93780-9c37-4295-a74b-1cafffdce09c,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\RMEDINA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7800512-a4cf-49b6-ba75-9a2326bf9018,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e5f58f8-7fae-42c6-8b3a-fe37ce1e29ee,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,217c026b-c576-499e-a048-f5661d753e9f,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f516b4b5-8590-4c3c-88b4-5d40442fd8c0,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be467c31-56f7-4318-9282-bd810d5e7b78,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da59950a-ede6-43a8-8746-d39fb22e08a1,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf648840-3220-4a05-8c33-4991d1ba6700,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc33013f-412a-499a-aba2-880cb15b99a7,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +NT AUTHORITY\NETWORK SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 5360 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 4791D7CD9D154D3F2C59B47259D2689FA47FBFB1E9FF7A41A5F03B3B66EC67D3 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1757 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8ba6244a-b368-4293-a500-4f35ab3d028e,"4/16/2021, 9:21:15.004 AM",,,,,,, +\TESTUSER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bebdfdd-a2a5-44d7-b752-7529aa7e90b0,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2c8bce0b-3952-4ee0-9b01-adc2f7027d59,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\CONTABILIDAD,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d5d1ca59-f991-4b80-90ee-8a6cf49ba2dc,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\SHYANNE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4bfa2b65-a986-4735-ae3f-710677069f9a,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a7463114-677f-42cb-a33b-60d277c847a5,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a261e66-d4af-4d32-8296-cbccc8c7b606,"4/16/2021, 9:21:15.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,643f009b-4b5b-4aa4-8534-17417269d280,"4/16/2021, 9:21:15.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1efc7b6-0fed-4830-b1a8-0d4933e83d5e,"4/16/2021, 9:21:15.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,104cd826-a502-4060-9fef-cfe13ef4d399,"4/16/2021, 
9:21:15.412 AM",,,,,,, +\AUDITOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,abf41d56-b461-4768-a98c-cc84d1362f27,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\ADMIN2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,034fde91-d973-4932-8e87-fd7ac13bb936,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9992e77-8d2a-4491-800e-cd4b87462cc2,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63a638b8-b5d9-4864-a40a-4dea5c9acdbc,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d503338f-a395-4718-9296-f3923e029fed,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd862732-e4f8-4a10-a819-b4877afb4e5e,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e4249ce-a044-4fe8-94b9-0d92b7043ca5,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed5d3a33-5c87-44af-bd67-7b87f7dc2d44,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb062f18-eaf4-4fb3-9ff7-de99dd1dd0e7,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9276a015-657a-4b64-a5cb-58b5df0559df,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39507f01-f278-4c77-9497-2d624a5b0ce8,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95750416-13df-4292-8af8-d346a0d2aa16,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6d60635-997b-48b7-8590-1177c85e8b9a,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eda4ef11-eefb-4f15-bb3d-f98ef4433e5f,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65eabad5-a221-403e-8bca-84bd622dfd18,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b46bdf8f-7183-4d85-8436-1527e52d24f5,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d747dc11-736c-4f73-ad90-0fc704d1aac1,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cc187de-32a3-4249-a24e-4ff3e432d804,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,771001d9-6257-4f0d-ae48-0394cdcc1dca,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b417d145-5639-4dca-952f-09da0c7ab249,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d000f612-5465-4d89-9035-4f8ff733a01c,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36299dff-16c9-4eb0-a3d3-e708f2016ef0,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0cfd663-6aaa-4369-9ac3-faf518497131,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,99eda277-72b8-4d9c-8404-99d0e33bdd3a,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7b43fa14-ea78-4012-bf85-52b3015c9fd6,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,fc773232-b4f8-4c34-b0b6-5741661697e4,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a43618bc-f310-475e-b2ff-b9f1f5575d36,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,85b77aa7-5966-42d0-9918-21cf2e0ad44a,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ad0f86bd-d326-44ee-83c4-d58f57cf1a56,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fe154437-7a5d-40ab-b252-ef2c3ec89282,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4be83a54-1398-4a73-b82f-62f1f30b19c2,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f685535-197b-4760-8a08-6aebccc271ac,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4fb455a-02d5-49d9-a14e-3206a2078bca,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ea22b970-2856-441c-8384-68976485ea6f,"4/16/2021, 9:21:16.064 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3876e7f2-8be1-47b3-92f8-e4150b8c661a,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e89a14d-0495-4f7e-9bb5-8cc2db63f139,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77b66e4e-7015-4861-87c6-3a9bb614150c,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,628d3f3b-df97-4c0f-a2e1-f8218580d06b,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12e9accd-f4b4-485f-ac5e-8f1eeb33cf29,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,195d5b13-dc7c-4d72-9297-20027a0c30b6,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa247f39-3a51-4728-8f98-241d8c9d846b,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76122274-62bd-484c-a66a-5f8d637f7648,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5624a83-ffa7-46b8-b6fc-2559979da377,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8deb09f-1fa5-4835-b7b0-6acff61508dd,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e92cac-000b-4170-a98b-8c7019331290,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa674e3a-c233-4ab9-b02e-fe3e950ba1fc,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b58c2dd-527b-41ec-9d83-658d55e6b94e,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a3e48ab-13a9-4d68-82f8-631af7164c1f,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,861bba14-17e4-4869-b64c-efd614f1dd0e,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd861ce9-889d-49d4-82de-b6d32a228a04,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c47f53e0-f33f-4c5d-b35b-c2c0b6e5ec54,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1df79d1-c378-418e-8147-9f5e6b90aafe,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6822e90-faf5-4c1c-97ad-a27315124801,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a14d8558-c893-490c-9a2c-add615028e47,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,826e0287-8402-4da9-958e-844f4a3c06ba,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f619b53-0d1c-42d7-9125-8058c7584821,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e445e79f-a66e-4484-8b12-82c039175be7,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,260d0769-26a4-4673-b53e-f3d418eeb04f,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7d5b14b-867b-4674-be47-2cd375123608,"4/16/2021, 9:21:24.137 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a975299c-8b40-4540-bb18-6998a041754a,"4/16/2021, 9:21:24.137 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13fca1f4-b77a-4c40-9cf0-8ee8de3dc930,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd3d4f10-76c0-46a0-88c5-d4ce7c379b19,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8248 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,885e9255-077c-424a-a3bb-4fe01229518f,"4/16/2021, 9:21:24.137 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bc373ae-fc32-4096-acd7-0d4bb43cd2cd,"4/16/2021, 9:21:24.137 AM",,,,,,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41538b8-7961-42a1-aaaf-fa19e264cf3b,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc6a8337-f232-4958-9847-8cd4e9e98876,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a6542d5-affc-452f-be63-0b1521e122b0,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c0b363d-264a-4b04-ab18-eede2328a17d,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f513a325-bdc1-4be1-ab8e-b649a9288bf5,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e750861-adac-475d-a7bc-b1ec6a0c6eb4,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df1e698d-6b1d-4634-848d-85a009c23a02,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d10b4a48-0c37-4d32-8aba-ad1fdfd7ce73,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b5c6d2a-72fc-4463-98d8-66f24b745e28,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a676bb7a-ac04-4106-8b85-ffffc34da9e0,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66958fb8-00c4-47aa-befe-dba4113ac28d,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4394605-b0f3-4bc4-a36b-03e4b970cbb4,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55b862a8-88e0-426e-adad-810a83375542,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f53a673-9669-49b4-9213-c53a9264980a,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95027de3-4709-4012-b095-8f19b44e71fc,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc145e5a-fe5f-4a46-8a6a-951b847365f7,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,377b1b01-2526-44a8-a66c-566da3d6e89b,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dd95ef4-3791-4a8b-8ec4-4b0df630ece1,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,809056ef-8238-4917-8afe-f1b354caa1a9,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\OPERADOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edd6e1bc-5e7f-42ab-9180-8df2203428f3,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41fb7254-70fe-43a7-beb7-3f8b27428cab,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc7f1ec8-5599-4359-8627-c6c2228e178e,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31b0e05a-d29d-4401-be47-cc03bb67fbaa,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,718dfcfd-eec6-47cf-bad1-ba7ede7f3039,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e41b719-bd89-4132-8609-7c956860978a,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc6222ca-6d2e-44c4-9fcc-1b0383231d3f,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9b42272-acfe-4710-8b3f-2b0c67e05969,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20a8aabe-c1e0-4395-ae16-f8e03f1f3fb0,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4c502cf-2705-498a-8540-b3b6bc84df1f,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76be2298-f6f8-48fd-846e-4a62e9d3816c,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04e9753e-2a69-4517-a390-a3bd8c987c10,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ba1415e-597c-4fc1-bf9a-4bf131abd61a,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e13d33d6-dbe6-4d0c-9d05-c92e31f030f5,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed26f0df-6ac6-4c20-80a5-a7453c17c385,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7870f3df-704c-4ee3-a951-9701d5e21560,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75b0de30-553f-4303-b7dc-863f58d16ce0,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74fd5868-e5f7-4e2b-afc7-ac41cfae3cc1,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,597bba72-772a-4e63-af0e-a6fa3399be77,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fb7dcb6-5929-4ee0-8b9c-e87b5d8c4c6a,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9c61ae0-5811-453e-a102-b1998d792b0e,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2c584afa-9446-4ac9-b059-01838b792a93,"4/16/2021, 9:21:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,906113a8-f8d6-4487-b449-b0975d818674,"4/16/2021, 9:21:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9624 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 
128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d324bde-f4e2-41d0-8e88-0eeec8e749a5,"4/16/2021, 9:21:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,28b6a73b-9a76-41e2-bb90-77d38437abd3,"4/16/2021, 9:21:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c515cb78-e048-4640-97e5-c0357e7411b2,"4/16/2021, 9:21:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3280 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a30d5521-a3db-4b0a-b633-af931c2c2e3a,"4/16/2021, 9:21:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3156 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 
+ 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d2f39261-0394-4391-b176-9c66f113e376,"4/16/2021, 9:21:26.629 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e607f060-efc2-4164-a212-b07ea3b7b597,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1102fe4-87c6-4dfb-aef9-71870b6973ae,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f4feb1a-b8fc-4bd8-b8a4-f8cbc8a3fd09,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c93e4fe-e442-4add-9555-e171fb0262ad,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a0d63c4-54ff-403e-9b77-e1fab721017e,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8c3d1f7-443c-4632-92da-be335be116f0,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f7a9b61-aa40-408b-8527-0f7430458a46,"4/16/2021, 
9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fee5a8a5-63bb-4aa3-85ea-1280420c0049,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535c2de6-67fc-4865-898d-65c90de95f6b,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47244f57-6d7d-4c6a-b229-d2ad4db4cd8a,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd43f6ec-0ef2-4b29-9752-2d746781a1ab,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,028e05f9-4a18-413e-a618-1a5913850cb0,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df64791e-3951-4c78-b65d-d68eae0d4096,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,881a39d3-ae12-4a66-9d0f-15599a034b89,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9bebb15-e5f0-4af2-8594-913fc4e1fc94,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d55e7d4-e2fc-4320-a413-f30c72ec9180,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40e7ab32-e638-49fb-8d92-7be54a807599,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4292272d-0a65-45a2-b0bd-beb1bd2d5cd4,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,0809e298-1ad0-4ed7-96ae-95bed0ca1939,"4/16/2021, 9:21:33.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cb8a0cd-739d-401c-a42b-3fac624a1f23,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c050ba9-a526-4629-b664-94e1f97fa148,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdee8e8e-d1d5-4b69-bd7a-686a7788e6f3,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ca6422-5d0d-4f7a-b982-9ebe2ba3d7e3,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea48a2d-8ed4-4469-91f5-0e72a7d117af,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cc36f21-3258-4c30-953d-77e2170b6b87,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\TEMPADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a217748-729c-4276-a7c0-e08a39423d25,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f73ea00f-8216-4c92-afc0-eb82bf53c6ce,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13d3a1d2-f6ba-4740-822f-fedb0347e52a,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a0fd5e2-4597-48fe-8792-c32c4f84c921,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d7e004f-1784-49e7-a57b-c6dfc63400b7,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0884615b-d477-4342-9597-0a56d6bb303a,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f8afb7b-b47a-4fd3-99c8-1379d11dea80,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14a05b58-6880-4c62-b32e-30f1bd47f1d4,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0df40339-1870-45ba-991a-e9dff3741729,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dc807c8-5628-4a19-b5f6-9f25797a27b2,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e018ec6-5d64-4365-adbc-ef0ca7811fe9,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a54edf26-5d1c-4d35-b6a0-55eb82b8098b,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dd54d43-0f3d-4dc7-8c76-711cd32aacc7,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca530e1c-995f-4f04-bad5-5222298ec0c1,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0836e7dd-6dff-4d86-98cc-9eea3216f3ec,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef1c7d32-b8c3-4804-be9e-879def5acbe8,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c1c390c-1c0d-4801-bed8-e04a84a33c1f,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ad4a36c-8c1a-404e-aba4-6bf0230c3883,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ebdc4be-85c6-4e9e-a7fa-dafbfacb5a10,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e59274b0-175b-4766-9049-199186500f36,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24d3215c-fb46-457b-b83e-72d495f228ab,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8c8fed1-8801-4afd-97f3-571235ef008e,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c18c9304-31d2-4c77-b146-234d7703f493,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,178ad0b9-16b5-4b3e-8b2a-329218b1fd66,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115ec2f1-c4ca-4726-8cbf-6891583e6a4b,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c7b6f23-2329-4c30-9252-6b1f8ddb7c00,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57bba8cd-e036-4459-9e2d-3f7b697a3aa7,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5e8aec1-e885-4839-94cf-5fda6090c0ba,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,465c3908-ccf2-40cd-8b14-a0000c3e0243,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68f07ca5-d3b4-4804-a62d-06938e9ef909,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, 
+\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0960600d-8700-4268-82e8-3a6e0320bbb4,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df3b9a54-e3d3-4c02-888f-92c1117ffabe,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f65ed879-6667-4747-bcad-345c207208e7,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05f5d409-64b1-4141-920c-920372f46537,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d722673-199b-4f1e-9056-ab254822c48c,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df7a810-ca10-4494-b580-81d9e65c84fa,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7c8f1a1-60c0-4137-bf03-e761ece10d3d,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46d90566-1e3f-40a3-83be-cc22f7ab5ac2,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e5fc17-3fda-41c3-af1d-d382e684c87c,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061b43cd-7cdc-4fd7-90c9-31369ce23840,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34e46bd-c2a5-4c4c-851d-cb90e3a89709,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c22e9765-7274-45aa-9898-cf690ae755bd,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a263da80-ce88-481f-af5c-5985b5de7375,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b160b048-16bc-49d3-8700-81b1d0bbd0b8,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,528fa468-3e97-4bdf-918d-13b1baf5a5db,"4/16/2021, 9:21:45.871 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a038367b-b343-4cf5-8144-42617ddadbe2,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6de7330b-55a0-4cf9-a6b5-7dea41a19bcd,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2356 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6389b59f-6ab2-4220-9ed5-219469bc51ab,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6860 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,23fd1b67-61e8-45e8-96ad-2b9fae2e5f5e,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,63d9eaa5-5839-44ce-a068-317e0af44aa9,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,266deefa-8a8a-4355-9bf7-7fb90e0fbc83,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2844 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e194b019-225c-4e76-b2e0-74aff67fb033,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6524 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c96f8656-2cfe-4838-b93c-28f54cbdfb90,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c0284608-47d0-48a8-ba29-ae3b102dffbc,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5528 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,34509f26-5bdf-4c97-945f-c38e85eef831,"4/16/2021, 9:21:46.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dce00246-0936-4cf2-a5ee-6475f214a916,"4/16/2021, 9:21:46.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,18650a45-3152-4dce-b599-c69d68a3008e,"4/16/2021, 9:21:46.729 AM",,,,,,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c6e8753-a8de-46c3-a024-4f049a98922c,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19862e00-edf4-41d1-94f7-aebbaae2f3e5,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, 
+\POSTMASTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099f12a8-3e86-4b5e-b10a-894d3f20044f,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51a96735-ad3c-46d2-922b-689e5448a3ae,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a7e2ebf-42b7-454d-8662-f7715579eacc,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b4ea380-d85e-4cfa-8615-2c09c0eabfe6,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3b5433e-1f96-454e-8cf2-c098532213ee,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdbe6821-68ae-4ad9-a154-229520669c03,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eda74e6f-4d0f-40e9-a5b3-52f8fb2c299d,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2c637b1-0b9f-4b05-8450-507aa4ede5d8,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c95b1af1-00dc-4e25-835a-dc7f0ae590a7,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,438d412e-4f05-4c64-9945-b87c777c2538,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,341eac01-b491-4e82-9bc0-789a101297ad,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35611007-6caa-404a-b3ab-02bacc36befe,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04d3fd2d-c7c4-4d96-a6e0-20ed1119d5b1,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58a7abfc-d4c5-483d-9143-8b436c12a38d,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,181423d7-5097-4059-8b6a-b219a503d729,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed1f0639-85c4-4d7e-a0d2-c6493646ae72,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26bb13ed-9586-48e7-8da7-3702fe4e71a7,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,260fb095-b66c-44a2-a3e3-6e250c7783e0,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce414b2b-160f-45f7-9b1b-6984af4f672f,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99c045bc-8e31-4925-8bda-abe5a493c270,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0e72f92-0462-4a4e-9deb-42d2cdae611c,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62c17a35-bded-484b-b6cf-85c0201db9c6,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3321cfeb-8efd-46fb-a5b8-2c874af01dee,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,713de71a-3d27-4d38-bab2-4dd44cc16cdc,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,226e9af9-2aaf-4737-b094-63c8e0765133,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f1c5c0b-ccb2-4e73-80a8-d77c87d72166,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f4ec71a-cb2c-4410-8fba-64b03e29f504,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9f8727c-2d1b-478d-b5ef-1b8445228d3a,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23fc76c8-3c1c-472c-9808-5d78cd6d5db1,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56f4289d-90f7-471c-8e77-1da1a1c58d8c,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d864551-d56f-4f05-9408-78658dc2656c,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,999f3ada-fc0a-421f-8c85-ab99fae23c39,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1060eda8-6171-4a1b-ba00-431723b46d72,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7925cee4-0965-4765-8c7b-e231dc541ad2,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,313b1910-5921-4603-88d3-31565d347395,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd9dd306-e7b2-4c36-a55a-42b809cb5db7,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e38e575-9d42-4db3-8725-c312c0268c0f,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cc8e944-72a6-46d0-a5a9-e40f671448ee,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ORREN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d41001-fea4-43c9-8509-70472aa27a05,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c379cc56-92b4-4444-ade8-e72ec27f68f1,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02d4df3-4665-400a-b44c-54c2d7fd437a,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c44ba945-a19d-484e-9c64-ec4cbd0723c3,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b6bf781-cedf-4d89-9c4b-3eb8c85a5065,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,271abf83-7391-4eae-80fc-f4d3702b6d1a,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93e70293-f895-4692-80c9-4f36f32e1422,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddf3c06-4427-4f2f-89e7-8bf42f3c988d,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10008 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was 
allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,000a5ffd-1f55-4d61-867f-208de95f7c2c,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c5922eec-ecc5-4830-bba3-e6502514008e,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11956 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0b5b46ab-b736-40e1-b821-33efc3628f1c,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11324 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4154a51f-a2c5-41d8-9709-e3aec2e9d580,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5788 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,636bf2b5-15a3-4920-b8c5-f46ae7367ea4,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5164 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e5801e70-2aa2-4be5-b85b-1ade4c91aa2c,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5792 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c9b37e5c-2e59-4380-9556-da8cdd117243,"4/16/2021, 9:21:49.368 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fc2bab3e-07f8-4214-aff4-4580049affa3,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2cf410ee-1d38-4d3f-9d4c-771d3b2121df,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9584c00a-c910-41d6-b48a-0e9ef24e27a2,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a66db103-0df2-4bde-971f-dde1f425a988,"4/16/2021, 9:21:53.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a8ce6dec-6747-4c95-a51a-ff78884a80c9,"4/16/2021, 9:21:53.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,52643c31-2609-4ca4-ba0e-89a08ff103b4,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5f8710ef-7aca-4673-bcfa-3f228de22948,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80919a94-9fc2-4747-aed8-0411cd587f9a,"4/16/2021, 9:21:53.062 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,dbc09a25-4e02-4cce-baae-3a50fa19d52d,"4/16/2021, 9:21:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,feda3d4c-ea78-4ede-b622-be93df3e8b0e,"4/16/2021, 9:21:57.007 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85a22bd8-adc5-4776-ab27-d77e9e392e76,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,588ebf9a-f4ed-4f66-9847-03c7afa80a8b,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,08c7fc7e-6ed3-4986-8cf3-4c781249f9f1,"4/16/2021, 9:21:55.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa34f912-60be-48d4-8e29-08e79983de3f,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcee8d68-aeef-4c03-aff8-8c403da57d7c,"4/16/2021, 9:21:55.136 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62dd9c36-fc38-4b78-97e3-02263f6c835a,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef24820-6ee3-4451-a37b-ff872aaf1e3f,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2248 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 130734F7BC6F667B8260746B96229494E3C8DCFA059F50EDA667F1C4BC6DC0B6 + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.137.99 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,855ef573-05cd-45e1-93be-a740552fc904,"4/16/2021, 9:21:55.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6460 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a7dfb05-aea2-46de-85f7-78016f9e0f33,"4/16/2021, 9:21:55.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3c4ee0a-47cc-4e49-81df-0e01e4cd0f2c,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ce274c4-49cb-4ac9-9f5b-7dd0bef3b022,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac463a7c-2201-4c3f-9d3d-85bfe5bb148a,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa6626d4-0a72-4c32-a77d-6faa542a50cf,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc1a5ec8-11bd-400a-8e63-630c0131f19f,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da91e213-4e7c-4684-af0f-afe60dc841b8,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e579ca-8854-48df-b456-0ddc0b1c5082,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eff1ab2-473b-4c54-ab2b-85e9f3838108,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdd7b567-e852-4ae5-83ea-6e202b67bcb0,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,861d009a-516a-48e7-a9c9-74d21f1ba3d5,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb40a534-42be-4d1f-bcfb-52f1b52b7d8e,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b45e1518-83cf-47e6-859e-03abf684a9b7,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d29aea96-1129-44cb-b9de-8009b5438570,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24e985cd-5848-4238-989a-0db5040d8896,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39ee43e9-4a80-4672-825a-209b3fa93f60,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d55fdb94-30b5-4d0a-bc22-644ea13d086c,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4734ca-1757-4f02-98e2-c3da00016626,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52906d1d-eab0-4a1f-b9c8-967062100d70,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,276c9474-123e-4400-8f31-eb7c3496d27e,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a091c919-d244-474f-be2f-0e65ec4af9af,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\ERIC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffd32054-689d-4f6f-a151-f528c6f713f9,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7f5ca8e-d251-44e4-8a7a-b3d85837ff0b,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07fe2a06-8038-4afd-a305-029e2c6d7a16,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, 
+\CANON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed397fbd-9adc-4abf-9cff-9d86ccd236bb,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c315e46c-7a54-4b07-bd89-c8b64f7770d8,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80035baf-613c-4b3c-948b-cc4b03f17572,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f68d9227-e4f8-49df-bb71-d3a61e64bcae,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e11f051-65d4-4ca1-8d8d-d5dafbc7be58,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94b7d942-4311-48e9-9037-dba899479e2f,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34f9d4fb-456e-43c4-9610-439f30a12eed,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e89c2ae9-c1c6-4b6a-8b61-c79a8c872e53,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, 
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d139467-73a2-4091-9e15-3aab22d385e8,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46d6e024-5ed8-4946-9be0-c845d02ee788,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6093299a-16a0-4ba1-af5a-edecb98cd894,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9815895-6e77-4de4-8d33-bcbb1045abb2,"4/16/2021, 9:21:56.729 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2a5d8d3-bd00-4e8b-b384-d0aa61f1e267,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6da936e8-aee5-4e6d-8473-b032adcbe667,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbd57ece-ef6c-4412-87a7-eaf9fb8479cb,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,631635d2-819e-4ec5-9727-aae506918bd7,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efe24b63-9b00-4027-92d9-02679df8c5fb,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5642d4af-67d5-4551-98e1-3d2acd98cb3c,"4/16/2021, 9:22:05.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10632 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3a6e80a8-9ed9-41e8-81f6-44de511579b2,"4/16/2021, 9:22:05.623 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,5a5ba5c8-f751-4b43-8006-73a2cbfca053,"4/16/2021, 9:22:05.623 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65c29b8b-4c97-4e2e-953e-4e56ce4344eb,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6761e7ab-5f07-4ab6-b956-7058e5b66ecf,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c553ceda-5908-44bc-be3d-5b0b668b97fc,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1828015-a0e7-44fc-9ffc-7c92c553a417,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02a528c-0df2-4dab-83e3-93aaf99f804a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4d38743-de91-4f6f-b653-08e7fb36adb6,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11cf02b7-ec54-4ebc-8171-3c2d0a7a50db,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6eae477-1a68-4f85-9541-b1d3bd2437cf,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d48bcce-e0f8-4290-94eb-2ded5b45e90e,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0470007-dfb8-43a6-8312-b11847a46f63,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1bfa556-a63e-4e27-a520-be97ca81ff3a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8f2c357-c6fb-46d9-a08b-523c96f8541a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a628b37-5bef-410e-8e12-79bdb9f2094a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ca49a88-4652-40dd-95b0-14a5a0a28a0c,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e90ff6b2-0ca0-47af-a438-ca70c131e6ad,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c55f2c47-8f3d-4641-b11b-153da1a33bca,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c9ec26-05f1-464b-8728-c0a451103b47,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a1d2923-0e06-4ad7-a5f3-de02f0a6eb3c,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5cb6af3-db18-4a8c-a1c7-0865b1101356,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9537c39-df68-47ec-b6d6-5150c58b1736,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9742def2-c48e-48ee-9250-2440e5aa4c92,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9eb7886-9d41-4aac-8b93-88699311b499,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2157421-61bd-42b9-ae91-541fd485646a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f7b188c-b089-463c-923f-e2a0d2364d0d,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6816cab0-a339-43b6-be4f-67fcfd682c57,"4/16/2021, 9:22:09.895 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ab1891ca-5f64-4f86-b9b0-278ed42fffb9,"4/16/2021, 9:22:09.895 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6972 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b0f0ed5d-bc34-49cc-b8a3-51284bea435a,"4/16/2021, 9:22:09.895 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4552 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c0727bd6-b881-4b83-874a-a49d36903bdf,"4/16/2021, 9:22:09.895 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,72db455c-618c-4d04-9e07-0faa93fda40f,"4/16/2021, 9:22:09.895 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f19befb3-737a-4b45-81e7-ff8e2a3f1fdc,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e877092-efe8-4476-a3d6-41764541741d,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9e87a20-7006-43ab-8fc2-76c0f39c9d99,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aadb5ff-1857-4759-8d21-8da0b3b17b22,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\LAURA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f474892a-1702-4e07-94a6-a6af320e9811,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f551620c-f2ea-4bdd-b622-a1410bb4c086,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0680e9be-dc9a-4480-8b27-87d0c948b9b4,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b4e3eec-1825-461d-96a1-461098f6f1b3,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15eca3cf-daf3-41ce-bbb0-7b545c2d1018,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2cca0c25-b98b-499d-a953-3b9d8a11bbe8,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f29ddcc-8b4d-4ad9-b511-fc1bbf08eb06,"4/16/2021, 9:22:06.750 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7aa4173c-eecc-4998-8b5c-e6b7a4dc93f0,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5410565-8642-4802-898e-73a9b77f0876,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d39557b-ab3a-4b23-a4f9-dc0e79dec1c9,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9886d2b5-6f23-47bd-aa6c-36ff86215072,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f12ebf85-703a-418a-ae6c-8b7df196822d,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5342eef-95e6-4822-9736-bd821d6e37a1,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05bcdc64-bea0-45b0-916a-f1b7e64c7e08,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,315b7d8a-7a52-422e-ad36-c44401eb68b1,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7badc8b5-a04a-4205-948c-26af5012e025,"4/16/2021, 9:22:06.750 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,befae6a7-31ce-4b0d-a29b-2624c463f5b0,"4/16/2021, 9:22:06.750 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f407e0e-445d-46b2-aa7d-49c0032ac0cc,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,031e4f38-c445-466e-b7a4-5b6c9e20b79b,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07d54854-7dd4-4971-b6cb-ef35fb69ac63,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d17e399-fa98-4176-bdfe-7cbc72bf90a4,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c001176-3bd4-491d-919b-c6eb9def9f2e,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4fd5787-f744-4359-92a7-237d3da75757,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f91e04c7-5a92-4140-bc1f-65dd0f881bee,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34ec202c-7ca5-4ca2-babe-f09181a74574,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8146b9b-7623-4a05-b5bc-4d0541c590a0,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6814d7b8-ba56-48bb-a54a-7f0b7b8c21cf,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d198e432-5fe5-45f9-b41f-12c616058de7,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09d65b12-8877-4cf8-9aa1-3c9c062b48d6,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edef1cda-36bf-44e7-b3a3-23c544e9eab0,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2efad2c-8c42-4573-8942-6b948963003a,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e66e203-d165-4784-8127-ca488b05a7d4,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cbde62e-904d-4fce-a802-831a28eb16a1,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb796196-b1ce-4cbb-b531-b5f8543e072c,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0603e46c-f09e-4bdc-b8b1-8332cc687f93,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c531e88-4641-4105-9587-1eab4e478c07,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11811d4-4248-4a39-a2de-c476f7402ee3,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c003f39-84df-4b51-8b5d-50cc414378d0,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,308b5fb4-f430-4cc1-ac09-0f7a97568f04,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53de9e9e-611e-47ec-bdb4-401b28ea4d01,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b0ae986-11d9-4bfc-9cb3-d2f139326f96,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2213de3-46c5-4f06-b2f2-301ef07323cb,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3580a23e-da40-4a0e-adea-61d96c04fdf8,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b7bb0819-5d27-4a8e-9084-8706c4e3144e,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1632 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0c3704d6-6f23-4146-a0f7-925b26408b95,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10688 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3ac5e276-380d-4698-bb1a-b00b7a02b8c5,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c781d425-cacb-4d32-9ac1-c0e0aa03c939,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10320 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c4f6731b-3eb4-4285-9573-6dc3da7c0014,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8800 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,203cc3d3-b439-44b5-a23b-56a00937280c,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e7f63d8f-e844-47a7-9e58-fc8e214d5955,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,60b15b46-2f9d-478f-bc00-f3dd6a384f80,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,62c15807-82ae-43b2-be99-7c33d9d212d4,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,42132bef-f590-48ca-9268-56257bb4a813,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,86f4e4f2-d9d2-4151-8e06-c43c406625aa,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee9360a8-af39-487b-9a17-2733ee5df208,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c238a82f-af7a-4b6a-a4b8-c5e6161578fe,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b1cd5045-455a-4d8c-a90e-8f03c5350d9b,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ac7ac16-1a3f-4de1-8570-adb455ccd7d7,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,02de14d1-4829-4d42-b99c-358f60b3a48d,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0e6d52e-540e-40ca-b6d5-60c76bb16009,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a127361-2d82-4188-8be7-bddbf01804ba,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e2bf284-edd8-473b-a545-0e6809369b43,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4439b71f-53db-4903-a0ae-e3105c6b2b55,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ebc5457-1eb9-44d0-8635-971cf3033c38,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,be4a784d-5b1f-4dae-afa7-30c2d1f9ea39,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,de194628-9594-4ce1-baf3-2f9740126198,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bea87efc-5c68-4c3a-be98-5642a5555a4b,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e07fc2c8-cf4e-494e-828c-ed7254840f95,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,08025dcb-7009-4492-882c-1a77a4731b2e,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,12585790-7276-4386-a3f9-b471eaeb0c63,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,263fdf95-cdc6-4814-b4e0-95cee46af58d,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3b2cb9ae-0d38-418a-8683-54a96ba595e1,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bad4251b-7a64-48bf-b15c-15794a141112,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e97766a8-5afb-4491-88cc-10fc26baefbf,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,679512f9-fff6-41f3-84be-8e92ca911867,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a9c29a5-3d99-4557-8d2f-ede2b8703347,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,0dc251dd-08e7-4b89-9701-a535a8a80ee8,"4/16/2021, 9:22:21.634 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,773b34e7-7d42-47bf-b647-b522c17131f6,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,66d25573-7929-458a-aecf-57172d8c6b6b,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e8f63e0-814c-4db9-854e-9901cef2f1dd,"4/16/2021, 9:22:21.634 AM",,,,,,, +\BOARDROOM,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,19846643-f77c-4eeb-a9cf-4b27f90081e2,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,57f5d4f8-8843-4bf9-a46c-f92475fe7e9a,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,792d02df-4c0f-4b9e-882b-c3f7903ed0f8,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\USUARIO1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,631f9f46-e14f-4c79-863a-16448065071e,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9d607178-d67c-471d-9506-239ce6718427,"4/16/2021, 9:22:22.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46d0bd33-7a30-48bf-9b15-daeea0bc92ef,"4/16/2021, 9:22:22.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7496 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,05c5ac83-dbb4-4f84-ba43-bbb4bdd3c59f,"4/16/2021, 9:22:22.409 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3306d8c-a5e7-4a66-8c65-d2b4cf53aad2,"4/16/2021, 9:22:22.409 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,67eeb122-5953-4aea-9657-dca80f358e54,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8b067c85-f246-409d-8731-512df8074fc9,"4/16/2021, 9:22:22.409 AM",,,,,,, +\KEVIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,824d5d6a-a651-43b3-94f0-87257f18caa9,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6216313-0201-4b87-9f8b-8af41c08aeef,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3d32a2a9-6b9e-4353-97bd-e2c5b1a43ddb,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2c474946-a60f-4652-81a7-7a5df87f8410,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e1bfd9ac-808e-4305-a60d-805139ae68f2,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d903d9d3-e883-4d02-8f37-2ccbe0cb100e,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,89436341-c632-4f63-a018-1c73c0d9959a,"4/16/2021, 9:22:24.063 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c4bad632-2a05-494e-b2bd-1cf326768e34,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,183c09c3-ca05-4193-ae18-b5afb607f044,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,25f8efab-fcbf-4630-9bc3-a91042a9f049,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae23a7d1-eacf-4e47-93a7-39ae14b9ebc1,"4/16/2021, 9:22:24.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,cd51e1a4-71b6-413d-83d6-f996853ec60d,"4/16/2021, 9:22:24.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a65e212f-50e3-4dcf-b6d8-016ece2bfaa5,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,32911c41-b5b6-4f83-9bb3-d48b6f76bd3b,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,96828939-2ea9-425b-b9c2-5a3ee4f539f1,"4/16/2021, 9:22:24.063 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f52474d4-2f52-42b4-85fa-3bb03bcd88f8,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6524458-30e6-4d91-ad54-e8ccd92c29a7,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e94ea5ae-c994-48bc-970f-f20f13b3301d,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f4c33a6-acbf-4347-8cc5-3e0c28ef4204,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39900235-61a5-4595-a441-3394868aab34,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0103f73d-ca4b-4309-82b9-e3b9e86810d4,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d1df34a-5d36-4d2d-90b5-71497c546ed9,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edc06586-968b-4c42-92e8-fe11754d1d79,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12231668-493c-44e9-992e-05e5afdc1a64,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fce4ae25-ca7f-4aa2-be5d-3f1c26428469,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9201e9c9-de2a-4f78-9619-8899359040d6,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd6bee20-86fe-4dab-8b4f-4727d0952323,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3b19a3a-3823-49a0-9d91-e366f3435a41,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13a770d8-650e-4c50-96b8-cf9849dd4720,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8172f974-4c14-4d1d-a5ad-7d0baab88140,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03a90af1-acca-4ba4-a8ed-d54f3e725a50,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,236bdab1-8d91-4aad-97ef-c90869057034,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1efa3b3-ffc3-4ceb-8094-52c41abcf8f9,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb60d4cb-b603-4251-9c53-18b80ac7f44d,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,623a2583-4611-44af-98b7-7e9fc1441fd1,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6947e2c-938b-4378-af7b-5850aa179847,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,677868a3-5c79-41e8-bf00-2d739962185f,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa1b1029-82a2-4d03-9601-79946b805f62,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b839669-b7af-4283-835b-aff4c66ead76,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fe6c3cd-a8f7-4061-a0d8-1a2cab139fed,"4/16/2021, 9:22:33.727 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0626b6be-e438-4f63-8c2a-5936682835e0,"4/16/2021, 9:22:33.727 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78f97ea7-781f-4e9e-9dcc-bdefa4fa3658,"4/16/2021, 9:22:33.727 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f60898a-4832-4672-8dda-cb20b08f5fb2,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0a531f3-89a6-4773-8937-0b309ff3536c,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f40769f-83b7-4043-bde6-6cbcba9a5182,"4/16/2021, 9:22:33.727 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ce60eb3-af0c-45d3-8db4-5510b4849749,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd63fb5b-16b0-4280-bc38-6892c80a90bd,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d682d73-b463-447d-91c4-063411e4d8b9,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,095a646a-7dc3-4dd2-99d6-c521455bf7a4,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\WJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d11a0eda-5cb6-4fd3-9d02-13681a2f4268,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,074cc5f4-f520-40c2-818f-fa9bc8be0ce4,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3ae90a7-2f1f-47f8-9bed-9a507da5f5cb,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e29c6b7e-59fe-4d01-aac6-6140166a9bc7,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9467053d-e504-4f1b-8073-0a42e153162c,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d91b8ba-b7cc-4535-942e-9b050e68fa16,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,358a3adc-c60a-440d-bbdb-bb1ba0d3e691,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\CYG_SERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd44a241-7490-4abb-8405-429df72bee4a,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16330a09-577a-4930-83b1-e1055c7954e9,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e64e036-f3e9-488c-a0a8-bc4c04203de9,"4/16/2021, 
9:22:33.727 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4751cdfd-c5e9-46dc-baa7-1dfff328457f,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93d78fb2-a2cf-45d8-8b3a-82e41e39eb3f,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd683514-7b6b-4b6a-8ae7-4c6033335926,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4780a2f8-f9bb-4657-8b8f-41ca480308af,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd34258-fa15-4d77-8a5f-ca438b44b882,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be864434-7b85-49a8-b271-3a96a085c924,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20a39e47-0bb2-469f-903b-af5c77bbde12,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0c6b4e6-fce6-4b7d-a5b3-08f38a057554,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2610b72d-aff6-42eb-ad1a-eb56cf8342c0,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8542347-93d4-4761-9813-cd6ab3a27c14,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\IMAGES,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e9c510f-f66a-4ed6-8c65-7e30ad7a2ba7,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ea44f69-f0df-4870-aa10-0813ee42cd00,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1ca04a-9455-4418-93ef-657cf414794c,"4/16/2021, 9:22:34.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aab7237-67c4-4318-8a33-1ca43276b352,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9fe5659-206a-4242-83fb-da1acbcdbfce,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a6dac36-1965-4a2e-8c68-a49c5f0f150f,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63d41510-8bde-4eb5-9daa-81030b2e4f85,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2c5432b-1296-49d4-9e9d-b809381e088a,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d35247-24c3-408d-ab8b-31d709164fe1,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ab8eab4-7be1-461e-bf96-66a51697dde2,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,451256c8-9b02-44fa-930a-464f968a478f,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99614456-d4d6-4506-997b-c00fb94a4525,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5073252b-d0b3-4a69-a90c-89fb2651cdce,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,818c5a6a-4239-4245-8f60-2cabfe266b52,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eae6dd6-6cc2-45d1-a4f8-02474f94e1f6,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312e80d6-ea12-4b1e-b19f-3689675a3317,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3bb5d3e-0c61-42c2-829c-335aafe4c513,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e1de61c-6e80-4a8f-bd91-274504333e1e,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,348dec6f-714d-4d43-b297-3eaf65daa995,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5088776-2176-4167-80be-24a778825f70,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b99f95-8b8e-445f-89f1-15004c9f621f,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5244b9a9-f883-4ec2-8af6-0b382cc3c65f,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2c6c2b-6cf2-4f67-becb-f7c1829c4a5a,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95ac0712-56b1-44fd-ae4b-d8814ec7507d,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b713e8-a166-46fe-b0e9-709a9bdd3996,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e7f1a8-db53-49cb-9936-0f67f05ff098,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80685801-6d82-4d15-8753-c602339bf8ec,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605b9e06-9a0c-441b-b5c6-90d51b6d0380,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5d14ade-0408-4040-b0a4-a6847300a742,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faacc124-efdd-42c2-a940-239bd85a971b,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,373a88c4-e21a-4da8-bca5-61cfee8ac4fc,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0178f1f8-517f-4323-8779-ab8e58338e61,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be3318e4-c561-4428-9b29-d67dfea9b4af,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98bf4962-5116-412b-8185-00b6da235971,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3865d96-1fc7-4105-bcf9-0e99c44554d3,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2571eeae-14c9-4946-be14-dcde2c4eaf17,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd40e93d-700f-44ba-a3d2-d569327db0f9,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7684 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b3b3fca-efe8-4128-a56c-469624f964d0,"4/16/2021, 9:22:42.872 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,163b571c-c024-4b5c-a2dd-0f8ba83850e9,"4/16/2021, 9:22:42.872 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,f1f80170-e608-4d46-ba24-cdbf84b58bd6,"4/16/2021, 9:22:42.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7740 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f4b17b6e-33ba-4614-a3f0-ac2b66eeee40,"4/16/2021, 9:22:49.282 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3a780b5a-c18d-4eb2-84d3-b4890424fea9,"4/16/2021, 9:22:49.282 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4636e48-7a57-4564-89c0-b6a24e769973,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acded2c-2690-4426-882f-7a3f1fbf845c,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94d7447c-731a-484d-ae35-61a3080360a8,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4a7df27-6ace-4e4d-afa8-b4de50b7f9ef,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a707ee89-07d7-4d27-909b-02365bf88e1d,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaf79998-69e8-42fe-97fb-544ae3db3d7f,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba5b2ad2-a716-4810-9fc9-5b3968744b3b,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,669b9381-cbeb-4f82-a331-2c700f1c9a09,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c65a379-f6d6-4f9f-acd2-fc9914094322,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d3ce535-9e08-44e2-a6eb-fe59e87b4d92,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\TRAINING1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5048b89-70fc-4826-91cb-8afb5f894160,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0294bacc-dceb-455a-bb99-4cdaddf3297f,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,356e2bae-e4ad-40dd-be3c-f7708f3cc945,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5274262-3545-4c0c-9cef-61fe03d1b9d2,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36dfcf97-1d6a-41ec-9cb4-301934467535,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee27f428-b7b9-4423-8aea-e5710812332c,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f63c9df-b3f1-4f9c-b898-062bb1f11b4b,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78f10af-e553-4c22-bd59-dc1e93786321,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40928250-7d03-490e-9a03-d417628d1f6d,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81b62aaa-29ed-4e6b-9235-9c74a281bbdb,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b939ff2f-3ee6-431b-ae16-ef692eff3c7a,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c598ab98-d011-4908-b034-67115044f7ab,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dafabd71-9fe6-41bd-8b8c-220a773225c8,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66c37d4c-9b7f-4440-ad8f-31792960b791,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff0e2a2a-d896-4843-8616-5c6bddac414a,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6c862da-1487-46b6-aa7d-a69023a76bde,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46e728c0-2339-4194-b5e4-0bbed453dc0f,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51e76b13-b7e5-4d90-9640-9b07e9c697ec,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e002e9dc-e8b2-4496-a96b-dccb9d549933,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4302926a-cc40-49b8-bbe6-ca3326a2e7b5,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f2ebca-de3d-4efc-ac71-080e8d6ba7d6,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e3a1d4b-31fd-4439-a292-65445fb61585,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19bca247-0ed7-41a1-9805-2ea2e8585e50,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c263e94-537d-4ffa-83be-82c966013a22,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa96a1c7-db76-420d-b7a3-172bd8f4f03f,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ec6ee99-33b0-4df0-ba29-f53f2ef0c5e1,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6485ef4-500f-4b4c-a936-243081112bd0,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b771e3e-d6f8-4c62-9a22-0e6b0f8c16f0,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8a7ab45-8d70-440a-b61b-e224cbd65c52,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a7ec84e-f0af-4b01-98ee-13230996c078,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84fcb97e-f27e-47dc-acbd-2afaeb552e3e,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea220ed7-5bcc-4be7-b214-da9254300419,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f850163a-d998-43a9-96e1-16893ed9c59f,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,902b029c-19ac-445c-894b-959d2d1d5c32,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11aa238c-83f8-432b-97df-19363a0d27f0,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8411ec9-9119-4148-a2b8-32fc9e13eae5,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4cfd0578-7819-4ea8-8338-771cb6eb9091,"4/16/2021, 9:22:52.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,de3e8021-c01c-4774-a34e-423fd4062a6c,"4/16/2021, 9:22:52.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2828 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e39ab594-aeef-4eb7-80c7-019325ece866,"4/16/2021, 9:22:52.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,232e4a52-c448-44f6-83f6-919e73a18759,"4/16/2021, 9:22:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0b88026c-fd3c-456c-92ff-941af8edc5b4,"4/16/2021, 9:22:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 
SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1f591609-a10f-4e2e-b6c5-7eac8034b8f1,"4/16/2021, 9:22:52.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9616 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5584a7f7-7714-4dd8-89b7-02f0bcd8a0e9,"4/16/2021, 9:22:56.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2152cf48-e671-4b97-aeb3-b45cbb185def,"4/16/2021, 9:22:56.997 AM",,,,,,, +\ORACLE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a523c447-244f-4838-bf92-f526db1deea9,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\MEDIA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4248180-27db-4ba7-8cee-2df287cf8874,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f66b7727-657e-4caa-bd96-64c993c19635,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\OPERATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a7cf4e15-67ff-492b-9d76-76ef95b03f3a,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8e2a62dc-926b-4a27-a526-436bc4495d73,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8297a776-ffbd-4092-b4ed-03932128af26,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\HP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3a465427-25b0-40e0-a33d-fbd30a0dfa34,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0233595e-ad10-46d9-83bd-4161842e72c1,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd69a126-61e5-4fea-b47a-9d74a6467b62,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c9b7543-b46f-43fc-856e-de34dfbb5e99,"4/16/2021, 9:23:02.132 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f23c7f8b-e4bb-4e56-9718-42446bbb13fd,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12a0e98b-82e2-44de-8640-df680ffd2979,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39f7b27c-693e-4ea9-8b82-26dd44b7b851,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b550ef02-1b0a-4742-b0d8-7d04d4a3d4f5,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\MANAGER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425a982a-fd3b-4cb0-80cd-7fb37df81f45,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2653b497-2f8c-4572-a1ed-46a03d889cf8,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43a1a95e-f00f-4fec-9d22-72db2a6841bc,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb9f4fb7-5259-48ee-bd50-035b69f55b24,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d33300c9-5515-4a0b-96d6-ba6e7a3ca6b3,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27bd0e1d-5941-46cd-aab7-7edcf4376982,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51625208-6917-4b13-b145-7c7483470fed,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f0ca082-d3a7-4c8e-b372-b4556fd0edef,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc0aa30f-2f3b-4992-b2f3-976837133fe0,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25227f55-1ac9-41e8-b350-02ddfdf7de69,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64a08f30-fa35-417f-a911-be0f0400e41a,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8e83eae-7a52-4a8a-bb37-f0c1ede76250,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ebec1d-c53c-4ef3-985c-b8845f87c854,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65dbb489-2ff5-41c9-8f38-c3b317fb1eb9,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f492228a-abb1-45a5-a458-da7a25119aac,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,995dea4b-9097-461d-bb93-4d851dd3b911,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ebb1aa1f-2211-4e2d-8fb3-64ebf8981fcf,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1f51a1f1-96cb-42b8-bd5c-304f7cc6cfc2,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has 
been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9be55075-9714-4010-a751-45ab95eabcf2,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,55f80da4-8874-4a97-a7c4-511d04544dab,"4/16/2021, 9:23:03.066 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,4dcbd80a-57bb-4efa-b957-dec6d5bda227,"4/16/2021, 9:23:03.066 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ef9301e6-0839-486f-87cc-56d4c86c21b1,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,1801ddbc-8375-4bd0-bdd9-f23b0ff6a312,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41b2031c-ac45-46c5-8c6b-eee46c26b8c5,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e6d554b0-2ed2-413f-aa50-83715434875e,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x865c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,58726cdf-7490-4089-b57a-a8e41cd62c8d,"4/16/2021, 9:23:03.066 AM",,,,,,0x865c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x865c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,2b988848-2984-4a60-8a30-eaed1d325c6b,"4/16/2021, 9:23:03.066 AM",,,,,,0x865c, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,93f51299-6a0b-413b-ac56-6d5bcf77b88f,"4/16/2021, 9:23:03.066 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,3e4074eb-79ae-4e5b-a2c6-d1e2a63b0384,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,25be3d06-edd8-4f1f-b501-ebacd141b9c8,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5368446c-2b9d-4c56-aade-286fd4636826,"4/16/2021, 9:23:03.066 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,9366b106-b0f6-49d0-8eec-172dcb17c2e2,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,72724226-0626-435d-8b87-64ee118f049c,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e5ce450f-4f0a-4f64-b1cf-da0525f64a6e,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,427472f1-11b4-43db-b26c-b10eb5215faa,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - 
Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c06b54ce-5d9f-4c37-b5b7-f9ffed34f0dc,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f4d97cb-570f-4471-822d-e4c7598a011e,"4/16/2021, 9:23:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,72263b32-70b3-4311-9472-0c5af41504e0,"4/16/2021, 9:23:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,92840329-9e91-4673-999f-0dceffe6feda,"4/16/2021, 9:23:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4840 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,591ce745-1eab-4658-b4f6-a4957f26f669,"4/16/2021, 9:23:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,da9bb33d-b851-4259-8105-240886a17b98,"4/16/2021, 9:23:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4652 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0e47d284-b99f-42cd-84e4-2a145a91057f,"4/16/2021, 9:23:09.896 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,133f497a-0de6-421e-a0f8-7723147a52fe,"4/16/2021, 9:23:09.896 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3373768-d206-44a5-9d9a-ba7b2f8f9927,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52d67ab-1b47-4772-add1-0798291f4d52,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c63db52-22fe-453d-adf5-e7900682ff4f,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eda0263f-cd30-4a2d-b0b0-b65e54255d7d,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15941b1d-5b48-4e7a-a26e-dd026399c95e,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2250ef41-5301-4f01-b4ad-135f40de60e4,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd036473-7f89-44cf-9e45-f3e3af1d91e2,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,602edc9c-81d0-454a-9571-990cc5362d6e,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,713bd0d2-e80a-4340-9593-09e585f48c5f,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3fc1841-71b2-443d-9e2d-116f31afa866,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1d097e2-d071-4b61-bf99-7909d1f51526,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6298878-c9d9-46e5-8f8d-31e0720856e9,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72aa4256-248c-439c-83a7-95e661a2a448,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605b8971-4a6b-4d97-8359-8eb269da6b78,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf86abe-605e-40b6-9a94-6c0878275a78,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e15768-12b4-4ef7-b39d-7d384f400757,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20096e36-e82d-49d4-90c4-8a6d4a831dd6,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c6acba-d85d-49eb-ae89-ed04fdcd3d80,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca492995-f8c1-40f9-a85a-785ae10b3c01,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81ee6176-2754-4f22-ae66-6ee141d2e121,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7c3bb4e-8a16-4553-87be-9f3d0faf68a0,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b7bba98-874c-40a7-acd2-a9e884b1f062,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d80803-c5bb-4889-9cd9-7a4367486fde,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dac8d0a-5c1a-4c3a-888f-043432bb0544,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e805041b-6394-44ba-9424-8a7d9e3a486e,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9198f19c-a33d-4300-82a1-dce52a284b1c,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\JESSICA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b95ecf4-f867-4f4c-a1bd-26282bfbbc83,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1f37b2b-e7c1-4bfe-847c-005bdb43dd4c,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,003aa844-143d-4216-b5fc-432b91b0882b,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,106e2603-6948-41a5-9e06-2ba990c587a0,"4/16/2021, 9:23:05.726 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2412659d-5dbf-4537-84a7-00c4043de726,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\DOGEMOBBIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde11043-370a-4b0b-a83d-6d7b3bbe1aa2,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65d12bfb-69ef-48e3-8343-d22889c893dc,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de1c7476-73dc-4df1-807f-883132682c78,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f136c8b-deac-4f5c-a0a2-751bb7e5cf11,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7be2f7be-29d0-415a-abb3-21ed3d9c9d03,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b1977c9-9671-4ce9-8f4c-27c9b24fa0d4,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a71a2928-1818-400d-b1d3-123e8554a47f,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,826bf915-bd05-41d0-92a4-5b077c9d5685,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed27134b-a887-4e17-986f-e53d716f9ccd,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\POSTGRES,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a82477f-2438-4758-93a0-c36fec747dfb,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cad05c3a-a28c-411d-8d12-9857020ac3d8,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e8773b0-a541-49f3-9487-2faf7a66383f,"4/16/2021, 
9:23:05.726 AM",,,,,,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53a66c28-9ea9-4b37-95ee-365f4e1e5475,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cde8e87-f354-44bf-8ec6-9422560f4f98,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,612b2c28-3ce8-47f3-a791-85afab3b57e6,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,498e13e5-a779-41af-ba74-2ee908d8ea91,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a936e334-cfaf-479d-883d-25a28bc1cdfa,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3b63c14-4165-4519-8c69-d126a92848f7,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04d1735c-4685-4c65-80b9-24226758f9c0,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84079961-4e64-4603-9f5c-a879197c86dc,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f12cb76-4014-4d45-8d9e-185123e45fcd,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4eaf8d0-51e9-48b4-9424-4e9e4aa5fdd6,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\INFODBA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14c78b4d-23aa-4ad0-802f-b3811e3828c4,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7b3e4b1-09f7-450a-b26c-0d991fad7995,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adb2b226-6e79-4f27-897a-4eba3be95e44,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52bd2fe7-b925-48b6-94c0-1528721b9c95,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\COMPUTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25e32bce-ce53-42aa-8a3c-b8b11735cdad,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53bc94d1-e52e-419e-91c3-611d1e51392e,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d274b55f-44c4-4833-9b77-8d119b722d0e,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,517726c3-71ef-4a1a-b95d-28acbcd6792a,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86672a15-925b-4083-85a8-a2f4c3c6ff3c,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87459e48-484d-4aeb-b4b6-2d445abe9842,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5263c69a-7e0a-4412-95b9-706278b29678,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf634d05-5dda-447b-a6fc-30eb101b7e7c,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,787eaaed-a26c-40cc-9879-c25909b2d432,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42842055-4339-4eff-a792-a0568d030687,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf39dd82-6f00-4985-b645-0cb6acbf62e1,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd78523e-1cf6-4b66-baaa-7423ddb54973,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ce8044b-d8b6-408e-accb-b46eb0d4568c,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,760510ce-07ff-46fe-a7ae-7031f3165d9c,"4/16/2021, 9:23:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7c99cf94-a3b9-4b52-a575-220cd7181eca,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 520 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,da3c9c9f-ace3-4fff-984f-7e6d6473a68f,"4/16/2021, 9:23:26.629 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee5969db-2bbf-4a67-bc39-71aefa77f3a3,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,0787bc4d-adc6-4a9f-9244-4a5b8d340c52,"4/16/2021, 9:23:26.629 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8c7854a-d253-45d2-9e08-ab6708013ea8,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,dd4a2310-eee0-43da-b7fa-912505caffe1,"4/16/2021, 9:23:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8df7d56c-ac29-4139-b01f-6c1edec67d18,"4/16/2021, 9:23:26.629 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a067f24-18b3-4f72-92dd-01e00708459e,"4/16/2021, 9:23:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a95d6910-b60d-41b5-8731-5a18946b13e1,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9460 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8bccf2b1-16a1-469a-b599-05c946d51b93,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bf0759d1-3a48-4f4c-a57c-2b2d3be1df4f,"4/16/2021, 9:23:26.629 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7002e1d4-d53b-42a0-bfa4-8fb974b7101f,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c207d318-f6f0-4192-b461-996a254e0b84,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3920a54-14ed-4807-a245-8b09ea01679e,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9030e54c-0f60-4df8-8fa7-c807a0bc98b3,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,150989ef-72b6-40cf-80f5-06744f3cd419,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2bbd035-fd02-4987-9ddc-5cebb5f04903,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecb3303b-278d-4302-815e-d7fbb3aaa9d7,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de506f80-b6df-4208-9b70-07a223be6cc1,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, 
+\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2291233e-22f6-4700-a3e0-acd6eaa027f9,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a965a08-551d-49fe-ab77-2b72dc0847ca,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,422c46cf-082b-48eb-ab93-795066b8328e,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dade73e-22ea-4c20-b9fe-f6d13b9ba612,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b86d63-bc6b-4624-bd4a-6c9a2a5473dd,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,346a8479-eda1-44c0-91bb-f0d0b8258a36,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21a58d99-8de7-43db-9958-e20f1c0463fa,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32c01d28-cc81-4f40-ae4c-6ab22185ba71,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a6bb2f7-e383-46fe-8211-b0f31cfe93d2,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaaf0503-8ee0-445d-89c4-0d1ecda2ef23,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56fc9956-ab0b-4a46-8c56-86abd8ee7e0b,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0c6da2-7713-43a1-9a58-20e47c5f7815,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d147acc-4768-4b6b-bafc-04a37d413278,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae0bfca5-243a-45ef-849d-921e4068f824,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6d09ea-15b9-415f-b728-ee703af8d1f2,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de269657-b7fd-4b69-ac24-3e722e320207,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0618065d-e142-4594-97b7-780645f10ff3,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ba09d6-5cf4-4002-8a1f-240fc7f9d8ed,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2a60e34-5272-40c3-9c97-111a1dab458c,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb121160-bf6a-4da0-961b-8450dabc9ee3,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b850bd-08e1-46b3-a58e-1b5a56102b0f,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a50bb00e-629c-4f68-bc90-87899ba64de6,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73cd0a4a-42ab-4cbc-b11c-5f101621701b,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7080 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef2ecf81-b54a-41cb-964a-46708c9d9a09,"4/16/2021, 9:23:25.141 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,93d2e4c2-a61d-4c78-881e-c3e706b39ed7,"4/16/2021, 9:23:25.141 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,831968c9-4e75-415e-9b73-3b7890e2ae62,"4/16/2021, 9:23:25.141 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e04b667-b12e-448e-8fa5-1790ce920f70,"4/16/2021, 9:23:25.141 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d2be56-45c3-46be-8307-be40a125008a,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00d24a3b-9317-4d17-898c-e739954c0a82,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84d11953-0754-4e70-9717-7777a3aac71f,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c93d45d-b39e-457f-9a29-527dd49c8477,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5488e62-0520-44ea-8fc5-8d763041faf7,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4310a596-7f83-428e-9522-8a86bd158a92,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b6a1a8-3f33-4946-ae7c-1779f488f829,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b737c3-ed5d-41dc-a972-bc73280ab64b,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f033d861-ddb4-4b98-94ac-eef227a2e428,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dd6ae2e-6c05-4145-a739-c93d6ee38a2d,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b50f0f54-8d38-4437-bec9-d3c14157ae70,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b0776ef-18a0-4384-961c-9e0988378aaf,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79e335c2-748e-4401-a57a-28c8334f10fc,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f75fff4-46f5-44ff-8abb-d07435c5f0eb,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,df09f72c-917f-464d-8a59-be9ea6d331a7,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f2fea2ae-3220-4106-b7e1-3ac7b3ecfafb,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6188 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-03-31_005118\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 
46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\GuestAgent\FindVolume\FindVolume.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af80f5ed-0455-44b8-ab6a-55dde4abdef5,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5324 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e97376fa-2483-4bf5-baf4-1327c5b3d108,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,705ce005-f727-4db2-b998-ceec3bff15fc,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d369ee7e-5b19-4913-a46f-e4efd4251c72,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 832 + 87 + 
%OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-03-31_005118\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94bfdc9a-fe6d-4d9a-80f1-17c9d2e74f83,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dd9c9039-da3e-4c8f-9db8-f062c9b466f9,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6256 + 18 + %SYSTEM32%\CMD.EXE + 32 + 25D4CAE189AA05EF5AC50A92649774E9527603140F67BACC08CB5B59E4C33B26 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.18362.1316 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf4d9e1b-41db-4c70-b0f6-7c6f68b2b7fb,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3288 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d8aa8b19-b78a-477e-bdaf-05100e067880,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3e90781f-c2a4-4a35-be95-25dc47f286b8,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0631ed01-2cfc-4ecd-9ead-fbf30a218b36,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,20e1ae72-344f-4bdb-9cc1-72e505d66485,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,afcd03cd-6f2b-49eb-990d-b0042559ed0b,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 4804 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,107233c7-c4bc-46b1-a59d-09e01776b3df,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3592 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,84b08b6f-9992-43d5-9adc-ea2f82e2af66,"4/16/2021, 9:23:23.729 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af446d71-520e-44d9-8af1-a151c50a024d,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38f086b5-18e0-4080-be8e-913fccd83d68,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25d76174-9ab3-4789-a869-8dcc4e19f0a0,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + 
WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,54155c87-c8b6-4e7c-99bb-88de598e26e6,"4/16/2021, 9:23:38.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d24783d6-eb76-4017-b170-292ca811a90e,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ceb9482-c49d-4f22-93fd-bab8e25dd9a4,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73741b81-2638-4385-94cf-8cff7713ed9a,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9250c36-4163-4c64-a425-fd63bb8afef6,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f3af68-f7b4-4058-b574-13c035f67d96,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,facc30bd-39cf-49ee-a53b-fdaf994f284e,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8bdbf2e-6b60-479c-943c-cde933a094ea,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82bf534e-ddbe-48e5-a180-401b7a7d1704,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62e5c0f4-9636-4514-867d-45675dd5a24f,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd73d08c-5871-4dce-9e6a-f0a9875ed666,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d69664dd-9390-4e28-a0c3-95e3f080d98e,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f3b2972-5f62-4c0f-9351-f79be37863c7,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,135fd5bb-a9c5-4245-a077-b1f00cc6b048,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a96aea0f-779d-4208-bccb-d69767467609,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca27f9c7-abf7-4e02-a56e-5f7bc5bac66f,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0242d6e1-2d55-47c1-be7e-e16bb8ac88aa,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94a818b0-0132-4195-a3df-42390c609df1,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b334ae7-ef57-45c7-984a-43be9ea69810,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,238d29a5-4df2-4850-a29e-7b06c3081abb,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c0cdd7d-00aa-4a08-a0af-8dbcda582dd3,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,989f8f34-ea0d-41b0-b234-60029e7ca29b,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29bd506b-7e24-47a4-a101-625790367772,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ANGELA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71f64fca-c3a5-447c-8f16-0ffd99aad4c8,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed7e3f84-d9ae-4333-8a19-7a1ac48927eb,"4/16/2021, 9:23:38.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,51f0f704-6fc5-4c25-a2fb-fa4c9f17b905,"4/16/2021, 9:23:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4308 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0a500df-af3e-4791-a7c1-9f71bdb5ffd5,"4/16/2021, 9:23:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6776 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,708fa6fc-afb8-4653-82c4-95939a95b1e4,"4/16/2021, 9:23:38.412 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eb514a5a-bc26-473d-b3da-77d083060954,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\ROOT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,156fddc9-cb57-4853-9471-ca90b9226c94,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cb56a842-7a49-46e0-8ee2-c103c4d623ff,"4/16/2021, 9:23:38.412 AM",,,,,,, +\OVM,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f630f9a-4656-4418-ae46-cff0ff7a1742,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2810d628-6235-46f4-93bb-c8c59e03e76a,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\ACCOUNTING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,82818148-8f83-422a-b44f-52e682b7cc6b,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c0c01bf-ad0c-4b80-80cb-8020fadbb8f5,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\MARK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ba129ada-f767-4521-aeb1-3d959000ca7c,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c753780b-0919-4e3e-a8f4-1d8a01d425ea,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94135370-3b5a-4092-9710-c9381e988417,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f97e331-2052-4dc2-b14f-4b30e98b3c34,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1da1977f-8d40-4a68-bdea-4c71bae86451,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\PRUEBA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3149970-c9ac-48f7-9242-93a2377e4ad5,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad2b8073-991f-4b27-a0a6-bef782bfb91a,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71217257-18ed-43fa-bc78-945c3060f6cb,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,906ff8df-eb73-4268-bcdb-7dd7dc62ab2c,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,114f5454-dd19-493b-b153-5e63c816ffa0,"4/16/2021, 9:23:36.732 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30291f20-6c17-47a7-a7d6-4af8e219a27a,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fff473f-3197-4049-a926-bf864a85b9eb,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42efc1bc-b855-4ef6-bf94-3c4865f38658,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce1c9a88-c08a-4e0d-ae1d-9c48c716ca2d,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2036fbb1-e2cf-4316-9a54-7c309a7a08d8,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa48797e-6bc3-4e94-92a8-f64b61056bbf,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f70508dd-c815-4c90-b13f-607390d9e9db,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af5aad4-fe3b-441c-a734-7ed15c60bf7f,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0a5aee6-59ae-40cd-8edd-a82a7923a7df,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\STAGIAIRE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95d31c40-f7b8-4789-b731-ce2d6a9a3f7b,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ff6129f-6d9b-4ff5-bab4-1b22165b9387,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,015bfb62-536f-43ee-bd78-c64b8e08ce15,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0ed36bf-bb28-458a-89ea-76288fd47a0b,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad4ded40-6c47-40b9-ab06-9e5d8b900bc9,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ec297d8f-bb07-4e12-b794-1c64dd67c5ca,"4/16/2021, 9:23:36.118 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80e6af1b-6e22-4053-a023-94bd94d5c265,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d75b3c5-445b-48cb-8be3-4c99a7c0818f,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,942d3058-f81a-4f3f-966b-a47e64f27e03,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b3b08121-55d5-473f-80a7-c88f3cf484a7,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,37eac97c-3740-4b6d-8900-12b5c166c598,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,88435e2c-1338-47e6-b7e8-f44cdff55e92,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fe0a19e0-6073-4813-a937-a33a744562cc,"4/16/2021, 9:23:36.118 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4484 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,edcb22fb-e4a9-4f43-8ef5-1841cbb55ebe,"4/16/2021, 9:23:38.877 AM",,,,,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5a74cb98-bbe8-406f-8143-3424ff14dadb,"4/16/2021, 9:23:38.877 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,06b39a0c-a9f6-4926-a05d-0b782704cabb,"4/16/2021, 9:23:38.877 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2700f4d-a60b-47d7-ab01-752d2ee2ea1d,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b161477-8024-4c15-9235-85180302a9b5,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7db0b56f-681f-47da-aec4-88a1998b721d,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e430e432-d7c2-46d1-83bb-a2eead1e27c0,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\OVM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5b9574b-4f51-4846-93a1-858862bc8443,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15301f3e-d63c-40d6-be87-b7735022a5ad,"4/16/2021, 
9:23:51.729 AM",,,,,NTLM,, +\EYD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,080bb8c7-81e5-47fd-a7b8-9c19522d4284,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40a0bdd8-89c9-4451-b4e5-0bff96c0274e,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\STAFF,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f0f61c0-79fb-463d-b6e0-ecd7010ca6e6,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1717b359-be4b-480e-9811-a9e8528854e2,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c97a0cdd-47b8-4efd-9688-a741b6846d82,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c271df4a-c925-4318-bbe9-ae4486e30f07,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,166a0834-1e58-487b-ab0c-b5bd3d623ca1,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc0f4313-5225-4db3-87a1-32103c6552a5,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,879e0932-d023-4c54-8bf7-9aeafa3ec12d,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2eaa36c0-4b5c-4318-a919-74b34ad29d18,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,039f5b25-ef2b-4edf-961d-fbfb077c6057,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ca66115-1f85-46b0-b32e-d334a62ec7fd,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c0cdce8-0d3b-4ffa-b7f9-3c093ee26673,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4e37693-e81a-4a0c-9a19-aba5396a387a,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9761efe4-fec2-4979-8db8-8b116e9793c1,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7767b959-ce5f-4666-8891-64b53601bdde,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, 
+\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7145320d-e248-4fa2-bde8-2c8463deede0,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b8f11af-9a20-4e45-9f01-3b21884aad88,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95e5b883-de73-4a05-b346-c93bae287ef4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c0ed39d-a6ab-45ab-8e5c-151e9034a3a4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77a996d1-171a-4ef4-b680-9c7f86f7003b,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30635c21-923c-4112-b9e8-efbf63f4aa58,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944a76e3-7f4e-4789-9745-4fd99438ca79,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,784d8c81-2c40-4aba-97a8-7ba1f7c54b28,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aee88b5f-a82c-484b-a1af-61b083cf15c4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18ced35b-13ff-4660-ad2b-78b62115c370,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3037b995-0644-4da4-bfcc-f37c378cec60,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28bc3d7c-1624-4554-84f9-35f398960ace,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e6e4b21-19fc-43e5-9022-dbb82eb6b2ca,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cd81c09-9133-49f9-9ccd-0d459fdafac4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,714d6709-e9ab-44d2-934a-089cd19366ff,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6545a7d3-5a59-4111-914c-26d195c07338,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,717b86a8-1b66-4fa8-89d0-59b06be0bd37,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f909201e-e8b1-4a7a-a009-04912d30eb01,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8b1a47-d826-4ae1-9587-6b6b6ac65cb3,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d35429e-fc81-4ec9-97ac-9eedb56201a7,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6611f8b1-a21b-4894-9222-0618f51c47d4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cbd6ca4-a052-44d1-8c2f-0a4deb2988f4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d2134c7-4636-4f3a-bc25-5ce79507d281,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d95856a2-56f7-400d-a7cb-91258284f688,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9bc0773-3537-496a-b62f-f435380473eb,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8736 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d69c3c5c-b580-415d-8607-8178f5cc1bb2,"4/16/2021, 9:23:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10652 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,15ba80a0-64af-4b3f-b6ea-c8b8b81673ff,"4/16/2021, 9:23:56.999 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f559c941-7b46-433a-8a8c-1c9c39ef4356,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0104c46-c672-4980-acdb-8863caf834b3,"4/16/2021, 9:23:45.167 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c2e5192-b1c9-4819-8bb8-a930e9195112,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9721e096-f3e2-4482-a7fa-14885ba4fa90,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\WJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,643433e0-4d66-4654-bb96-5248bc13c89a,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8faf44e8-d614-49ab-9627-9eec98cb39ab,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72f8b459-b836-43b0-a13b-5a669bc26698,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14a59e6a-27f1-4b4b-9c43-6c8ee03e65ee,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd7ed6cd-e5ca-4338-99ec-587f10bc878d,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7169379c-d3f2-4185-97fe-4a6a3116ea52,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45e97342-f6fd-48e6-b12d-4f2957c7f81c,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96d2e15a-f3b1-4d02-9b9c-cd82f6c44596,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11fc8fd-d420-479d-9872-b48f41dc4da8,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad3a7a0f-aff7-4ff2-a685-92d220f0fce4,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94c43bef-0f83-4616-aaf5-6c5c5413803c,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cb792f-cb87-495d-9e23-1b85626b0ae8,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f42101f-4132-4651-8104-53b9c2aae0f8,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc7c04e4-a230-48d1-8b1d-7311d65b0b19,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457b0892-3635-4eec-b9d2-eea20740d5b7,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd8b94a4-f729-4ced-b2cd-70f751bd9539,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7a08807-b924-407a-a809-c4c091835026,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7144fb2c-2c17-4134-8e4a-81f7f7bedf79,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f07d48a6-a602-4581-b6ea-45498fd36709,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdf69acf-2ba6-4421-913d-ed2743d30969,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e977236-c85b-4474-b0f8-4efff6da6040,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115dd27a-9cd2-4674-94bc-5e65ebd1b6e6,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5088 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0d0066bd-e7ec-4f10-820a-4c85b176e83a,"4/16/2021, 9:23:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,6ea54e1d-d261-426c-bb77-3e4f8ce192ac,"4/16/2021, 9:23:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5372 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2f670634-ae04-4403-9d0b-5327dd51c013,"4/16/2021, 9:23:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9e7c349c-1758-45dc-a1ff-6c0f620c3035,"4/16/2021, 9:23:49.274 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a2ec6d65-82a9-4dea-8351-31b24a5cfbf4,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4254db98-5800-4fe8-8c76-816b15b5ff3e,"4/16/2021, 9:23:53.073 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14657c55-3747-41a5-85b2-b93375b6a22b,"4/16/2021, 9:23:53.073 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,67ccdb65-efd3-4465-b93d-948bb7783057,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,aed49f10-d3de-4467-9c32-5cc7f4c96974,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\Microsoftvolumeencryption,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2886ef42-c299-4b7a-b75b-315306d200c7,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\Microsoftvolumeencryption:SELECT ConversionStatus,DeviceID,DriveLetter,EncryptionMethod,IsVolumeInitializedForProtection,PersistentVolumeID,ProtectionStatus,VolumeType From Win32_encryptablevolume",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,95946082-6918-4ab8-8a87-51c722a1959a,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),ROOT\CIMV2\Security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,190dfffa-7181-4779-8724-670669ad8b6a,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,0b31dee3-5401-43d7-802a-7c8aab820390,3b50bd5d-7f37-4035-b521-1d93d50a6bf1,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,802c6e0a-5fa0-4036-b97a-2a5b6c80829a,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d38e9cc2-3eed-4a7c-9e79-9a1b4b6438e5,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,848ba33d-1b66-453a-b91b-dc14d7e1e52c,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,33583c22-deae-4101-af71-403ba3ef4878,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,0b31dee3-5401-43d7-802a-7c8aab820390,d8745e1a-c5f5-4ad4-800c-26e81c31827a,"4/16/2021, 9:23:53.073 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,c285c8ee-c5f1-4e8c-bd82-91b89ae44fa9,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,744e38a8-93b1-4a21-a4e7-db3ec5e5a114,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a2ecab9c-b390-4fd8-a042-9f1b0d8335af,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,25d61e44-9699-4c77-b36d-f5432deb2e46,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select SpecVersion from Win32_Tpm where ManufacturerId = 1229346816,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,b6b3dabb-c717-4eda-b508-c61c49e7aaa1,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),ROOT\CIMV2\Security\MicrosoftTpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,20f4eaba-18d7-4a2d-9f62-a85c5b52bc43,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read 
(GetObject),"ROOT\CIMV2\Security\MicrosoftTpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2403c182-9b26-4ab5-a412-21a38314f672,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftTpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,6f35b08d-d2b4-4df2-b49c-d894b848ef42,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),"ROOT\CIMV2\Security\MicrosoftTpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,635949a6-1df2-426b-bcd5-a2b3ddac0d00,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftTpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,6f336887-ceba-4f44-89a3-2a41812d26ae,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftTpm:Win32_Tpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d8ce6410-a48c-4bd5-8e4e-00c92c67ae49,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftTpm:__ExtendedStatus,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 
- An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,c7dfaa6a-901c-45fc-8734-e29202352a16,"4/16/2021, 9:23:53.073 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,8bb69a2d-c6d6-4f30-aa8f-a2113db6be32,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fd5cb39d-bc75-43d1-a8d6-ff8da48ac58e,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,06c29c76-2c97-4f3f-877a-f295c6e0e1f3,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,123214ea-8b01-46c3-a9c5-70dd254dddf1,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\CIMv2\Security\MicrosoftVolumeEncryption,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,5c700d33-58c9-4093-b2a6-04ebd6c13cc8,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\CIMv2\Security\MicrosoftVolumeEncryption:select EncryptionMethod from Win32_EncryptableVolume,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,9a985e89-6ae7-4638-b195-b180c63c2481,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,5e2ce69c-cab6-41eb-86c2-c4003fc96b05,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select ManufacturerVersionFull20 from Win32_Tpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,16a4fb03-f509-4990-a986-47603ef67bc3,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,eb74f91c-c286-465f-9de8-8fda7f9eab06,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select IsEnabled_InitialValue from Win32_Tpm where ManufacturerId = 1229346816,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,9bb26bb6-9d7a-4646-b458-2e20f9e8a7fb,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,c3752976-0615-4e5f-9d4d-51674a954c70,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select ManufacturerVersion from Win32_Tpm where ManufacturerId = 1229346816,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,07ac4b3d-e999-472f-9403-e27861113822,"4/16/2021, 9:23:53.073 AM",,,,,,, +\SMART,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,873bb16c-e178-4429-8899-6f7f39ea89de,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,802cf0e7-4e2e-4a07-9684-970121502a9e,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +\SCANUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a2b34b79-39f0-495d-a2ae-3485628910bb,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c8a73b94-6c3e-4517-9ab6-1d9a57871143,"4/16/2021, 9:24:01.423 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8b926730-2b75-4edf-932c-ef717b28bbdb,"4/16/2021, 9:24:01.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0493a495-0621-4e0b-843b-d3f3f559a339,"4/16/2021, 9:24:01.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ef76b027-5610-4254-a6b7-ee9e64210f77,"4/16/2021, 9:24:01.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6912 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95a988c7-284b-4862-9470-1767b8810f37,"4/16/2021, 9:24:01.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6764 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a8061a91-e6c4-4a0a-8322-35432a092595,"4/16/2021, 9:24:01.423 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b4776c0-f605-423a-bb35-f3abac4d04a2,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was 
enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b688e2d-5819-490e-88de-ff8f77e0c521,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-503 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e0cee89b-c198-45cb-959f-23c8cb610846,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-501 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,96242e81-1563-459c-a7a3-bd59425fa6de,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-504 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0a84f340-0fb3-4ebd-b0b3-4498fdec26cb,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1beff2fa-c1b8-4c70-9bed-903f20cc4022,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aef56ce9-df61-4ed4-9cac-af8462d7e4de,"4/16/2021, 9:24:01.423 
AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cf14fcc-2386-45c1-82cf-b3fa664c9a3d,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,455cc38d-9b38-47c1-9f79-6048ea5db490,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf6c2aa5-3a1b-420c-851a-01d4bec0b7a4,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37437b6a-1bbd-49f2-a020-c1fbbf3f9f7e,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,391f1530-4029-4d25-8d04-f170beee1da8,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ffb70ab7-c2cf-4e90-bd9b-fa0b08f8657c,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c4e61f38-1f32-4a05-84b3-2a5f9f5d5510,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,43323556-b59d-4226-be22-94d10d6f5e55,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cf3b349-84ad-4aa0-b409-c657ef7cb898,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0934eec0-7687-4dc5-a4a6-209619d16300,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c64fd303-37ba-4643-98f6-3127107063d4,"4/16/2021, 9:24:01.423 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f1b9d3c-22b1-4d1d-be4e-ee9c3c162d40,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53b85b49-2e7d-4ffd-a0d2-6b992e9ef221,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a9428086-6dbc-4317-bdca-0943657b02ce,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b305d806-2165-4741-8b2e-bdc053791cac,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3e785dc-dfbf-42cb-a129-7153e625a4bf,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc16742b-42a6-45e5-b8e8-d49e2c6294ea,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c2492043-267e-403a-8181-9804318a71a3,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8372b9ee-3c4f-4ecd-8c47-904a7069e0ac,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5acc5ffb-1c77-4615-97f7-14f5783bec4c,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2d8c6b5e-ad32-4d0f-a698-389c0b875883,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2d36fa7-e0da-4690-8bdd-14f55933040b,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26ffeea1-0e7a-4229-bb60-cbbad1ddf23f,"4/16/2021, 9:24:01.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1560 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b471ddca-0625-4f1c-b1a6-a8b6986b22c3,"4/16/2021, 9:24:01.423 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8388ad5-5210-4eb8-b6c9-fdf1b46417ee,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,595293bf-68c9-4ec6-accf-fdbd6ea3682d,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86d6ed56-d703-46bd-a737-885eecca9f11,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab2f5166-41a6-4093-924f-5252fc5030e7,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bb6571e-0e77-46c8-ad36-73da70fc3f21,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b710d0-ca69-4bf8-8078-becbee4dd152,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ede6237e-36e9-4246-b265-e0bb28898111,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c33ac1d-caa8-4150-bca9-f95c30440fb9,"4/16/2021, 9:24:07.136 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,860f8bbb-6edb-485c-8cfa-67daecfa642f,"4/16/2021, 9:24:07.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39137c8a-9287-4abd-949d-036ab7bfd8d1,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0701e44c-d558-4c68-ac86-7fcb202f7a82,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4976 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fe4eed0-4220-4bc5-976b-03e2fea3a53a,"4/16/2021, 9:24:07.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 8972 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,327b810c-c344-435e-95c8-f8add0bd9042,"4/16/2021, 9:24:07.136 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4e7c461-6a46-43df-811a-7ccaff0a05ca,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,990fc5d3-45c0-40ac-92af-dba69ddd4800,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d61a143-b67a-43be-9c9f-1e63d20c8984,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00fb2d04-ba4a-42e2-90e0-2661197816b1,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b96b8903-3f6c-40db-889b-30b03d511306,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5864c94d-6db8-41eb-908b-ff5c58c282c8,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6cb9bb-403a-47be-987a-43775cfa1621,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0488a94-6b22-47c5-8954-c9a2db1d80ca,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9198093d-12ea-48dc-8f8b-fdb2803b3511,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9860203c-3cad-4e1e-a978-617298853d14,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35db45cf-01ce-48e9-88d5-233aa008c474,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4463cabd-bcba-4a51-bc48-40cf5d73782d,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,215a34b8-e1e2-4f9d-8cd7-db716c03d23d,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c73388fb-84e6-4b4b-aefb-eea85573ddec,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3bd31cc2-1047-4a97-ab66-6edd7cb9b5fa,"4/16/2021, 9:24:04.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,36fbbb63-c8d0-454e-96bc-080e9914be2f,"4/16/2021, 9:24:04.726 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e639c9bf-ee61-49db-92f1-903d990b40f5,"4/16/2021, 9:23:58.631 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7492 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c74b917-db3c-45b9-90c2-0fe3d8bdecd4,"4/16/2021, 9:23:58.631 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b08def9e-f7d2-44c6-aa95-9269ea546692,"4/16/2021, 9:23:58.631 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5436 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,97ffa1c6-0db6-47ac-a3f2-e08dca0b49c5,"4/16/2021, 9:24:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1848 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,739305ec-e73b-45ad-8b6f-387bbd75f5fd,"4/16/2021, 9:24:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,113b2359-596c-40ee-97f5-f37153929a17,"4/16/2021, 9:24:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d409f24f-8e91-4087-9a6f-ce1be5faebd8,"4/16/2021, 9:24:09.890 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7e09a5ea-4023-41ee-ad0a-0153f1965377,"4/16/2021, 9:24:09.890 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cec6133d-7ff1-4e90-9c49-38d972819f8c,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,892a35f0-b7ca-4077-8258-4cba5e07dd0d,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6da9effd-14d1-44dd-9205-cae8d0e62894,"4/16/2021, 9:24:06.782 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25878e96-5ea8-47c7-8c4c-36f1f078eff9,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\USER5,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a40a2b4-64f9-463e-97c0-5e9fb3c271d0,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,665f48db-998d-4a3d-a94a-16863869e38c,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33aa3f91-44dc-4c3e-898e-1a80b4000261,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1564d8e1-3916-4d2b-9a6c-28f9c7850cbf,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\WP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d87cbcf9-aed3-457c-b45a-f9bb9b014b6c,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b95bd43b-6942-4145-a681-86a074e3898b,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,788076c5-05c5-4f8e-825f-5cb909f0f9de,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b866a73-5a3f-4278-b128-bfb32144e1e1,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db7b1cf8-6c57-42e3-bc98-0bab9ded4927,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\WBHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfa586c9-b043-433b-ae00-babd0529275b,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d98757c2-0c88-417b-bb2c-06b53573f1e6,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd6075ad-c1c2-41c6-85cf-282a51a5be48,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea7608bd-8946-4976-b02b-5ba1f2b00282,"4/16/2021, 9:24:06.782 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f804f48c-e759-4450-bb4c-7c454fd0fae0,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,545c4be1-8a9d-4d5e-92bf-1e1a8fc76287,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\TUSER2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fbd2736-59c3-41f3-b462-460524fed429,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b8020ca-e554-4ffd-8d70-546763df2048,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,484932ba-90d4-4f4e-abed-5947e11bb330,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e607a14a-0aa0-4631-af20-4afead77c5bd,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00db0008-d5b3-4379-888b-1b67ef5c5500,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21260010-4db4-4430-9bcf-bc295f05d366,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a86d43c8-93f1-4a50-be77-bceb0a91762e,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a30541f-8308-4ae1-8d7f-00ea044d41e4,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7915e4b-957d-47a6-8fc2-84ad78cceabe,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d0c5447-8331-4a76-971c-7368122b7c15,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,829e21a5-d025-4ea0-ad25-9fe6207ee047,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07d4121c-818b-49f2-a812-070e70c3164a,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18e77d5b-f8b7-4947-bc3a-e26a59ba4da3,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ad5f7e-785a-405c-91c4-c3b0480f3c1e,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,183a8223-b8be-4f58-9724-b1ec9421e520,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a9f549b-978c-4a91-9694-78aa82b7551d,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,277df1d7-cb88-4f70-a719-076a8a27e269,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74e8216-344c-45b4-96bc-742b766f793c,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,531db2a4-68be-437c-bb7e-40971c000f0d,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,687b998a-ea42-4fc7-9fe9-ab848d393fe9,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f124886c-290c-4aee-b87a-27d1f0849203,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dc93642-7c98-42d9-96c0-d605c872b37d,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,242f58bf-d21b-4f09-8137-67df5d6ea61e,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd5e6ccf-455c-4d35-81dd-30d9be2f5246,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42625887-cd96-4eac-aed9-5dd1ca09d6e6,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92c3be08-7b57-4166-92f6-52547aa95110,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f22808-9fde-4b42-bd48-c67d2a348b5f,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efe6223-ba25-4a18-95d2-a50ecb6c785b,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8a018b4-341a-46f9-95d6-f3596b5b0523,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efecaba-14c2-4d33-8b57-ed447c1a94f4,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f84f555a-e1e0-4f6f-bdbd-131bad80a0df,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2be7f40b-6b0f-4c9f-8f79-8f5b6f75086e,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac26a613-3ab4-422c-a2c2-a5bd11c84bf4,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,745a757a-8362-4980-9737-29b68a6ac480,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afc8e01f-0a3e-49e7-98a8-ab97618d35c0,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29b75fe2-bf90-44cd-90c4-4d9feda85b12,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0275d143-10e9-4baf-bfa8-ee582a503354,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,85a12519-46c5-4e74-8ccc-a84bb065841b,"4/16/2021, 9:24:21.130 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e55eed3-391e-4467-89e8-bbd41f95e51c,"4/16/2021, 9:24:21.130 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba52034-4909-4e3c-b32f-0a62714b02a6,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ead84fa-2816-4a7e-97ac-20cc9f542005,"4/16/2021, 9:24:21.130 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4220 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea28a16b-307b-4baa-89e3-aec70f6924e8,"4/16/2021, 9:24:21.130 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50555a19-d430-4126-8007-ba83307afe08,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81bcd92e-7759-4d4c-92d0-2d5e2c26a289,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c18e6a78-ceb5-4927-9d93-4eb9d8830140,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6256ce0-dfa5-4f11-99d6-0e05c79927e8,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d50461e-fb08-4cc1-96dc-c4d309c7dc81,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,889854da-f866-46cb-9c42-dd9f88c756cc,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,404dc4c3-a6a0-4665-aee0-8bb1bd765da7,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7100c87-c73f-42e4-ae40-a76850befc4b,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,f6c96a36-ae32-4ddb-9b7b-cca405dd131d,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,f75910fe-c58f-403a-b25f-01dc9c3dd7c0,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftTpm:select IsActivated_InitialValue, IsEnabled_InitialValue,ManufacturerId, PhysicalPresenceVersionInfo,SpecVersion from Win32_Tpm",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4a0f962f-5d6f-4464-a883-c23e5725e1be,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a3e11606-e764-4a24-83fb-6a3a69b2d888,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select ManufacturerVersion from Win32_Tpm,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,a21a2e2d-7350-479e-8175-23714ea68240,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e4b7597a-1993-4f78-96df-9d45c7106a33,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ea1c5f2c-8c54-46b1-a783-c3e6caa62d35,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,61a33274-d4f6-45e5-b170-b131bf0ffcaf,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6b121c78-a907-49cc-8360-331e9346bb68,"4/16/2021, 9:24:24.062 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2c484425-6f0c-48b8-b00d-d9c8e8ec5470,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ebe86ab-e966-43df-8aa4-23507c2f9966,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8b5fe064-2626-4390-9939-e181787acbb7,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bfe98135-cf7d-475e-b604-29cf0383e807,"4/16/2021, 9:24:24.062 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d08282-db66-4c9c-878e-479ac3b00c39,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0d75c14-3270-41a6-b77d-4c946630241e,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8534c190-c342-4394-acc4-5c9f452bc0c4,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4ff2089-a244-4af3-a3cf-67846ff54163,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9eb1f137-7a3f-46a8-8bfe-c5b24e05fb82,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,665ff2df-ca54-430d-91fb-612f81dcb5b2,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,848308d5-1481-4efb-88e3-e37f63519d12,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72e39190-001e-464c-be6a-a7f6cc807b04,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e16ec07-5a38-415a-a578-2f1ff8c3aab2,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3d38fc7-e5bd-4948-9925-425cec9ab9af,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\IT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40ddae79-494d-4b6d-b8c4-ff0ed9bf3174,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,614cd5b3-2064-4ad6-bed8-396ecfaa5c6e,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\STATION,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2d416c1-3c31-4b1d-b657-7805412c91b9,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc72908f-befd-464e-8a3d-09cc62b6ebcf,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9fbe10-35f6-4ed5-ba33-b6ce6879de3a,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83859d05-d50f-49a5-b559-6c7028d3a273,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,639687d4-f595-4fce-a671-5a07ef10fb37,"4/16/2021, 
9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ef5c08c-eaba-40e9-8cca-32b23876b7eb,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc260a81-16e2-4c9b-b7c7-e20659472a40,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41bc0cfb-ffc8-4505-9f11-d3d28c9f4ba6,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e178905-1dbb-43a1-8b9b-3c4349f726a9,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29d20ebd-7ff5-48ac-a672-ac241c38d1d6,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef160e6d-472d-43ab-b4ff-0b673b480f0f,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df1fbc33-7946-4f71-a3d6-a7d3980d3270,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98df3615-b07d-4255-8273-ac866e131ce1,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14bdc3c4-021d-4635-80c7-43060c30d243,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,178f1878-5d6b-4768-8dc1-5061133eb8ab,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235f9687-4ec0-4a6d-b157-dac4f1f2d182,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51bd6a33-2150-4e04-a939-c0c2d957b8b6,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74bbadd4-2e78-4ca0-982c-bbf1a6c8763e,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4c2258-6a39-4228-b3c0-7233009f98c2,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cffafc8-8674-40eb-9507-91a05d549e98,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29a7335c-6380-45e9-a518-e835fc994bde,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, 
+\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b64365df-b410-4c91-9cde-1c419c78cf82,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42761769-620c-4c4f-a277-79f3bba129cd,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,190116a3-9ed6-4c7e-b53f-f3662e30a68c,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974d97b3-020b-42b9-bf7e-640dbca95135,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99968766-d72d-49d1-ba8e-dd1c930f7b65,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b867b05-212e-4fc1-8aa9-b6e3073b53d9,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73a5d60-4347-4b40-9b01-79f9ccb0bbe8,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3b8e7a-6218-444c-b352-ea9ed175f5d9,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3a9981d-2fce-4713-b0e5-37c34a3a79a8,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15ffcea5-90ad-456d-b11d-4343137eaa8f,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0928a54a-f7c0-44c3-b0bd-ffe0905f3524,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5aca9633-c960-4c85-ba63-721312df83b7,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec12e0db-2c4a-4b1b-85b8-42776c9d1a99,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3932 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f9c0c76e-82c1-4b8d-b4d7-8de1c4a063b2,"4/16/2021, 9:24:29.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3be5a1f5-af12-4c6a-b6ac-7e46eb5eff73,"4/16/2021, 9:24:29.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.2"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2021-04-16T17:07:00.000Z</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> </Triggers> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartUWork</Arguments> </Exec> </Actions> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> 
<RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> </Task> + 13510798882111748 + 4840 + 780 + 0 + VictimPc.Contoso.Azure +",4698,4698 - A scheduled task was created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2eebf44b-67a0-4b58-800b-c4b7d183320f,"4/16/2021, 9:24:29.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2300 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b1f931b4-6a36-465c-ae34-4f851ea195c0,"4/16/2021, 9:24:29.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10888 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb8c0a38-6fa8-44cb-94aa-8afa0414a579,"4/16/2021, 9:24:29.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3359f0bc-687b-4a9a-a9a1-7111beadccec,"4/16/2021, 9:24:29.636 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,eed03a6b-baeb-49e8-8b54-1e93f22ef9ef,"4/16/2021, 9:24:29.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6708 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c7255f3-07dd-49e9-b686-9f961d4b2b69,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2184 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca148fea-a9d0-44fe-9ca4-3f5c256f110e,"4/16/2021, 9:24:35.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new 
process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,feb57cd5-4dc7-4f67-91a0-9c606456fe0d,"4/16/2021, 9:24:35.413 AM",,,,,,, +\FINANCE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,926007cf-e9a4-4bdb-bdde-4fd5809621b3,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f0f0481-f70e-4b01-af5c-099d9ee70c4e,"4/16/2021, 9:24:35.413 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4974ba5c-0171-496c-9cb8-8308721b5df2,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a9d8c724-b601-49e7-b64e-e53bf2cec8a3,"4/16/2021, 9:24:35.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b51774ca-be7d-44d7-9878-94049e17cd7a,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc1a2b8b-240e-4f71-a23f-6a29d601cdde,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c42db24-3767-4cc7-bfaa-2cdd7cac5166,"4/16/2021, 9:24:35.413 AM",,,,,,, +\NOMAN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b59f281-3308-40f8-bc09-c8dacc651de1,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5fb4caa-d12c-4b9d-a4a5-8fcf8082111e,"4/16/2021, 9:24:35.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5f004ec3-0760-4a79-88f5-a55612b781a7,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + 
C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a609d2e8-a867-4cde-adc2-9a41d298f163,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,780a03e2-ef6f-4ad7-8346-3affe0a5fedd,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d478cc6d-38cd-4e31-ac57-09f2e35df72d,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-503 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d704e7ae-4448-4c6e-8bcf-8f7077c06c65,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-501 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c06ac5e-ddd5-42d4-8a22-5a8285e1d7d1,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-504 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6066bdbe-cd16-4dd7-946c-d8763c79bb53,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, +\MEETING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d684d7f0-c493-4e4d-9857-90dcf25dff0b,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdd5171c-7f2b-4332-bcf9-2428211d5d2a,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9165f5e-3252-482d-a61a-2bc84bc9e105,"4/16/2021, 9:24:35.413 AM",,,,,,0x0, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dea8e8e4-7acc-4d8b-888b-024b64764752,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93c91bda-2cb6-43be-aa4d-18912c19ca46,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,88e91099-bf60-4735-b74b-80c9318e9bba,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 1824 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\Windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6119623e-d982-4eb1-9c05-29b1b0b57b97,"4/16/2021, 9:24:35.413 AM",,,,,,, +\TONY,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f074ca6-7221-463b-a900-fe7827eca8a8,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42c78450-6894-4aa4-b55f-30418ea38994,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63e48baa-acab-49ce-bb18-3a957bb848d9,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be118ae2-1043-465c-986b-339215faf2aa,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8288ea-8f44-4da1-9a32-a738327c89c8,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b8b15c-13fd-4c3d-bdf5-cf5631b0d594,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,478d18c6-5f07-4c47-bd81-768b5bb2ad8e,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82777da8-40d8-4517-b75c-6c95964fd2b0,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,560348d8-33bf-4897-942c-bc8036ad1f49,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,800422ae-ee9d-4ec7-b0a6-7feda03ea830,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d82899e-979b-4a5e-be40-304deb835b41,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0870160b-9823-4ba1-9e14-ded32916ef67,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef86ff81-d9e0-4f25-b673-460179c9ff95,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402fd5e1-3055-41b8-9b63-c0a8bb3fcf3d,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b58e21cb-30d8-4fb4-ae51-1fdd41cf2af5,"4/16/2021, 9:24:34.134 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8b93dfd-a821-4d47-8553-2cede8e45831,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f56b3364-429c-4d78-a53b-94860a2e2197,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b08fdefa-fca8-4384-8346-0309d99b6b6f,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26de944e-84da-4466-ab23-d46f3379a077,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c357da6-cd24-41b9-9d5f-b759c9f1ec6a,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a35f787-fc79-4e82-a2c1-fcbeedb7d7a5,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e0c1abb-c27a-4623-a68b-10c003553bc5,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,341ef736-9008-4ba8-95f5-ea7559329934,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c5eabdb-7f3e-4191-b66e-575a0e743865,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04a3d359-4fe4-45d8-b7ea-2e64c2715c88,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5633dac4-278e-46e4-9fb6-bf420449fb40,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,76733afe-1138-4694-9845-08304ece8e56,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + 
C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a395f218-ea84-4c93-92dd-e07591e657b0,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2cd12d88-d886-4613-99c1-ce3ec0ef3ace,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,f1b775cf-301a-42fd-b099-cac3f9365df5,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,1f20700c-2e23-4ec5-b421-85a94b1d4980,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + 
WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,42102f46-76b7-4946-b524-47a2bb980ca3,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,244bf681-b9bf-4714-bd43-2fcd6841eb2e,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,18c7789e-aac8-44fd-909d-2834ff20f935,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d54f3ac8-f326-4e35-a950-28cb03e14689,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program 
Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,0faefd03-bee1-4610-af39-7cf1fe37cd09,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,84dd3c32-a778-4535-baf9-385a65a89f57,"4/16/2021, 9:24:44.109 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78d4d168-3eef-41a8-9eb6-ebd98a4459c8,"4/16/2021, 9:24:44.109 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d9273d62-6858-431c-816c-09afcefac60d,"4/16/2021, 9:24:44.109 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,86e74cb3-9e12-4e89-b436-319f630e91b6,"4/16/2021, 9:24:44.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f90d03b8-303d-4faa-bd37-74ee09336b82,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,810667c1-bb02-4719-8a3b-2401a2d6fa44,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdddd211-1844-4022-8a75-5374b2f25700,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1203fa0e-be48-4a68-9d43-f4843e28be85,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fb9e609-511c-40df-a5ba-b9900c9af279,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b694917-9e29-4516-babf-a9fa8af66264,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,961aba3d-441c-4736-8e17-f7a1808eab01,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,819c82d7-b7fd-490c-bdcf-89968ba418a7,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca05dc2c-b012-4ccb-a0a3-a214e29301b8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7957589-70db-4f4a-a340-082618ed03ea,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0971d9ff-e792-493e-bb33-b9ecc330ed7d,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1808dccb-fb59-451e-b7ec-8486522cdb29,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a001944-6551-4b4f-82f3-d78dfdf5fa87,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42f5d4c9-a9b3-44c3-9c89-b91e1f201ae8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13312355-32d4-4019-ac14-c94bfbcfc848,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84c02521-b946-41c5-a56d-e5a0d24b7176,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec0d90b8-0e4c-4e02-a983-72f63dfa033b,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,127b6305-83b4-4002-a605-a3e50094eda8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6c8c7df-b413-4501-b059-df1fa225c6c1,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba013f56-a28d-4668-b907-268c2505a9b6,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4b778b8-0398-4e20-b867-4f27e98f4996,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,755d873a-b7e1-45e2-bc1e-bcb8d194cda8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57f11693-9e42-472b-8dff-1540ef64a500,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a77f4e5-977f-44e1-8f9e-87ceee9cfa03,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,911975c1-886e-4737-b349-f643dd91cd75,"4/16/2021, 9:24:43.348 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fb6167ba-998b-41bf-af2d-c66d2f3ff2dd,"4/16/2021, 9:24:43.348 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9584 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,53802ac1-8b13-4acd-aadb-5abcb7cb093a,"4/16/2021, 9:24:49.339 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9140 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,440c8aac-eff5-4013-998a-7d6b9dfa4f82,"4/16/2021, 9:24:49.339 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 
3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,baa0683f-fdb4-4a63-99ad-fa18773b9f94,"4/16/2021, 9:24:45.871 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4911fed0-5875-454e-bcf5-aba57c51f802,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\REMOTO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099715bd-7dd6-4480-8fc5-60da643edf0d,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7553dab5-4817-4d75-bd6b-3e742e617e0d,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe0f2838-123d-4038-b4d3-75645352c1e1,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,834124c6-a510-41e7-be6d-65f391818806,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92c2582e-b558-4ca7-8264-c11db203fbd5,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf1a908c-ace2-4bef-a7a3-a76bb104ca4b,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50605fde-d2af-4210-abc0-8228ebccce01,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76fc94d1-5b1e-495f-9ae4-031486ba18e6,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8def95a6-9513-4b51-a6c8-24ca536fe69b,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a50e3ef3-e662-44c1-8144-b207da8224d1,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53f68f59-c9bd-4153-9bf4-8fd4aef9b81d,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f4cc2df-c847-4605-9cbb-c0579ae9c1ed,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e49f4da0-74b8-4d73-aa2e-e8b9c98216c9,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b4f86bc-de28-475a-8ab4-502203d29f7e,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ba4488-a272-4913-a511-7348d91f5494,"4/16/2021, 9:24:47.741 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38a04537-ae15-4c3f-993e-45be953f31b4,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1de73ceb-b5eb-4db5-aade-bd366a6036e7,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af667c1e-640f-4f71-8f8b-37a89e5e02e6,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d60f4533-7aef-47e3-b792-cecca563e4a3,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\MARKETING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b907787-53b8-4895-a9d5-a256da856edc,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fc37bc0-4bc0-427a-bab5-f55649f710d5,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6460 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + 
+",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f74b9fd4-e3e2-4ebb-a02f-ec5198784d3d,"4/16/2021, 9:24:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c2710552-fd64-4629-bb2f-3964b1dce4dd,"4/16/2021, 9:24:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e4e6c3c6-5c6c-4c7e-9071-9fd27cca780c,"4/16/2021, 9:24:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9f3b4b90-0f6e-4bb9-93b9-973993abbc42,"4/16/2021, 9:24:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,da3c7207-6ff5-4fb6-9b70-6d9d3b65d186,"4/16/2021, 9:24:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c9052e3e-9657-4f1e-865f-14b1fa640e49,"4/16/2021, 9:24:52.736 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f9406bb-e964-48e2-b163-c3aa0b819624,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e9819e-b008-48c8-87cf-912a3ef4de51,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f85dfa74-e7a3-4482-b319-92b96e8297c2,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45d3d095-f350-437d-aa04-38f788a80a6b,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a904234f-e9ed-46fb-ac65-9bb29646ea2d,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e1765a-35bf-4ce1-8dea-3fc8e15c060e,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5890de7-76ad-461b-a2e1-5f7a70eae575,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19eb697c-d860-453a-9283-4c9d5ecd88e6,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3e69db5-d6cf-472c-baa5-a274eefff315,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aeb4140-2d65-4c0a-947b-dd611ca3e477,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,792f2884-4129-4c44-a9bf-edca8b8ea19d,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13adfda6-3410-4a8f-b49a-c124d7e2fc3e,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,585f86e3-88e5-44de-ad5c-3b360bdd0dc5,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ceb7591-b76a-4014-9316-930dfeee5088,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb45afae-257a-4c54-94c1-79ceb991595f,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4afab60a-ff1c-4693-b7bf-8b9ddb0409d4,"4/16/2021, 
9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6f0643c-6c96-4851-9a2c-ebf27402cd2e,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,993e6bb0-ec56-420b-85ab-1c684758e3ea,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06707d6a-de1e-45ce-b7ba-3cb03a830d42,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee69f44d-f523-46cd-8e8d-4ce03c98baa9,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04ae20a2-8f42-4500-bafc-be2aceb71769,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a901acc2-73a7-4af9-830d-89b332215dd2,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f2af23f-9a73-4a35-9788-7a6ee964a2ee,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e70750b-1c66-450c-a17f-53d3f4745c63,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f64e9e5-ab84-4388-a475-9392c0dd1bdc,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9076 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7f2686d8-e315-410b-a2e9-b0e7d2f5a199,"4/16/2021, 9:24:57.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b51fd54c-135c-4827-b2d7-5ed1d52258c1,"4/16/2021, 9:24:57.009 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f3f00404-c2e1-4769-87ec-f626401d1c94,"4/16/2021, 9:25:00.643 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 852 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,74b9f45e-1d41-47fc-9a00-7fd7d69c5dd4,"4/16/2021, 9:25:00.643 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VICTIMPC$ + CONTOSO + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-16T11:26:29Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> 
<RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 13510798882126614 + 4728 + 780 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,29202f83-f593-441e-bcb4-924b2fc21be5,"4/16/2021, 9:25:00.643 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8612 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8040bd85-07f3-4062-80d2-a89e7ee349d6,"4/16/2021, 9:25:00.643 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,35c23b78-b11b-4cde-b8e6-dabad8cbb97f,"4/16/2021, 9:25:00.643 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,979b8c1f-f7db-4905-b650-7293064858d4,"4/16/2021, 9:25:00.643 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,abf69c88-2a4a-4695-9845-f5250c7e45c1,"4/16/2021, 9:25:00.643 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f9758f50-b14d-442e-a7e1-ae3b7fdf2f4b,"4/16/2021, 9:25:00.643 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b1d937-e7b5-487e-be89-394f29105957,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21adced3-72bf-4eda-afce-25391a9e1d1b,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70f8191c-2b5f-40dd-994c-d5cc9f362031,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0e65c1e-3770-4eb0-9cd6-28d6cec47c00,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80d0b164-dd39-4aed-b3a5-6ab0b83f1e51,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66495312-615a-4bfe-b335-afc6897b5931,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0adf5f9f-6f8d-4cf6-b04c-c9a82cc34523,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd441941-2b30-4223-a98f-79bf71190993,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b57a85f0-b700-4309-bd9c-b2866f6075f0,"4/16/2021, 9:25:02.743 AM",,,,,,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,582cd899-b925-40fd-8d3d-a45bbfbf1f01,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7fd278f-26da-4384-a553-95d628be4cd4,"4/16/2021, 9:25:02.743 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05ed88ac-1be1-461a-8763-dd91ba74ded7,"4/16/2021, 9:25:02.743 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d758886-d773-44e2-a760-237c23b6d8e5,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b6c5efe-98a5-4367-b777-9d12feb432f2,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9deb7432-843c-4b7d-8fa8-7a5b59156dac,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b8af673-d5e1-4306-9aa8-83805972d0db,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38924484-4be7-4641-acc1-4dad57844195,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, 
+\MARIA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3734ab9-59f7-4f63-8d65-f8aa3abb5cf5,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\ABCD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fce6f1f6-8e11-45b1-a279-90af19d1be2d,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d047a45-6ae7-4876-bdf8-59047d11f7eb,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,592b68be-b2c8-4bc4-86a8-469492f7f780,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edeb1737-7cdd-4fca-a25b-0c0296a92be4,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ab8485b-64ed-42f5-91ec-b16352076c7d,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d4616b0-3ec9-4b0d-b236-f94250c5f8ce,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\MARIES,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02339a52-be14-41c9-9aa3-e3d3ffca09af,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6207a1ee-20b7-4dbb-bd43-3fab1cfc7432,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0e8a26-3d87-40cb-aa24-0bc32375f796,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,882281ea-46b5-4d55-a015-925606629c45,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f13f4c70-5583-4b2c-ad95-f307c591a537,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d94ffe9-4ef9-4416-b2c5-8b2a672b9cb5,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b786cf97-7aab-4532-be7a-4792d1f78db2,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a5e3692-0f68-4d1c-9c1a-7494b2383615,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2eafa41-1ccd-4074-a64d-964ac9ea011c,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,844f1792-5551-4350-8456-cddc52ab684f,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fb62cde-d173-4ed8-b90e-3748d7657c6d,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c131fc-8d16-4e4d-a704-4c0602f20d71,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b21bf33-42e6-444b-95c1-fabe3f0f364e,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ASP.NET,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3785dfad-6d2a-4454-bb11-42c5c8f8c10f,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c21320c-9d99-4443-a46d-d3444d39d4b0,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03a6d18-7751-4501-ae3b-04e9796845e6,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d55527fb-dc3c-4bc2-90ea-9d6a80b88e37,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,311c7958-b761-4c0d-9f0a-008c8bd097cf,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,689f9e21-4654-4f86-ac2b-c0d3268f2a92,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,334cc8b7-76b5-4dc9-b24c-2cc14e7008f1,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53be3987-fe4d-47b7-8114-45c8fd8801f6,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42489bc-5ccd-4c69-8efa-98232beda58a,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4fa12a96-787b-4d12-bf1b-da3eaba2c7a9,"4/16/2021, 9:25:09.893 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,54900f23-7cc5-4317-b48e-7008b73c3dc4,"4/16/2021, 9:25:09.893 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1516 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6ebf292c-d392-4bd2-b037-813aceb5ac4b,"4/16/2021, 9:25:09.893 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,259d0dd8-998d-425c-bf51-ad168b804f5a,"4/16/2021, 9:25:09.893 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,794c2bb7-e90d-417e-8e51-8fb9fda38664,"4/16/2021, 9:25:09.893 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a237cc3f-1535-4895-93e3-e5496cdfb664,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffed8b78-1dfa-4b3e-be0c-b4a35ddcbc97,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b9436af-d456-49f3-98df-9b837fdb5a23,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,774d2641-4db7-4ed0-b525-0fc8a5d9023e,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cc78c33-1abd-48b2-a2da-20ede6dab2a8,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6b5de01-e0ac-409e-8191-afa2be8867bd,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76bdec8b-86f8-438d-9fc4-507b4f5c3388,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af5b6f81-4a09-4f35-b352-3acb89395ee5,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f4f3fa1-9f4d-4bc3-9496-b2c7d3c6c60e,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53bcfa14-875c-4436-b084-fdad74cd479c,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9b3183-8537-4959-8d24-1c6ed5ceda92,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcf1ea44-45b6-432d-977d-261f7b839d89,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98219a5b-bd3d-44bf-b7b2-1b53a3d73b8b,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a88bef98-1e88-43a0-a62d-d8783b4e273a,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95a835f5-dee2-46b0-917d-f6bbbca17cca,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b172d38-d8d5-446f-89db-1b69ada8072e,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b2712a0-fc86-444a-83aa-c8b452576737,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc8d0c40-19f0-4030-bff3-25080827e318,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4846fc38-a120-4400-b5b5-56c29c580143,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b26da9c-4676-4532-a0ac-0d5ceec0e762,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acb7ee6e-df9e-4eac-b31d-b10a4a6372ff,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4393bd8e-0dcb-4584-aa57-592ca450d06a,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,520b8e39-f9da-44e9-953d-4bc92873b1dc,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1bd18c2c-5fbb-40d8-bae1-1035b3eb3821,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\SOPHOS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6038c076-0dc6-4bad-b9b2-aac1621e3ca5,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 7984 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS 
DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed2227bd-de61-44c0-9ab7-2c8c5178f037,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,84268ca2-27ce-4d95-acbf-92d68f077b56,"4/16/2021, 9:25:13.423 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,245a2de0-de38-4865-ba04-fb3d1c1d5daf,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\MICHAEL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,65d383dc-5894-4c34-8aa9-b8f9078e439f,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7fb6779a-50fb-402c-a5e0-b4d797073e78,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,de98d44a-6917-43d9-b599-15dea7102227,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SHIR-SAP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" 
xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T17:18:00Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> 
</Task> + 844424930139434 + 1824 + 812 + 0 + SHIR-SAP +",4702,4702 - A scheduled task was updated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,81b36a81-5d73-4737-bef7-a3fd1698eaeb,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5640 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c527af8-600e-4881-baec-cf40c10db0f2,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb6b9330-b38a-4f52-9975-c3ebce408086,"4/16/2021, 9:25:13.423 AM",,,,,,, +\SYSADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,19dc36eb-4bc2-4902-85f2-4ea7b29dcb70,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1fd8eeee-a403-451a-bbd0-321c652ab36d,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,51c5cfb6-9a1b-4d39-8aac-76e0db30d744,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,213d0fb3-4acb-414c-94a6-eeebbee4a91e,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,91344c9d-6d89-43e7-9880-11f4d8fc2ab2,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c80d3adc-6bba-4829-91e4-ca151ea5aa5a,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1584 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9bd8e069-33a2-439a-bfa3-d10344c54347,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5380 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,21320e5a-013f-4421-9a4c-e0d27d3f99d7,"4/16/2021, 9:25:13.423 AM",,,,,,, +\BACKUPADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b80f94f-4f7a-424f-9dd2-44e5a54041ad,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,981d7506-63a1-4679-89c3-4f2f5e9a089b,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dd2f33c-c344-4203-b4ff-f5afe5362e07,"4/16/2021, 9:25:15.734 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,747d64af-3ae7-49cd-89ae-4b32d4678938,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,832bcb2c-2ae9-440e-ab07-a7404a376293,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e26fed0-66d0-4614-8b9e-7679c382c59c,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ed43edf-ed7e-45f6-a01c-088dd487fec5,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a61d7f9-7880-450a-9151-453ce90c676a,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8aaa2705-42f9-4be8-acde-69d0d50d1075,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4183d193-90a6-4e9b-b0cc-d7ff047cf6dc,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca6338f2-c11b-4e4a-986e-ed44a12d4bac,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7f849b0-e99e-4cd2-ba9d-9b15baaad3a1,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,795d1c05-02f4-41e3-95fc-7ad972032b83,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\MANAGER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cccf17d3-813a-487f-9c79-96ce2c9bb825,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b308da4-ba47-477d-82e2-0d11cee9cd9e,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3134af62-841a-4f7a-9207-8df60372e26f,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88891b31-c03a-4369-b8a3-6309ad22f14b,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b55f817-288e-4233-a9f0-2be7127813bd,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d625e958-fe01-4ba2-a4e9-48e28ff674bd,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5851e31b-7ffc-4227-a4f3-420244e276dd,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e49481cc-9f92-4232-8db4-0a1b3987f034,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b4413b8-f8a5-48e7-9c05-799cf2f9bb6a,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42c19764-9f31-4732-a0a1-17dc2f5a610c,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VictimPC2$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T18:46:21Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> 
<RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,bcd73d37-4a7a-4243-b688-088515a4a828,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95c8ee35-4725-4bcb-99f0-335b74233cdf,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9ff58a68-f026-44b9-bc42-c59a320a65bf,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,1324c0e1-fb34-4ff7-b19f-391abe5f63e6,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + 
VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f5a2dc51-92a8-4359-97d2-939b960635d6,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c2799311-f1b9-456f-a07f-9e5ed6e5e1d8,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,019060c4-4122-4b15-89d3-c6214c7426c4,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9a23cfe6-543a-428a-b7c3-4b4f61f98b8a,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cabb6603-816c-4067-82cc-3ef8da9ef54b,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d4aaca77-16b9-49ec-a15f-3a0f0eb6595d,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,458bf508-3239-4384-abdf-387086e106a2,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b46a4467-d5bb-4b0d-a6e5-44e5064b8bf0,"4/16/2021, 9:25:15.064 AM",,,,,,, +\CRESSONA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5d39a8f-e2d7-45c5-975e-21001a941270,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9a69d28-f125-48e3-97ff-6254b5638f8f,"4/16/2021, 
9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,388c0d7c-7418-435b-8410-338e44c72842,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50dcc2e2-449a-4638-8b1f-a50951ee0587,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9941b0a3-6580-49db-be1a-decf8983323b,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b54753af-3c2b-4817-8a78-9150d7fa4f3e,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f335abf-c5f8-467c-a334-48da8e2d52ab,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e886e09-9685-4abc-8037-5200337fe23f,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,261caa12-eed4-44fb-bbca-df72026df213,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8484f726-216d-40d4-a871-3a7f2352834f,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7e3405f-e9e5-4d35-a7c4-0b260169ba58,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4ab27ec-c364-45de-bcf1-6015f6fb47a9,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b21e71-6418-429b-a34a-0edcccb2c133,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce67940a-d831-42c4-813e-47b74fc00857,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a106b830-6d07-44e6-acd8-023619b07c2c,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cc6f0a4-e728-4336-b798-5d2bfd183068,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5eded83-84d6-4cb3-aa34-bf34cf6aa4dd,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e9d534-60c6-4605-976b-0bdb99fa4e71,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6942c649-58a4-47a5-b56f-160fa6366d24,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a21e4584-f360-425e-88f0-c27a73473339,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8b3bd21-5522-4d20-aa83-7cdc48a2fb35,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10e661ee-b275-49ac-bcff-39ccefe514fd,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47601a4f-ba9b-4caf-834c-7eb6c2f8bcd2,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca702a14-2c75-4c4b-83c8-5b846d750ea6,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f82bf72-26c7-417c-b8e0-179853eea67c,"4/16/2021, 9:25:20.189 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dcb24b0-787b-4620-a161-f51dfc699f33,"4/16/2021, 9:25:20.189 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03057e01-30c7-4083-86d5-196bd9e74938,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3332 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38609e7-ff76-43fc-8592-91e2e7b9fac2,"4/16/2021, 9:25:20.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5276 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e18943-25e4-4498-b95d-275520c58f83,"4/16/2021, 9:25:20.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4584 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING 
AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,7603904d-095b-414c-b09e-095e28da9e94,"4/16/2021, 9:25:23.375 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 184 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8900721c-23d6-411e-b6ec-26560f802338,"4/16/2021, 9:25:23.375 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8088 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,39422181-2823-406c-8f71-a941405cbe45,"4/16/2021, 9:25:23.375 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5416 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8d10ded9-e0ac-412a-8d4c-2c38f98ed6ac,"4/16/2021, 9:25:23.375 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2df7dc76-2afe-4cfc-93f0-b67c6367de8a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41abd6a8-7d05-4c33-afd7-665a834573ed,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1346ee46-7cae-4967-844d-d54128993c7f,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3238f2ad-c371-4e7e-85c3-38938c519662,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,609ee5a9-2c50-4c7f-a5ef-0166a31b2891,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a756b7c2-cbae-4b45-8d67-d5f79a845fb6,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f11fcd6-f501-430f-869c-622d9ff3ae37,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89ab9ebb-8c97-41bf-b287-ebbc038cbe31,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14f99c1f-d122-4e75-9150-acb1768fde86,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30692b59-13c2-4e69-b8a7-f88ba0c3bcc7,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4197e6cb-896b-4d8b-be26-6747f296cb02,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deb26f1f-e322-4b5b-8a4d-565c94fbb37a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf82fc8-e699-42a1-94d0-d039607f7a53,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3d9e059-5718-4682-9434-0ec3656f8d0a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad23ddcb-cab1-43b6-b03e-d342cfdad967,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94dba182-8111-4847-8055-4e6931cf0ee2,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa0f5c4-1e01-4b99-b24b-35a8299e2dbc,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc949c11-6b8f-4786-916f-b0aeb4f7dfed,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5a0826b-4edc-4b2d-a4d9-4a35a46f4020,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0888c875-f534-4bde-ab8f-8ffcb3b22eb9,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3936790-8f25-4b00-8651-9dc66ba289dd,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52e0be25-b4dd-4f33-bf47-da2983f5b2f2,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad4c46af-9604-41ac-a139-8598bc23a16a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b42dd534-787a-4448-aa65-01d9c702d4f0,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ab4022a-3bc5-4ee0-86e2-587ab3fff0b0,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecbc9bc7-6e0b-4a29-b784-e75ffacbace5,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f7ee02b-6bd0-42ab-acae-c24039df8973,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b10f933e-7352-4989-acdb-4a5c4f5bf2e2,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,650ec794-2cc5-4fa6-88db-c03c5d905443,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b10fcb6-1b8c-4d54-bf9f-d5f6e9dad8dc,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56abf1c9-adb5-4799-af8f-97cf11ccbdd4,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\LOGMEINREMOTEUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc04d2c9-9b6f-4268-9965-3400b21441a6,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a196948-7258-41fe-bf26-c57fc7ba2706,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d20b82-88c7-4fb2-a91f-cf8bcef921ba,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4092b51-74c3-40f0-872a-12e0413deec5,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c1cfab-d5f2-4e79-9b3e-24cbcda04bad,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,164af097-4c86-477d-becf-7419ee65d19c,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a59a809-232b-4361-aa69-eb155b1397fc,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0d7d70b-30e7-40bc-94cd-bfe2784d8fa4,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6785aff-5fe6-4754-811a-9847ca46e94b,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebc7ff07-7fd1-4dcc-aecc-7f5e17a3864e,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1513a68f-0c17-4d93-96ea-06099722798d,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa827aac-2a08-4519-a552-cf4a1b3e059f,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28281e45-e363-4512-8b23-d891c1b6a19d,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,659165cf-1553-4de9-900c-8e1e9ef2e1d5,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7ddc4eb-37af-4980-8927-7db630de0c08,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1701c183-9c28-4d74-b41f-15c0ce4da93a,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,733da87a-8b8e-4dba-a55e-ca68041c6d9c,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8db65a34-5c05-4bc6-a7e7-2ba6e3a0b08c,"4/16/2021, 9:25:31.875 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4f9cd191-3f36-4aa3-8274-df5a6993e228,"4/16/2021, 9:25:31.875 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x241aecdf + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3407f5a4-546a-4968-abfe-52f123cfbf06,"4/16/2021, 9:25:31.875 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e8ae498a-255c-4ab9-ac56-890e9480012d,"4/16/2021, 9:25:31.875 AM",,,,,,, 
+CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0880baf7-e43d-4caa-b334-e7adb5b75210,"4/16/2021, 9:25:31.875 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,21b1be9a-dadc-4801-b828-306d9bcd1352,"4/16/2021, 9:25:31.875 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,60b1fa3d-29e4-4698-a705-0c25b4ac8c48,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6936 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e6a8516-8c0d-47bb-8909-05fd14bf12c2,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,70b3690b-dfce-4eeb-989c-ba6e3ff1253b,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2744 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bc551cb0-7c0a-4298-9bc2-4e506d20db87,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0da2d8d3-d9c8-4b86-b9d9-3c755bae274e,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ca38732-aa1a-4d9c-9972-2dd523b3dcf8,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11000 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,866ebd74-31c5-464d-91bf-3ed41db99747,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9580 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,25035cf0-bb87-4258-b128-ac8316dabf0c,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d19d6df-4ba6-468b-b887-0390221a7883,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8864 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bcd6a9b0-cc48-434b-a0b9-79920efaeab2,"4/16/2021, 9:25:31.630 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf34975a-c72e-45ab-8bd3-4a774d7951bf,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beab2cf9-dad0-420c-aefa-0b72b55d289f,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a9137ef-633c-4c34-a608-9444d6f8cb6a,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,555cb236-5b53-4775-aaba-52602b1d08fb,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58d49397-6b5a-4ca3-b781-5739984c6757,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36f10b3-e111-4833-a8aa-c6830d2c3176,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d869f36-09d9-4e15-a18f-dfffb769eac1,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f221f6-ff65-45f3-b5b1-824959672142,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f6ef144-560b-4c52-ac1b-4671a63100e8,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed887fe-52c8-4b74-a897-4ff2375ca365,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f546fac1-0917-4c72-ad1a-b14bd5f4c1eb,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,112b6d7a-fadd-4142-b998-080f0a6cbb37,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,d9e489ed-584c-4b18-ba7e-5bba9f8ff199,"4/16/2021, 9:25:33.132 AM",,,,,,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,503fd2ba-8e21-42de-b2e8-d6930c42f187,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9127e60e-7cf9-4f6d-a7e5-09d5a694e74e,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,364fd9c7-eb90-46d6-8d73-df254a244806,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8360b183-9d67-4d23-8d70-a8049af9bff0,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edab3bab-cf7e-40df-b417-f29922168895,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7048b08-5919-413c-87e2-209fb1977e0d,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c39535-fe2e-4083-8d89-1cd20ee791a2,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c587ba9-14de-45d8-b5df-c378de858778,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ea330d9-a55b-4ba1-93ec-8e2f880c3182,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e63402a-c745-470f-8cb1-f2a80341cc04,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e654faa-d50c-447d-b685-8e7def6a1399,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf742e7-a854-491e-bde9-1104b30ac381,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4007f0f-dfb8-4532-b5fd-16068173d75b,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,467e87d2-1688-4b27-a225-40eebdb45c73,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\DANIEL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b0367fa-5f8b-4ce2-a349-397df545f0fc,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b449ea06-9c33-4b89-b03f-b6939404220a,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,705b69c3-c4d1-419f-bd2b-7f90738ccf3b,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d92e869-fb15-4418-9d9f-39723ab941b0,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e25d4c6b-4aa3-4c32-9075-cbce633d2d67,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b55343a-876a-4c77-8a07-9d342c21d26d,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\CONSOLE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbe036d1-c76e-4f28-9d4f-3421b0f23211,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e45d6000-f98c-41e3-a3c8-31c330ba05b0,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3c345b5-e2bd-4916-8c73-2730fe7555a5,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92b02da9-01f4-4a6e-9d9d-de477f026294,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1460af8-85e3-47de-b510-e4cebffe594b,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8372857f-a6e4-451e-9bf0-ed8935062f9c,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12608c7e-c2bc-4cc7-9718-fb6f60a3f8a3,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5758586-697f-44dc-92c0-b0ae647d200c,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e04256a-cfd1-4920-91b4-247286d79598,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,914875b6-cf63-4f97-82be-e07967de96fc,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\VOLKADOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57e051cd-9605-47f8-9571-33b5305a467c,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab495e0c-0ad5-4afe-b954-f4867915b0b4,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d37fc859-d32d-478b-ab81-2d2a4186c0e3,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c306298-0ea4-4aee-bb3b-2de3424fbd82,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1151fa3b-b826-40f7-bfcc-ec5956969d60,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9fbea6b-b429-4eb5-bb17-48d7760c1222,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07822e8a-1da6-43df-8cb3-ac8cc89d2b6c,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e1413b-c11b-4504-bbcd-efc7abba4d91,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c62f47dc-81a4-4d2d-ab7d-ccc0f482b946,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a799854-ac55-4fd7-bce7-a0387bfafcf2,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,781c81b0-69df-4959-a930-d697a4402a74,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\MYPC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73c45aa9-16fb-4d70-a855-c0fb876956d7,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b4b5850-db80-4b5c-95fb-aca792a1d295,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12427082-96c0-460e-8b5b-648f792607d0,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b10110f7-5a19-4a19-9b08-30e0fd296d94,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,897980c7-d4a9-474a-bf81-52138f25b83c,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b39caf9-5974-41e2-b027-8ea7acfc49e7,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e540ea86-f472-46e4-b556-ddb8e7b27c92,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\INFORMATICA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e47d50e4-6554-49ec-8515-bd4a7c379777,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07bb0a80-622d-422c-b444-0300fdd808b4,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a6bffe9-45cf-4c8e-89c9-0f6a455bb44d,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e0945c-2143-4039-914a-675377cac317,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64761e45-096d-4aa4-bb12-beb52d9a47ff,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7483a8cb-b085-42aa-9a05-974d1ee04632,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a15f039-8e67-450e-8548-20cadc4ab5b6,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4857efc8-d47b-4ac1-8447-d2f03623a117,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50c32910-ffdf-4cc2-83d9-0451158189c8,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79a3cb72-cef3-4154-8865-f734117fa191,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f783b1f-ec63-4c8c-a574-aeb3a485a487,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8450122a-abd6-4df3-8801-c11b9a811954,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de443f9f-ffa2-46bd-9398-cc480d9e4f61,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa45d37-b420-4134-93a2-3c7c5469795f,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57ef7755-27ea-4019-b544-9e1284ce9289,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bae2057-225f-4efa-b681-dffd81e2384b,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,475a4ce2-4b91-425f-aaee-395628f16044,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e757160e-a0a3-49d2-8993-14fe39723740,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ade45465-c4a5-4fb3-8781-b4fb6b20e3b1,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e643c2a-3649-4e82-8662-4b3b475fac64,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b141151d-07a9-4dba-b0c6-549ac41f1b5b,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c016f352-073d-41b7-99bb-8b5e979a1a4a,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa5f94d-556d-426e-915e-88b8a6ec9e12,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb694a3e-6146-4616-91f5-0cd5ea5bea22,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f7f1836-9d6c-4894-ba5d-3b55524f7123,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,876c29ce-42cf-438f-b910-22ae754cf264,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fdea6ab-57b3-47f5-8070-f1c2efe16150,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dcdca5d-5821-4a43-a657-039465a04369,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b8d416-8e03-4238-9dc4-41ccb371d395,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83271d5-8254-40ac-bfab-d6b7bd75ed73,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fce4d877-097c-4036-bd0c-bd9c92d7c40f,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcf1890d-9b1f-4389-bf88-f744d84ced38,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a9fa97c-bf62-47c7-a8a7-1a85b21782d9,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f945ffd-ae97-4510-b0a6-992104770b23,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2965e364-9b9b-42fa-9ed5-dbfcde8414be,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa9e3b90-5fb2-4c44-af6a-7fa8055e3d21,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26785983-6b34-4c2b-a7bf-74f5f82a4463,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0bcf481f-5e45-487e-aa87-8765b234bfd7,"4/16/2021, 9:25:48.412 AM",,,,,,, +\TUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5e7202e3-8581-4e2c-a362-1299bd8fc9a6,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8e43aea-c425-4f72-ac72-71f55647268a,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\LABORATORIO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,349c70f6-0f7d-494b-8b68-29a7be9bf985,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ae81b700-479b-4f49-bdad-12ab8b551796,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\USER6,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4b4a8a8e-1b2f-4d2a-ad6e-6332f48c1d49,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f3967c5e-29b3-4f04-8272-c2229929ce6f,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, 
+\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9cab5ad5-a3e5-4df7-a542-75b77d2df935,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1284 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6dbf87bd-abc6-48ce-ad18-fc959ae0d70b,"4/16/2021, 9:25:52.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,df3a53a4-95d0-439f-a026-6bd63347b7b7,"4/16/2021, 9:25:52.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5f3c2314-a3c8-4abb-986f-fc5e15f962cf,"4/16/2021, 9:25:52.745 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c2ded62c-21d9-44d5-bc54-37f6cab557d9,"4/16/2021, 9:25:52.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e8c13d4d-da9a-4dba-8ee4-f31f98ef8632,"4/16/2021, 9:25:52.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,099835ff-aea7-4db0-8db2-d9f94e4eaf88,"4/16/2021, 9:25:52.745 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3f50a947-ac5b-4085-8d73-793d55069198,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,45d5a5b1-3948-4d75-a1c8-f1aab1bf0677,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98a91497-52a3-4733-b6af-922facfe1625,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,017b0872-4648-4316-8931-c566c33523c5,"4/16/2021, 9:25:53.069 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fe1c67a2-86a1-4ff9-b149-f784b3029de1,"4/16/2021, 9:25:53.069 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5333136f-e46a-4f98-afd4-4f0260049629,"4/16/2021, 9:25:53.069 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\AdvancedInstallers + 0x564 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3b270ae5-bd4b-42e4-a474-4794580804e9,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\AdvancedInstallers + 0x564 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI 
+",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,898c28d4-63b8-4ca4-b971-291125338eb7,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Boot + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,419e9731-6e3e-4576-b544-5c2f37bcfa51,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Boot + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,7e39cbe8-afec-4fe4-acbd-84abb1c60d4f,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Bthprops + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,7aed098f-b8ae-4715-834a-0e11866a4c6f,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Bthprops + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,e1486621-f325-4c8f-892a-3da672093082,"4/16/2021, 
9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\en-US\Licenses + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,83eea122-5df4-4ca7-8d35-0ee0e4c46e9a,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\en-US\Licenses + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a4b0217c-acf5-432c-a397-97863e3c4d29,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\icsxml + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,cf6ee625-b953-4205-9233-436036ee652d,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\icsxml + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,dd2e582a-f2bd-4409-a17d-9acf9ab47ed9,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\PointOfService\ProtocolProviders + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3ba3329e-ecaf-423b-8c9a-c3bf05ce1d6f,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\PointOfService\ProtocolProviders + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d1e14c4e-38ab-4fb0-ba4c-3e9445643d7b,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\ProximityToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,40c8da6a-e027-48d9-90ff-8e88937bbb71,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\ProximityToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d89188c3-3363-4739-9bfd-5f4426b72b78,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\RasToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8925a584-0d99-45e3-9b4f-75ff4620b64a,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\RasToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8597f54f-9fee-48f6-8cfb-544de8b829e9,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SecureBootUpdates + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,fecae592-5c83-4aef-8b31-e34d4eb20497,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SecureBootUpdates + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,51ad5050-b120-475f-9da6-498799f34cda,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + 
VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\Common + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,fc268b67-8c71-4af9-976d-27241d7734d3,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\Common + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,1e55dd4e-7d20-483e-b661-c3f23afdddbe,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\SpeechUX + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,268398b8-9a58-48f8-bebe-25f9362d44dc,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\SpeechUX + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d15a3da5-2037-4632-803d-696a00d31e54,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\common + 0x664 + %%1538 + 
0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2428e243-dbaf-4e8f-a7c1-2da281144e27,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\common + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,c2fd818d-a4b0-4bb6-8116-ecd3b361e974,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\VoiceActivation + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,9951ec69-7e12-4a32-8f8e-9c3b6c0281d0,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\VoiceActivation + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3500198d-b519-49f3-a5e8-adee9dfa9a64,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program 
Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4bcf9ca6-6394-4e53-be71-5a9b1cfc9b30,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,45c0e16a-9de8-4453-8862-9d3df6825a18,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform\en-US + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2d39bb84-d988-4bf9-8291-64a55d371cdb,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform\en-US + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4bc3de1c-b8af-4773-8083-8f7cef650758,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\WinMetadata + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to 
access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,12a87c3a-062f-45ba-a007-9d4d7eaec513,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\WinMetadata + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4abc7952-26dd-4bc8-ae33-6540998999e2,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fc207d6e-ff7b-4282-bbe8-95077856360e,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d2286031-ed14-4bcc-850d-40371decea14,"4/16/2021, 9:25:53.069 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22603e74-720b-4545-b723-853dba3c75f1,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eac0c7e7-28b4-4b03-867c-a4d2e3e8e367,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f1495a7-af90-4ae9-ae26-23bad08f0d1a,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79604098-71e3-4154-a9d1-ec0c1a5fb38c,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\COPIER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7399afa9-186d-46ef-947d-84fd86d4a714,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d04b61b-55d9-4a2b-a121-f196d95c8704,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,727c7216-8b70-4300-8df5-25eb56a94480,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fc222ee-4dd1-4db0-8857-0c47bcb7d949,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7197ceec-304b-4a01-9345-bdfbe53e5e1e,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f55a17d-b855-46a4-9372-a0e076282ef5,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a348c376-0a16-4bd9-838f-a338bad5f2b7,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13587ca4-8831-4778-8dcf-ed08512cf4b7,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948cfdc5-f214-49de-a661-f620bd43da5b,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44c39e7e-10b1-4558-92b3-f12fcc33a5d7,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,035c1b18-98dc-4356-880e-1ae3d28a184a,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e8a94d5-f304-44db-92e4-58b1ea55a547,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25640601-741b-4e20-a6a0-0f6356c0937c,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd15f11a-9628-4342-80b8-8711ef5bca0b,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dacdd2de-309f-4a71-9f4c-16a420469f67,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2b89346-0d22-49b9-aa0d-057ee20ab373,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\123,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae9dc8c3-3e4b-4fb2-9570-0d8222cfaeeb,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6db0462-c272-4b42-9d4f-963242f4f932,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5556c423-6484-483b-ade8-516fa3789be1,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31476bd7-8478-4b19-b86a-3b49029712ea,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c83b776-7ba4-4daa-bceb-9090bb765f73,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60b1ada3-7628-4b3f-9d95-1ad104251cdc,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6401bf3c-a675-4b3b-ac6f-709ad88628fa,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b5b3cd7-7778-444e-ae86-628e71b03674,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c85aa7a-e1c1-439c-9db0-392fed9f0c53,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52b7e02a-7a74-4317-80f8-8c7cce81ef8f,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3775e86-70c3-4f39-92fa-e269db113c94,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a33e42a-e9e1-4f93-9eff-7d8d213db06c,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d971fa-a9b7-43c0-873b-de582802ce3f,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd9333a3-1bf7-48db-a650-b2a699d4d318,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a55ba092-cef2-42c5-b684-2e91cf9a8995,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e24ecf27-e563-4435-96f5-afb7c4415641,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaae7bff-bcc0-47d4-af99-0743f8d5fe98,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c20c8c34-6bfa-4bb2-b05d-b3e84bd466ac,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3625110b-23ce-4d91-aa84-4d7137918dc1,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c335fe1a-77a4-4115-a6f2-e3a06a8f3da8,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21ff087f-7d41-49db-90ef-588b00c454fe,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20d5f37-f806-4fae-b6fe-38727055981a,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b73d15f-310a-44da-bae0-ec14006ec99e,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605c7280-f671-4e9f-92cb-f79ffe4f0256,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde369d2-f5a2-4a7c-8050-d44c28f70f8b,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,848b7b0c-6d35-47a5-9a3d-37e8e71dc26e,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77f05db0-6654-46bc-a350-16ae6baa2c12,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a0ef64-fcf1-4ea2-b794-256b1991faa4,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8f6f168-7ee1-4222-94fb-f790eaf3d311,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8824d1d8-e835-46b1-957a-9d1d89a38f9f,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5950a8bc-40c5-422b-a45b-b80a13b04096,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3ea4a8-eefb-45d2-8032-7c97ec4d116c,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f6e34e-715d-462b-b4bc-ab0b96bca03f,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1313f3b1-f908-490a-a7aa-b9eb42cfdd91,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d44a2564-dd95-4f47-a099-1a2b71b3e990,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97f47f37-c692-4eae-86cb-0e4a8428ad6b,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ef5c91e-f8d0-4b2b-b9cb-8d70bf4e11af,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e682b6c-44ef-4dc6-8aad-be67be7a8a5e,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,428299fe-c62d-41bf-b43d-165bdcb98bb2,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee9bd78-593d-4d93-b604-35dbff3842f9,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,723ca371-53d2-4a45-b0fe-1d79411c1b8e,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,458de3a7-d995-4afb-bf98-c39bd78ec5a6,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1fa122b-e5b6-41b4-a8b7-fe3a63bbca2c,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8536354-72a6-47df-9024-d79dc7c0876c,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2aa8792b-1654-458f-a434-089a5c076093,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,824909d2-14cf-42c9-81d6-02d6acea7f44,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b970d4-dc8a-46c8-b266-e114056e9ad7,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0758c73c-b43e-439b-9021-7757f70f8e0b,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd16ade4-b4a4-4a97-ada8-b8a6656c2ecc,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e024b13e-5e00-49f3-84ff-3c9c0e285e3a,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c50e370e-4808-4b32-9494-7c7a43f07ed8,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba7052c2-d4f8-4cc7-bae0-d1ec0870cc2e,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbda7668-6074-4f17-8cf0-5719bd366891,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87097bdd-a972-4817-be63-2ec89bbe7525,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,719cf390-f022-4424-af0a-a2804a75bee3,"4/16/2021, 9:26:02.778 
AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d64ab8b6-f169-4216-8751-fb1501d544cd,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d9bf1d5-fa1c-4ec5-9549-408c06712591,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a559f041-ff60-4b2c-a147-ffe2abd052fe,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\JJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d64af410-bcb8-46b2-ba99-135378f8f4ff,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c121d03-6618-4eed-b15a-248489772743,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64a28ffc-2833-45f5-ad34-a9bb431740b9,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e8ca846-81d3-45cc-8da4-2942e8674071,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1906f2cd-fddf-4fc9-a925-be94cea23df0,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22ad6068-a0ab-4734-917a-05c6cc8aec4a,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28bdd031-7951-47f6-9b81-60bbdb5848c4,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00fc5c39-f80e-42c9-8b3f-42272af01b86,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4aabe8e6-3c04-4e26-bebf-57ae643f3c3e,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e27dd538-b8e9-47b8-a1a2-b33f10c4350f,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5c916eb-a6c0-4606-9727-746f7b53e34d,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eac257a8-5f4f-431f-af8c-fd11f4702d44,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\RECEPCION,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93c97ba9-44de-4d36-8216-d4777396943a,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,937d1fad-e3a9-493b-9c6d-18a10355aa78,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,277b372f-b808-42d5-b5dc-896905f6356a,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a9dec70-49ea-4db5-b4d0-37fae998fe21,"4/16/2021, 9:26:02.778 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93014925-37ef-4a3f-98c5-4c0bc71b5ad6,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e70167b-f8ed-49da-96ea-136c7e5861db,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b17774-28a3-4052-b164-0c30f1339c73,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,003304f4-f6d8-4574-b114-a55d10d9679d,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b632e20-03d1-479f-8779-bda8544fab81,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14f635bc-d83b-4a7d-8898-78fe8f5a8b70,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ac41692-969c-43a9-a598-b9bffa181f9f,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2472b592-811a-4fc5-ac7f-3b0e560d87fa,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f292afb8-1515-4c87-a5d0-eb2eb44fe473,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,362e6d07-2ac4-49e1-a157-7b6f0dc1d9ae,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c3b1314-a77a-4c1e-9e4e-c4db84057c41,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,423f29b2-1a6a-4924-ba9f-a130ab0b8b05,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53f212d0-8db5-4173-a4b0-fdd20c8bc8c3,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87cb9aa8-8009-4bb1-80dd-949557534208,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46dc8200-c27c-488d-bb03-8b8a0344b056,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ddad0a-f5e1-4ef2-b7e1-f6615cd818c2,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a2d445-c8c8-4857-b2bf-4160c5b7eb38,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4427b7a-1470-4a8b-9fbf-56457e8a4134,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a99bc6a1-8406-4bc3-92d1-98777652bfeb,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d12500fc-3b16-4105-9173-39decf39e359,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1f7fd07-7ed6-416a-8739-8e0f381dd725,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22bd033c-1fec-460a-89f0-1a6f0396f149,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4377afa9-4fc9-4a8f-97a8-baaf9412f977,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff3ec0b0-392c-4f88-9e78-5c73c988be9c,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b86aea9-d3f9-424d-9ed5-f07e1b9c878a,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4c17bc2-cc29-457c-ae2d-31434fa87b54,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c321213-f79b-493e-96f5-3e507adf7801,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0b3b4f9-cca2-457b-9e5a-3d41be6508e9,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b5b0845-e0df-468b-ac4b-67eb61814d43,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\ACQUISTI,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,298ff602-1e08-461c-af62-05f35392b5e3,"4/16/2021, 9:26:14.742 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f653db3a-e0b1-4078-93f2-da9eb07e3485,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a9ab785-22ed-47ba-8c8a-65aef4ea2c4b,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2925fc4c-08a0-413c-b165-ca167ecc50d2,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d801a639-b890-46d7-90b7-bdbebb418c3f,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,049ff3e4-1952-41eb-8c38-ed9a3e33efcb,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0770acaf-ba8a-4224-9bf0-1d9d333ece53,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc6fd2fc-c1d7-4d34-8379-b566e3c837c4,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1440256f-aeef-4dd6-b694-e206a16b335b,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76714c6f-eedb-41ad-a7c4-da9c3e1c356c,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27705ac1-ba0e-44bf-8ccc-10243f26b22c,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acbd1c1-9011-435d-9aae-c85443a241ad,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\SHOP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78b10b25-f099-4085-8bf3-5a0cd5923a05,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc7342e1-7ad0-4947-885e-03d76f176243,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65eb202f-5e1e-495e-90d5-c9246af314a4,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfe81b6c-753e-4ec7-83e2-3bf1fd83effb,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\PAYROLL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48948200-d1e8-4774-a104-f9f42418bc7a,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\INTERN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e042367-28c7-4fd7-b246-218c6cb69e4b,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1cd941e2-a529-43c7-b097-ca491dc18a14,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\MYPC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,14846944-5720-4ba8-8588-9d36bcb30110,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\SARA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c557a717-1487-4fb1-bc80-18b8373c160c,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,02633e0a-fd37-4fe0-a527-890ce48ba28c,"4/16/2021, 9:26:20.428 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6342ace-72e3-49dc-b056-f1681bbe904c,"4/16/2021, 9:26:20.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 932 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b99d5e92-7e7b-414a-93ae-a34213ca1a94,"4/16/2021, 
9:26:20.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4320 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4fa98d83-7e2e-4d6c-9434-0cf4001d915b,"4/16/2021, 9:26:20.428 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,120b295b-b141-4dc0-a98e-677b0ebf45c1,"4/16/2021, 9:26:20.428 AM",,,,,,, +\FTP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca8ad36c-598c-4979-9559-60eb16c5cbac,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89584742-a3b9-4584-a072-5df2ff23245d,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c31f67a2-57f3-4da4-a931-537b5544aff0,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b9e65c0-ca03-463c-a7ce-14f1e66bba19,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, 
+\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbe82b9-2b45-46a3-a263-a9768fa720cb,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c2b46dc-c413-42b2-96c1-e347294207e5,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cfd8cda-a77e-4613-95bc-456c84993a82,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36d2046-0499-4edb-bfa0-9927b1c6637b,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15e81491-05a3-4909-855d-8e2ec26f449e,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b454dd9d-9080-436b-9040-dacd87833fc7,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2418e56-616c-4f19-bcf8-8a78bc41a615,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4fec3df-c3c8-4bed-b022-2a914e4ef409,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38d92e50-0b83-4525-805c-08000331f980,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bf7ff37-dd10-4830-b928-d66443c4cb12,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fb0c0c8-51e3-400c-ae19-e1a206398414,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbdee290-66b2-462d-8ab9-4613d5ea9870,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99fa7b4a-1b16-4825-8ea9-f36a2f102751,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd249d06-8df1-47b8-bfc5-615231e87846,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9b310aa-0a46-4662-ba98-837c91f65efa,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c4bfb08-fe7b-4c39-89bf-a14c6fcef41c,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b5992ee-85ae-4ca2-ac52-f7d316733144,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cb42192-be4d-4378-b16b-9f0f3ecf89c6,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c782ebb0-8f37-4b98-9d2e-5de2da20595f,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b5f52417-9ff9-4468-94b5-ecc1a63ccff2,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b8f23617-3c60-4ce4-a3b3-5d0e345f5e3b,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1371b498-d211-45f1-a4b9-3cea924cbf0c,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1462616-7bc7-43af-a824-9e9b6aa566e2,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,30ba4a7a-0d17-4854-8da0-cd68eccbd3bb,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b7be24c-b646-417b-941e-62c193e9e8f8,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d68d4232-c167-4fc9-809a-92b78ee838ed,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,87b69702-56c7-468c-bc09-653bb59276b4,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ce112dc3-4777-4486-b32d-4772f2386a2c,"4/16/2021, 9:26:24.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\AdvancedInstallers + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,167c3253-e12d-4765-8b68-9084fe750c83,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\AdvancedInstallers + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,1d370b77-ef10-4e2f-8d73-e27b0c3a3d94,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Bthprops + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an 
object.,0b31dee3-5401-43d7-802a-7c8aab820390,24de0c24-610c-4c24-8760-6b7c374ab263,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Bthprops + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3be45df3-da3d-4ea8-8b3e-644bab8ea6f5,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\en-US\Licenses + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8cb58344-2938-42f9-a52d-e993367d885e,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\en-US\Licenses + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,e88a9b7c-fc50-4d66-80ba-9c193bfaf3f9,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\icsxml + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,b21a3f3f-5823-44cb-9cde-de49151c2b03,"4/16/2021, 9:26:24.068 AM","%%1538 
",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\icsxml + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,48e0ca9a-1fb8-41a7-a84e-efe4a060d891,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\RasToast + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,081ffbbc-fcad-4fe8-9f88-e9a53578f840,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\RasToast + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,0bdbcea1-a28a-4449-ab4c-a8a466ecb859,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\Common + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8e7966c0-4db6-4802-9419-fa3c500d0d36,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + 
VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\Common + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,dea0e7f8-507d-489c-8ce3-1da4154fde05,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\SpeechUX + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d8a7e12f-9054-43ee-87da-69990bbcbf2b,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\SpeechUX + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,95cba4c5-dfa3-4222-a681-707ed8999fdd,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\Common + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,10a54d90-e674-4caf-ba46-5ec1cc46b93e,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\Common + 0x6c8 + 
%%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3f35e70c-3ad7-48e2-8f75-43f20b1cfe6f,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\VoiceActivation + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,aaf8b242-2287-45f0-9935-cbd889394889,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\VoiceActivation + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,e58a54a5-b2b1-461b-bb34-2fadc1783383,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1195916c-0bd5-4f53-8b4f-b93c63f8c2a0,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 
0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,426b2246-31ca-4f2b-8669-b0e709f759ed,"4/16/2021, 9:26:24.068 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ab6794-9e60-47c4-b6c3-5a7b94b7f0ee,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74700258-0bb5-46cc-8bca-d02bbffa9411,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e08ee63b-f59f-42e5-bb9e-70f42afeda2a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9ffa91-242c-42b2-8f74-9a98ceefac93,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7ee3646-6d11-4d21-b56e-1f76820d7ed0,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f6b2d14-8a81-48f5-85af-f5a366406d51,"4/16/2021, 9:26:23.144 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a0ad63-b4af-4727-8a95-949d1358cb19,"4/16/2021, 9:26:23.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a6ac6c5-83b8-4238-a51b-8a2cb68f4375,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe245d8-e2dc-49f4-a3d9-d328db01a4f3,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d603ea-4451-4f62-8ad7-82ab9b6284ce,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26bcb6b9-4e7d-476d-8ff6-856566aa627b,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5f5f1e-f1e1-4aa6-b884-10f5307de17d,"4/16/2021, 9:26:23.144 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,73d8e674-33fe-48e8-9004-becd8d088b55,"4/16/2021, 9:26:23.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76438a34-11c1-490d-b456-52d37653496f,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23c9e9e9-2a65-4429-8887-e25e5498bf40,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16fcbebb-08cf-4d63-bd4d-db14af31c009,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,635858b2-1f88-4aa9-a21c-c39d50cb7a4b,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eff2046e-1b44-419e-a70f-1338e073b4fc,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3a67197-7615-4362-9092-f7effa12b38a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82505cbb-035d-4a3f-90e1-be239d683b4a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f9da335-1134-4b69-9011-2af94a6df2bd,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5751f2a4-cd42-4b13-801c-b54780eedeb7,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9192404e-b13e-4435-a8b1-eb436708d70a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c783b597-8add-4be3-8599-5d6163099bd1,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6c75e7e-8d14-42c1-a6b1-dc5e211ee536,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90159251-d2d0-47e9-96f8-7bbee023d9cd,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccdbbc00-bcc4-4f69-8caa-eca6e1887c0c,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cae78b96-29d7-4db8-a950-9b79c1d7793e,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b0b0a78-46dc-489e-8f87-f3bdbce0d4c2,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b9f8717-2c63-44fb-ad0d-060d2a30b78e,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d836261-d208-4b2e-804e-899c2378b2a0,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,369a39e4-b83c-4303-b280-dbb9ff354dde,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cadfc15a-04c9-4b86-b8ae-118a68085f23,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f41c65d3-9b87-433a-a700-baba68236bfa,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ae1694f-138e-456d-92ac-8388e6e700c8,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fbeebb0-feaf-4d99-82ef-c3e663819c01,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33c84835-307f-4c1f-8a06-676d206066c4,"4/16/2021, 9:26:27.761 
AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b771b23-05a2-4cdb-af30-58c2b44bd018,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50378dda-bdf6-4f27-a75e-b3cdc6ff1ea9,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60c138d9-827c-4301-ab28-c9003c534a68,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\TECH,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3604e157-01e6-4374-b641-f9bf20d86a45,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62963cc1-b1eb-4f30-a2e9-85b54c9a56fa,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f511115f-8eaf-4d2e-890a-7436e6ed010b,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b378e552-ebda-4f3c-9526-53c19922832f,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d588936-9c4f-4a7d-9329-fff8ff0669d4,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e8d280-3586-4d46-bb13-caa6db9c1ded,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c3485fb-d5bf-4e43-ade4-7e5ec0e49b9e,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Access Control Assistance Operators + Builtin + S-1-5-32-579 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,62c06b43-a249-4332-85ff-0828f9bf0d21,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,424fbff5-f93d-42fa-b9d9-e857cb6f329e,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,f05853ee-8cf6-4f46-a753-89e31b64bade,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Cryptographic Operators + Builtin + S-1-5-32-569 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group 
membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,70a43e17-c9b6-4405-973e-028f9742814c,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Device Owners + Builtin + S-1-5-32-583 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,ee675371-cd82-4aec-a225-23708d331ca6,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Distributed COM Users + Builtin + S-1-5-32-562 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,a6e9b44b-7a55-40ba-9dcc-be2bf234ea0c,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Event Log Readers + Builtin + S-1-5-32-573 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,f1ad2a48-c023-4fd6-bbfb-edbc0e75aa04,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Guests + Builtin + S-1-5-32-546 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,722de269-3de4-4d87-9abe-fde0c9f77897,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Hyper-V Administrators + Builtin + 
S-1-5-32-578 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,cbc13d69-05ec-4524-ac79-b21431350467,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + IIS_IUSRS + Builtin + S-1-5-32-568 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,915beb9a-dd69-4e72-9bef-62dbbd3d4958,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Network Configuration Operators + Builtin + S-1-5-32-556 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d9c9b309-2878-44f7-9066-747a0baa75ba,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Performance Log Users + Builtin + S-1-5-32-559 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,7d68c10b-626e-48a4-96d6-78930fce9c6b,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Performance Monitor Users + Builtin + S-1-5-32-558 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was 
enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d614edd1-cc55-4cbe-9b59-f9e9ece5619a,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Power Users + Builtin + S-1-5-32-547 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,aa5cac83-e307-405d-abff-5d728ce85942,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d255d0c2-fb45-4bd9-b695-0739afe0f160,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Management Users + Builtin + S-1-5-32-580 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,73abc14b-5d16-4b36-a6b8-90e2a925dfb5,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Replicator + Builtin + S-1-5-32-552 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,a5bde225-4e28-487f-9f05-d980e5e814ba,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + System Managed Accounts Group + Builtin + 
S-1-5-32-581 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,8a1a6eea-5c84-427a-bdf5-aa4e69d35794,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Users + Builtin + S-1-5-32-545 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,80632f6a-11f8-4726-af2d-9e387632c9fa,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,442a230f-280f-4cc4-969c-a77289740ee9,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,b5d440b6-732e-4c7f-ab6a-50444506873b,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a1f678ce-fd14-4be1-81ee-fc9250dfb29b,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,768939a1-3221-41ed-ad90-7d79257d825a,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5d01bfcc-b1a2-4246-a303-91c76d74df6a,"4/16/2021, 9:26:30.076 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c37c72f7-b4bb-4d10-8437-a19f22bc2745,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c6df9076-b740-43ff-aa4a-515af534f4a9,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4c45c249-5321-4428-b8bf-669de3a22e2f,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,44d48648-2824-4d3b-93a0-64c3d32a7421,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6c6f3410-33da-4632-b8bf-760dcc1e419f,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fd94a196-1001-449d-b706-9b7d564399e2,"4/16/2021, 9:26:30.076 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,ebe67b85-8212-46a4-a86f-f8420466681d,"4/16/2021, 9:26:30.076 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ee06d0b2-6624-42ba-8a9e-9b9af25eeb37,"4/16/2021, 9:26:30.076 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3c2dcf83-5ee6-4425-afa6-d7ede4e9169e,"4/16/2021, 9:26:30.076 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + WindowsLive:(token):name=02dfmnqdobgphxye;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:26:27.967223400Z + 31032 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,5dfe2cd4-1787-4d0e-a945-7d41382607fc,"4/16/2021, 9:26:30.076 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + WindowsLive:(cert):name=02dfmnqdobgphxye;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:26:27.967223400Z + 31032 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,bb26acdc-9cf1-4ce4-a6f0-6b54e573198b,"4/16/2021, 9:26:30.076 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + WindowsLive:target=virtualapp/didlogical + 0 + 1 + %%8100 + 0 + 2021-04-16T09:26:27.967223400Z + 31032 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b92f471a-52af-4081-bd9d-c277b4484cb5,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\Flighting\OneSettings\RefreshCache + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\wosc.dll,-602)</Source> <Author>$(@%systemroot%\system32\wosc.dll,-601)</Author> <Description>$(@%systemroot%\system32\wosc.dll,-603)</Description> <URI>\Microsoft\Windows\Flighting\OneSettings\RefreshCache</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;AU)</SecurityDescriptor> 
</RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT273M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2021-04-16T09:56:28.049Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1H</RandomDelay> </TimeTrigger> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7538BCA33A019502</StateName> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT5M</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <ComHandler> <ClassId>{E07647F7-AED2-48D9-9720-939BC24A8A3C}</ClassId> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,b24ffa38-18a6-40c6-af2f-8a5cd5f719b1,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,43160724-a2a4-4268-be3f-41f561a510f6,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A 
new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cbe6edd7-5ac8-48ba-95b0-046493b8f4f9,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,34c9ff85-d8e9-4fd9-a281-801ff5c0e9fe,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2f355c70-eaed-49fc-a6a7-611beebadb0b,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,968186d3-f048-47b9-b926-6a6bcf5281c2,"4/16/2021, 9:26:30.076 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e26cd317-994d-4624-931e-5233d7249ce3,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a4147db-b181-4e95-91e7-1b7c217f001b,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae44bcc-691b-487e-8719-eb6bd2e112f5,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,869efce3-2f4f-4aa8-a6b4-d613101e1eb4,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba4d3625-242a-4aab-a9df-276ea988575e,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e91f9488-93e5-46c4-b31e-b6956fcfa77b,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4571e02a-060f-47e1-8584-a7aa01a147e2,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0fcc537-6263-417b-911d-3379ddecba83,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9269dbb0-be86-4465-9876-30a9a841cfea,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,199b7d7d-8b24-473c-a493-778982169797,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f0e78e1-94f9-44a3-b308-9723f361b20b,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e460e36-b6f2-4f36-9459-8196d8bc93da,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,897318c8-697e-4ad2-ad8d-103043c89fb9,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b6a174-f026-4a1e-b2e2-475dc7ed5636,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a69cb96-bfdb-4a40-91ff-6127b344fb62,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00a75128-958c-4c94-b2ec-c93bc45b19bf,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03e11532-5cf7-47b1-87b5-79185636591c,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53d4c0c2-e49d-4d4c-85cc-172a3d51f6a0,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d431c0a-beea-4c2c-b96f-da4d313f26b8,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53b7506d-7a79-4342-8ae5-f6818e5aac58,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df60341-3c82-483d-9708-11b36d7e198f,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,549c8ac7-8a3a-46a5-a01f-ba7e5b9affae,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66888e8f-1116-43c0-a919-da9c63281419,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,571bd420-4bc1-4b9a-8243-d5b593ed0c68,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c80328f-de99-477a-8ca6-10ce13487cde,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b436c9c1-f6f5-41c5-8637-34a07533cca1,"4/16/2021, 9:26:37.133 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8adde17-966f-482b-941d-6998af298c4b,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbd3f54a-a634-497d-a888-3df77a80a477,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b45f06f9-36a7-4481-ae79-4ce84348f80b,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,483d510d-bde0-4079-be20-0f97b255eeab,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d68367eb-e7c4-452c-ba05-36dcd6f175e4,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05780e0d-8e12-469a-9a50-227844dfb4a8,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30d82aed-fa76-4aae-a1d1-3d5770b1e326,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9977bf3f-a21a-459d-b9fb-33f424fa074e,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f95c418e-efb0-48a3-b741-6c842518a721,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f161ad38-be6e-4682-9576-ebf22adbe3ea,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aba157c7-3d62-4086-bd49-d369dd74eff0,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95f42d9c-4271-438c-9a60-1c694565354e,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8436e4b9-8040-47f2-aa2c-076da61911d2,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a97633-6bc8-482d-bb0e-75d3e9497f77,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56921cb1-d5e3-455f-af57-11284209ec40,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ab72eca-f1c0-4fa5-bc86-ff5e91312adb,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,342bf1e0-7f93-444f-a07e-452a4b870a58,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4bbebd0-9b61-416a-9ccf-8cf918f428b8,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59630c70-2613-482f-b047-9a0e15175e02,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5208b54-5b9b-4415-bdd9-6adfc8ec4ff8,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1e6c8a-36ca-45a3-8f69-e4e8009b1614,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d004cfdc-355a-4f7a-9c9e-2058dd98281a,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebca6d2d-f42f-463a-89a3-5b20b9bc7a4d,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11753b20-2ece-42b5-b135-08ee675bebee,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00bf7f9b-ce0b-40dc-9ac1-31c2f18f54dc,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,badffc56-940d-431d-9d21-986f18becbb1,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bce80726-d840-4ba4-9e24-bdaae7c64cb5,"4/16/2021, 9:26:40.745 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5021e56c-9a97-4237-b918-5e44d6109e89,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31527faa-a36d-4f34-933f-47a04e78c9b3,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d776de5f-aa42-4344-bbd4-4ea7225feb3b,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2368495a-b1e0-4795-bdc0-bafaa347fdeb,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a86a928-fa27-4245-97a6-9ff7028fe00c,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,542f886a-2c60-476f-aa3b-b727c7af2320,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c83da1bd-2469-4627-903b-45101b82602a,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\ACCUEIL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a6454c8-2f9f-4f17-a7e2-57be6e737666,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8385bf38-eccf-4419-89dc-1fb20e77e63d,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1c9d3ff-9ae1-49ae-a9b1-ff3f6e508bf9,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3437392-8d8f-4c79-a347-3138f2032b08,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d20631cf-f295-4620-806e-2c46eeb47098,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67a0bab1-a73e-45e4-a63e-eee621c8baec,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be9f07d0-04c8-4cce-9440-eef4968e9b98,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6c51eb5-3159-4099-ab20-a4fe3d2c192c,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7170ff8-05e1-4002-8e70-f8c848117da7,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e439796f-26c3-43f0-80bb-3277dabb614f,"4/16/2021, 9:26:41.141 
AM",,,,,NTLM,, +\CRLSALESZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8a4220-a822-41d7-90dc-f391685f3fab,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b48894e-0c7d-482b-b6c0-971456ccafe3,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,99d3a93f-e6b4-46c5-ba54-847b246e7140,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff2b612a-ae0d-42a2-aa03-0ce024fef268,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,da5edb59-7d39-4f61-acbf-942299656f44,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b885fa-b171-41ce-880f-fa9566a3d586,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9f1de0e-a0c2-49e9-86c1-13d31b70c5c6,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bf3044c-25d7-4e4c-bb7c-1e812cd323de,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e042fa-193a-451c-96d0-a6939d612113,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db62aeb-ee69-40d9-85c8-db94809cf51b,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,277d7367-7ef4-40f9-bc6d-c1c2c6086492,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4ae7e2b-b64a-45a1-b26e-4a3a72f16593,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa96f20-e6aa-4e81-be06-8731ce35f815,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7732ff-e755-49ce-9731-af2e33a6092c,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,58ee85f7-3742-4c25-a6e9-4edfad790d3f,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d61492f-bffe-41f1-b5ad-e9444ea932a9,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3536e18a-6d3a-44d1-97af-32cf11a6f94a,"4/16/2021, 
9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,223f2eb5-23a9-427c-84a4-4d6613b7f41e,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,85192978-ea5d-4bc2-aac5-3051203a6bf4,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,6116f295-6b0b-4e2d-856f-7461f96a5094,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,796c06c5-57a3-41f5-b202-72c15209fa8f,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,a85637ec-c950-43ce-8920-a54d433da4a9,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ea501af-130f-4255-be68-317da61e2b25,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,da43f171-3c7e-4cbc-9ca5-8e3e4b96555d,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc6dff58-849a-4059-bacb-f4a39556e8b5,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,856434c5-4727-47e3-a31b-09d88c93b12d,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e467b45-8cd2-4534-b85c-6d9c0644474a,"4/16/2021, 9:26:41.141 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beba7231-5261-4d93-9b3d-0e85abefaf28,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b236a65a-a14f-4456-96c1-91916b2014b7,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8688 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e575cf6-c0e6-40cf-97b2-8b9ee1216a60,"4/16/2021, 9:26:41.141 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c1249f-de45-46ba-8a5e-6b6acfaf4c8f,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b33d1efa-960e-4e3e-b6e3-0a994e712498,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15b3f9a8-66a2-4045-af4c-7eb9fe75ddd9,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69cff757-18e7-48d6-a31f-829f2fe0fd94,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9865a3c1-e942-4df2-b37a-b840276eb2ea,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b259a476-ca8f-4efd-9dcb-ab4a496b66a0,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,86ce6717-a26c-40f5-b1ff-c2d5f873ee6e,"4/16/2021, 9:26:45.874 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9cd1b4da-f5a6-4a11-a504-819e1cedc19a,"4/16/2021, 9:26:45.874 AM","%%5649 ",0x2,-,-,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2e9654a-d919-4c3a-8eac-440c37e2082d,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f40e842-6688-44d0-94af-98a612c9ccf1,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39ada161-6951-4610-b9e1-d5c77a3d0643,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5ff5a91-2279-4554-845d-3b551ab4d26c,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1be62472-f45f-44ca-a2e4-cdccec1c2f65,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c0d285-5dfc-42ca-8099-457e11dca809,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74325cd5-4933-4eeb-8f05-2007e60566e2,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b15655-79bd-47ed-a9b5-6d7bca316bf5,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a126d541-25c8-4506-a36b-797709cbe162,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7413ed3-675f-4571-9593-e41f5ee44af3,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760a2984-d175-451c-ab9d-9e14cf07bafb,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb2fd33a-741b-4be4-8112-6cca4101a5bc,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9bb1504-7826-4129-848d-d05eb8e43265,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c942d0a0-2548-498a-b109-db2d3a14a423,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5199b902-ae33-4f10-b8f2-6cdcb98a7ba7,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db2f413c-930b-4f92-ba0b-58eacd406cb6,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6f23f51-7e7b-4447-a7d4-f2d9ac79833f,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4141c25-e85a-40c2-9cb2-d64561f07475,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c461c7c9-56af-4f74-9e75-386890fb7901,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c974c29-a3ea-4ffc-bcd7-2eeef72c5e54,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01031f70-63f5-4a9d-93d1-faaf4f2b605a,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0473ae2-d671-4014-9519-0d53f6cbdbad,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2268144-ebfa-4a93-a228-6e3c01df9883,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b7943df-2355-4753-a12a-13b539a2c2bd,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,eaabf254-897c-4d0f-9838-06d49fdfb1d4,"4/16/2021, 9:26:50.275 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11532 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,14d0f88a-bab1-4fce-ab66-22271d1ab577,"4/16/2021, 9:26:50.275 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fd0d9896-a3bd-4db5-a905-8d880d4fa1f4,"4/16/2021, 9:26:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,64b08386-6f4c-4ec3-8a79-810f07f0503e,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2172 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a2f82a2e-a855-4e75-9bff-a7887e2669d0,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e8c1a21a-35e9-4524-a679-6adb7d66f2c0,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5664 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 
0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,85db433f-7ba1-443b-81a4-0e60240e783e,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1272 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1b6b2e48-e685-455f-9420-90952963d5d4,"4/16/2021, 9:26:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dae3ac2d-8adc-4f49-bb4f-f7b4d2b2222d,"4/16/2021, 9:26:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af4ebfa1-b32c-46b6-85ce-cc1f0ce69e74,"4/16/2021, 9:26:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fd7caf0e-9bc3-47ce-aea2-25b7ee5978cf,"4/16/2021, 9:26:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a92aba75-1bb0-42ba-ad54-6fbc70d20e04,"4/16/2021, 9:26:46.725 AM",,,,,,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,471afeda-0fb8-44a0-a728-d3116d456f83,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6535fd4-c785-4281-9b84-1c87c0d631c1,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3639211c-8793-481a-a525-dd307725db4f,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbac3c18-a600-457c-8750-c1aa46bdc176,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5ca63b3-8019-428b-bc69-7d01e8c1579a,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ccd8a42-0ddd-4045-8edd-838df5540a54,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,053bd71a-9b06-478e-9ae4-20eb806d9c42,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c50cb1f7-cc9c-417a-a07c-65cda0f4f297,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,775e2f05-77e2-482a-a1de-5d819607698f,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55693c70-50c8-42ea-b4ba-608017e2a8b2,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d227ebee-dde3-4b99-be52-59b37d297bb3,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,862fdb0d-a832-4334-b555-aab2b3d01888,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9789c003-7c1e-4a31-8a24-24bbf9e28d41,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4079f67-fc4a-4a75-8e54-599206145895,"4/16/2021, 9:26:54.134 AM",,,,,,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,545058bc-1b17-4f7a-928e-ed15bc450d62,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65e607d4-4942-44b8-9fae-7640e379653a,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,076d0824-4eb9-41d1-9cd0-9faf3525795b,"4/16/2021, 9:26:54.134 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e9b291-0a98-49cc-b0d8-a3c4c917490c,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,502286f4-35f8-47aa-92cc-ce6b45a4fe64,"4/16/2021, 9:26:54.134 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a0d15e0-bf32-4b32-91e9-c424edee167e,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b5f98b7-7f40-4c01-bab1-010d100e69cd,"4/16/2021, 9:26:54.134 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfe08113-e530-4ce5-adf3-07b0668b0eae,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,181922ae-1056-4c75-bdc0-cffd303aa07f,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f532e13c-b5b3-4e2f-b279-98aa6f88e71a,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01013f9a-f515-4bca-8544-d0e4d33c26e1,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e865c895-419b-4c40-9ded-f57e88a823bc,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b783e77-3c05-49db-b6c5-2ebf96dceb72,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d689f27-53fa-448b-9fa5-76f9bdb13430,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dadec441-659b-4073-b72e-02e4f6e25604,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d941f01-f80c-40b1-a017-a7ea15a7405b,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,816b4bb5-4e46-451d-87b5-52d857e941dc,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,081735dc-89df-4f14-a108-a71936bc10f7,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d12ef10-06a0-4965-b3ac-fff211d785dd,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e25e7481-4455-4068-aaa6-533fff37f0d5,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9878af16-cd48-48cc-b40b-fffe6b2cbc56,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91686493-3bf9-4a63-ad51-2f48b68aa318,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69b5c5ef-ffae-4859-b351-f21df06814ea,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89189c80-7f73-4526-aca9-6b84c7f9414f,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b0c0d15-e023-4179-9d5c-94e1c82dfab7,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54a6d8d7-1d65-44cd-bac5-68da33f86a0e,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55610779-7061-4adc-910e-0952975756b9,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d58f16-4f1d-46be-aaa4-8d657234d24f,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,937563cc-3b9f-450e-b719-5de65b1514b7,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a51727-d70c-4a32-82c9-0ca92647a708,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f67cfc-8bb1-4f16-bd34-372991316681,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a0cf909-96be-45e5-a7cb-37aa4ada0ea9,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f82928f-83a4-4d42-bbff-58de96719c7c,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c00abc1-0229-44b4-914a-b13ac58f1919,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7e61e7d-b9f1-4610-8544-3f9f1acdbb14,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f4660cd7-b460-4c9b-851b-0f474178e3f6,"4/16/2021, 9:26:57.014 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1068 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2e880323-ccf3-4826-b48d-d31f15b63638,"4/16/2021, 9:26:57.014 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 11808 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D783370D0C3716126E1F2130E165DBCF9EA52A431FB5BF0AB5E3D9D3D479AC08 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.01 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ef2305c8-cf48-461a-a15f-17d72092ef73,"4/16/2021, 9:26:57.014 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 14648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,0f8a570a-09fd-4e7c-b01e-e746fc9ffc72,"4/16/2021, 9:26:57.014 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5612dee4-e925-440d-a02e-6ca34de3133f,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5e5ff400-6028-45c6-837b-9f6017821333,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\STORES,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9f58e60c-a9f5-4639-adda-35e0f275da99,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\PAUL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c613a18-3167-4769-afbf-59fa56f35fcb,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,640000e1-f415-4c5d-9a2a-9eddfcaea4fe,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\ACRONIS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1e8b94d-8317-40d4-a250-327e438c4224,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + cris + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1001 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,49293f44-2019-42c9-8351-e6eb777018f1,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-503 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe 
+",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,74a3a254-b8a9-417f-b450-0033c53c44cf,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-501 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,219dae01-dcaa-47c5-bbdb-53478714fe91,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,5eb739f1-809e-4753-b239-cd548b2cb4d7,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + sarahf + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1000 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,450b40e7-ce81-4d6c-9ca3-ee9877f6df02,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-504 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,6cbeedf7-e183-4cf9-ae9b-fbdbbd62484f,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,515141d5-9ccb-4da6-96bd-cc21d54fde2b,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1302ef2-ccaa-425b-98d1-f8853e1d6752,"4/16/2021, 9:27:02.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,976382a8-d6a3-46f7-b2ea-2d6d09291d7c,"4/16/2021, 9:27:02.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d824b9ac-2784-4a5d-b318-3b0994edafb9,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98d110bb-1cb7-4aea-b60f-abc68ede21d0,"4/16/2021, 9:27:02.067 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,76b71857-4c5a-4fe6-9bf3-11e906605c51,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,8c6642ab-478d-49d4-a288-b9f9561b9c7f,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4fd886ef-bb15-441d-b768-0a29ae28667c,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d794eed-1afd-4602-b1fc-ef3234149f30,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - 
Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,85cff5ed-ddda-4290-9a4b-3ae7c7f2977d,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a178a715-d00c-4145-8e80-6b944c3c236b,"4/16/2021, 9:27:02.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VictimPC2$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T18:45:58Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> 
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,b9f4e47b-4850-4fd9-9edc-572f83909014,"4/16/2021, 9:27:02.067 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa0c1a5-35fb-4d07-a56f-919e3c676aac,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80138b1-8ad7-43b9-bd51-87f6ba6599ac,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f902075c-cab2-414c-9a9e-08768f164b24,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a2b8bd8-f00c-4c64-83f6-71bb361d724f,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9c5253-ec1f-42c5-8e0c-6a4e69f2bacc,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edb277e1-ca6e-45df-8a86-aea4429b4563,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa01c375-afda-4a9d-80a7-39fb469713ae,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,047aaafc-af2b-4018-90d4-f731e4bca361,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5fe36f8-2b63-4acc-a4de-eb709194bf5d,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc1a7b02-a122-433e-8a1a-05482426487e,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebcde6c9-c913-4734-9d35-6467d2f4b48f,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59464a4-6773-44a5-ae13-6a9dd26fc3a1,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29b3be02-f685-47d3-ac85-a1528320430a,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1318f570-a83a-41ec-b869-04b0e50a0b44,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e336d37f-5106-4b76-b369-7961cd8a02a5,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07e933ea-bd94-44d6-99fb-a0eccb44d80b,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a34effe-759a-4fad-b225-543b33d835fd,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf0d0b05-3232-4884-a653-ebf34c743aed,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d97d58d0-9766-4f4a-91b2-69576b185210,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58e5cd4-07e4-4ada-8113-692e82b92ee0,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07a30a33-5b64-4228-b5af-94d6ebeb46cb,"4/16/2021, 9:27:07.134 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,090c3422-f873-409e-9d03-f37c6aeb834c,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,04793fa6-5689-4960-94cb-c5b81f707b0c,"4/16/2021, 9:27:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,58d2a3c2-49f2-4978-8197-818e659f91d2,"4/16/2021, 9:27:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 896 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1af5b9ca-0dee-405b-930a-e086601062a7,"4/16/2021, 9:27:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,59a02917-9abb-4ae1-a774-0396b7b1275f,"4/16/2021, 9:27:09.880 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,39be3b97-d998-42e5-867d-79472ab54999,"4/16/2021, 9:27:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7298bc45-d7b5-4e45-902d-6229e2a49862,"4/16/2021, 9:27:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 900 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,567a88f2-360c-485a-8f97-a91c9f4ff589,"4/16/2021, 9:27:09.880 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2545d831-4c94-4eef-8e52-c09b4badf5a7,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\AUDIT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdbff09-16b3-4f48-bc52-90c613ba3472,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,579bf353-6103-40e1-b070-e1dc0ed68cda,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d91b609-a03c-4964-8565-24af119d7daf,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e10a65d3-b1d5-4492-82af-6f43f6b34db1,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7e8e540-3486-483e-8f7b-689b93ebd201,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52c73408-33c2-4674-abd1-67a6fb91871c,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf6c262c-6565-4e89-80e8-c6f9316c0876,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4b178df-1370-4399-b2bf-c16e3c69020e,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83f83ffb-dc52-4a2a-8ca6-84af7288c19f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process 
has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e0235d4-cc99-45a9-a91d-3b54dad30bb5,"4/16/2021, 9:27:10.810 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a31a3201-6e40-4e97-81e5-0d4a1e4a4d4c,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff245f4a-9b04-40d2-827a-d6903def938e,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8546d7d2-7a35-444a-901c-78ca4e11ca3a,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe84e4bc-cde1-44d9-a3a6-e26ba9bd241f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,596189e9-4a65-4cb4-93d6-e2a4503dde92,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de095390-1626-4bc2-8c67-7d6fef009e66,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b95267f-28e6-49b5-bec4-0385675c653f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37a74d9a-3a6b-4e6b-bf37-d83616d054ea,"4/16/2021, 
9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa4dc7ab-f66c-4098-ad56-51b716b07aff,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf157c34-d14e-472b-b2de-d9f582821986,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e04808d8-f1ab-4531-ad4c-69167a547e0d,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a02167a5-e991-41b1-a841-9b07ead8fab3,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ef9418c-6e32-4109-bd92-9be7695d3093,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c49832c-4b74-4efa-8933-a9c2d402ba7f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0835067d-b4a2-4b7a-aa72-e8cc44dcf52b,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75fb384b-ad8f-4314-855e-20495b011477,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a227853b-20cc-492f-9a15-1c701823f38d,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b6df3b-3cdb-46f9-91ad-bb87d76ecad1,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9138a719-2d06-4dda-8218-ef1d5556d20a,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,525bcc13-82ba-4a17-8ccd-65bc5aa0903a,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8938e6a3-a0aa-41e7-9065-d4cc6f416856,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab9c43b3-2f70-4608-bcce-8d2a347dfcb3,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10ddbc80-46cf-4c15-a196-437390e1bbdf,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20a35175-39fd-46cc-86e5-549522501151,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b2a8578-b1b4-4971-bb25-5aa8c994adcc,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2d4b90-374b-4b46-be91-afe92a6d9af3,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11e4e4d3-9009-4286-92df-d610c18ffbc4,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86eea5a1-6138-4b0d-8692-8722d99dac97,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\SERVICE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d86d185-df04-4d38-a83e-e2757ddbecd6,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,934c9d26-c55e-4b27-86ef-375f8fa9fa8b,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b823d8a-6a69-4c6c-8783-313d04627f44,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b889e39-9ce7-4d9b-992a-d2e4f60891fe,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dab7ce81-f53b-4db2-a3fc-cf14fb392abd,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f27d2f-ecc7-4557-a920-b4e08be2c2f5,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f2c22b-2f3c-43da-80c5-176107e7b294,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7fff850-afbf-4501-9a67-dbdb31e8515e,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89bbe8ea-c359-4a1a-afa2-fe5826b36552,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da85ed73-f00b-437a-af01-e1997563226c,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6b563ec-82b0-4a61-a7bb-f2a6835e976d,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\GUEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,caffdaf0-dcbd-4ea3-9cdd-7d52f9a4f3e9,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bae330f-1242-48a6-bf9b-4bf1f14f95f2,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\CARLOS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e42e49c8-8e85-4134-af12-413f171cbd0b,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1e3dbf26-febf-4f07-a154-403d207c2460,"4/16/2021, 9:27:26.421 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a3742c3-48e3-40fa-9942-87b4841c4ce2,"4/16/2021, 9:27:26.421 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b62999e7-2bff-4efd-b55e-652b0d735e2c,"4/16/2021, 9:27:26.421 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8076 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,66bdd2ce-e691-4866-95af-5ee3fa77bbce,"4/16/2021, 9:27:26.421 AM",,,,,,, +\SECURITY,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e4c5a791-1fb7-40e3-beea-d3ac60814823,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a766f25-4333-4847-9cf3-3de547bd59d8,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83b62f90-7ada-41a8-957e-0aa5c4901062,"4/16/2021, 9:27:26.421 AM",,,,,,, +\PRODUCTION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2272509-5166-4fdc-9d00-2aa890614939,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +NT AUTHORITY\NETWORK SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 1212 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbc806a-4342-4112-b411-01d196cd3094,"4/16/2021, 9:27:27.142 
AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a39060-3938-4683-bde4-c551d8ce851c,"4/16/2021, 9:27:27.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff8eb72-4243-4960-8a8c-f41765b1e5b9,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f35cac-6915-4af3-a424-3e60e6b7d441,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,985e6347-4b65-4b7c-856d-4186550738ba,"4/16/2021, 9:27:27.142 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1ed9ce-55e0-4db4-8ed2-83557b6a8159,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a722822f-5b0d-4274-b575-5f066fdb8fdb,"4/16/2021, 9:27:27.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5928 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,19cf3388-508f-43ad-b6dc-98949de38ccc,"4/16/2021, 9:27:27.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8524 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe2ea0be-363b-47b3-9ac1-2deee948c2ca,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbad22e-2851-45a9-9027-d21202d4a047,"4/16/2021, 9:27:27.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18e36272-6db6-4a70-b89d-adf59d9aea1b,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f46aa4b-3641-40a9-bcff-6b26c0f330c8,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81d706f8-86e3-4976-861e-a9a7116fb259,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 832 + 22 + %SYSTEM32%\DLLHOST.EXE + 32 + 993991710080440F1678B9A877B554F7C7A21349A42D0173557E1B0A94A491FE + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\DLLHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\system32\DllHost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ee3b33e-01b4-475d-a2d7-065d5abd0d5d,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5461b5dc-4849-4252-b3b9-30c96fcdbc54,"4/16/2021, 9:27:27.142 AM",,,,,,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0c0dfc2-5700-41c2-823e-025e944b3946,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95760e97-1e01-46cd-b538-b617596981e7,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41eddcc7-9672-4955-8ff3-4bfa5f2d50dd,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a42ad835-18b2-468d-9ab0-21bab41fd11c,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28dab97f-8edf-46ad-a029-8f7b6571a74f,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a067ffb9-95db-4239-9ef4-17cc27b4bd16,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df848a52-c243-40c6-8088-f9435241660b,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,928d9372-6eee-4dff-9a3e-515e8b8d301d,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f0951f-1789-430e-82fa-2032ab4c0813,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5334ad45-26fd-4fc7-8b54-7cb99930c4a6,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b739078-e383-4d40-a61c-673558916ec7,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,64b553e9-6f1f-4d05-afd9-c6304532cb1d,"4/16/2021, 9:27:27.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39681b50-7da0-4c7f-a8a6-be166c167ac6,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c49a894-59c0-47f6-ba43-64a9496794ff,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10348 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a9a5845c-5fbc-4369-8a31-9ccd18ddfd69,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10540 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3a0b4262-e429-4e58-91ae-e741d093f183,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3348 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6a3cf4b9-f13c-4ddf-a943-04b6b682df92,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c4b5851-0a45-48ca-ac77-ca2730326e68,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,77f7b488-638b-4404-a027-e67bb8ad4760,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10732 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + 
+",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1502637-a310-42fc-b350-cbebefebf06b,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9020 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,274eec34-56f9-4bcc-a591-3743d3ffd113,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,33c23573-f940-46d2-ab96-e5b3fb38424c,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,4572ca05-9971-4109-9250-e17923eaad36,"4/16/2021, 9:27:34.758 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4076c0f-bc00-4825-be98-ab3f76e49466,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e7c5d86-6e50-44a6-a4be-e698137a0492,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b06e0f63-ae3e-4163-a686-e5a85d00ab85,"4/16/2021, 9:27:34.758 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d353116-87b1-453e-adc4-dfc868644e3c,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16021334-6fdf-4d5d-947b-75c64d2e4c42,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,836b8924-d53e-408b-8d0e-cf22635e94a3,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\MICHELLE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b93b1e6-4c6c-4360-9170-0c8e94f89bc7,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aab52fff-9ce1-47b4-ae25-cbeeac3b6e77,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee5c025d-1ae2-447d-91b0-1703f375e851,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ca2d8a6-f1ef-48b3-b94b-158f5230db25,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc86f2bc-bea8-4303-9fec-c3311798dd52,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72d49ebb-fc2c-4d21-bf7f-fbc9d5897ff6,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebf73bd6-b350-473c-ae77-478fa2cd5888,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83e45485-fb35-4f70-b622-1e65fd0c545f,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8c9f209-fe0f-44fb-bcaf-a67ae4767803,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,748759be-7877-42b5-8348-144899fba9b0,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd51a5e9-e08e-4892-95b8-96f64905f8ca,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62ed0885-ba88-4ce9-a119-82dd215f3a9f,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f03e09ce-6a97-4b69-a64c-90518a8cd463,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7ca6286-50ab-40f3-8b6a-541b8cc089a0,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5c0730e-d6bd-4447-a5b2-d7d57c88d56f,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f9ba6ba-1d0f-4511-bb85-22e51388067b,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e1feb65-0971-4a44-a37d-56f323af6cba,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59896017-35bf-4e32-9d75-acd7805d4676,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f95769a6-0212-41c9-b2b8-8cdce33bd1cf,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78f92b8c-3ab2-4a4f-9b91-536c092da02a,"4/16/2021, 
9:27:36.777 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f214b628-e790-428d-99c0-da1ac9b55be9,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77354244-c138-46b9-9fb9-deab587785ca,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ee577629-c94c-4ab0-b9c0-e80c38c293ee,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5d0ced76-c881-41d9-ad81-91fd503e4e54,"4/16/2021, 9:27:36.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,6b8b7378-37f0-4a8b-a5c7-58e0f7210a98,"4/16/2021, 9:27:36.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,80c85d42-6d06-4694-b7e7-31793df2661c,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,187e5d6d-cf46-4d30-8a55-0d07a5884855,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b95f556a-fb72-48f8-9ebc-d7ccaa9829dc,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cf77e600-c192-4f6a-9e4c-9725e754fd1b,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d6848088-c9d3-4e74-9df2-f5181082912b,"4/16/2021, 9:27:36.066 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2cb3fbb-4ec5-4e52-9d99-307a301974d1,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b5ea7b3-7224-42f1-b4bf-8b9ca6f7a15a,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bbce6aa-7520-428a-9701-5510f3c4fdab,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fb7c855-fa27-45ca-8c50-468c0aabade0,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfb0a22a-9c31-4661-bd21-7577247758a7,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,058fdead-d70a-42ea-9627-3e48a7498f3f,"4/16/2021, 9:27:39.150 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecca576e-720a-4a90-b301-d844305c3394,"4/16/2021, 9:27:39.150 AM",,,,,,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46f204aa-4df9-47cc-9748-b725fdfefd9c,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457e234d-7530-4c22-8f7a-848bb62238e9,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,391aa057-9b1b-4f7e-bd85-7d6e948dafa2,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abdf062a-17ec-4e4d-93ec-ac5841e5d001,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1000 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c5d9beb-b14c-46df-8270-43ad3af56b60,"4/16/2021, 9:27:39.150 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3684 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e97a0f-4377-437a-8db4-bc679046c603,"4/16/2021, 9:27:39.150 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf13011-e186-48e1-b1f9-56a3f13fd51b,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46a373af-96ce-41ff-85c9-eb3b56fd6f4e,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8f55999-159b-4592-9b4e-3f3a86304adc,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9862263a-c322-4a41-8543-b913e43fefad,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1b97e0-cc8c-4371-b70e-147ef4dc8bae,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99319f03-8bbd-422e-b0bc-1f407d3321bd,"4/16/2021, 9:27:39.150 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19feb4f8-2e39-4e61-8f67-810ec36e26ca,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d14739f0-0f6f-4eec-a58b-4d46ebed8074,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04721f38-49db-4d5d-b0f7-9ba6ea07aa53,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859f941b-286b-4626-a671-e53f2129f0c6,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,21a7da13-acd7-4374-8fe7-ea099e813ec1,"4/16/2021, 9:27:45.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 328 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f2245d6f-6f68-4151-92be-3828e7f75d6d,"4/16/2021, 9:27:49.419 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,442fc6f0-f840-48bf-83cc-bb316c44f7cd,"4/16/2021, 9:27:49.419 AM",,,,,,, +\SHARE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17746167-e808-40cf-9c1b-c3582352f440,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af13a381-75e1-4b18-bd9a-66a2bd8b325a,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aac27606-2288-4338-9ff3-ade0eb79c6ef,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6844cfc6-4aab-4eff-9029-e5699cee3a87,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f003683-7355-42af-b539-602d41b0780c,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a7a467d-47ee-4088-b070-e880908a50f9,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,529a9145-9f4d-4d05-ad8c-722229ebc5f9,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24363cf8-fb2d-4f0b-8961-197fcda5c2a2,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2408a4a5-a218-4167-a98b-d9f42cbc034d,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d40ca508-742e-419d-8435-537116f50084,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dde96bb7-3994-4c30-b752-4299cddb77b4,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\WINNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04c79cc8-abdd-47ce-a590-ef120d37103a,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\BOSS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b399ab82-9aeb-4f76-841e-d9170a5464a1,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\WAREHOUSE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,759ebcb9-3111-4732-880a-a71d3ab9f18c,"4/16/2021, 9:27:49.781 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d7dce81-a1b4-4994-96c3-653d510373ca,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\LAB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca82d05f-70b3-43a0-8e90-edc2d644d688,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83fbdacc-11bd-48e6-852d-62037ea0dd63,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4fce881-4d3f-455e-9983-f96d9fa3bde4,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39ab01a6-8371-48f2-ac6b-dfd6110dfbcc,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\FAX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,407fed53-bda7-4a2a-aad9-27d0f47413be,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,434918ff-517e-44e0-8313-27c44d160e40,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aea1a2ee-5993-4cb4-8c5e-0721e26a969a,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c954f81a-74e1-4d55-ad3c-c9258ba492d1,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83a44e38-7dc6-44a6-baf5-08ed79436481,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,520a4add-3150-468c-9a6d-ad74c8209e94,"4/16/2021, 9:27:52.726 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8860fafd-21ea-4cdb-83ff-2cb7f384046a,"4/16/2021, 9:27:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4604 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,abf64813-9a83-4339-93e5-850b11e21358,"4/16/2021, 9:27:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 6256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1c86c963-d932-419f-a03c-372b1577cb10,"4/16/2021, 9:27:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0d4f1a8a-d2f2-408f-b0b9-a8b7b11eb094,"4/16/2021, 9:27:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6db73add-78b8-4038-b59e-30306dc81e08,"4/16/2021, 9:27:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13552 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7fa394b6-8302-40b0-a9a5-8f726652dd43,"4/16/2021, 9:27:57.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 
+ D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10500 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,318dd615-8735-45a4-95f3-d72cba0c3da1,"4/16/2021, 9:27:57.009 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,86523d73-5ecb-4b5c-bf7b-9fb51c4e63d9,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0838964c-1e74-4078-b023-17156bed3dac,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\USER03,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cd383c01-2917-4741-a346-ca728fb9460b,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc44c955-eb7a-4cfc-af78-9d8837bd198d,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\C,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e9eca0b-b852-4116-b45c-bc710ed6410c,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ad5cf35d-2965-4544-907f-e842b46a1516,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,961e4950-2f3a-43c2-97aa-1fcd8e3ed5c2,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\PETER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,517155d2-986e-4118-a926-7bef6319e432,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d09706d7-0f18-428b-bf7c-4b4484781416,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9deab43f-9b17-4e6c-a232-f36646e5123e,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02078c2c-c167-49fb-b123-5df09f305bc4,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bff4342c-7e25-4b29-836e-6108370f047b,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aea3557e-16d4-4c8b-ba6d-9a7027bf4b89,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31ef0c78-ab49-461f-9eb7-d0ec6fff7db6,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c00f098e-8a89-4517-a2de-6c94f6d986f5,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8528328-2c38-426b-9d72-7e3dafe6a0d3,"4/16/2021, 9:28:03.747 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c7335b6-7a4c-49fd-8853-9f4d95653f82,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9629d791-ca0e-47f3-8aab-a3906ef9061c,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48afb5a9-27b8-4dd4-9387-d286c689c9a6,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c88603bf-9941-4c1f-a738-5f3c8c13f493,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ac872e1-bf8f-4136-a73f-ee1233819539,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6e583a5-dbcf-4685-ae56-a8fc34454f27,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\ANDREA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a83d9621-a99b-4c73-a9ce-b0ba0964695c,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afed63fd-3641-4ee6-be7c-537c01d170b4,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fd9005b-4691-44a3-9eac-5e5fd8db5d5a,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6516450-7d8e-400c-b3c2-3b93be24d14a,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e066e23d-e6b2-4811-988d-b50e2f743ad5,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72360e99-e3c9-4d97-85ad-bb1da2cad171,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae67e237-4658-4b62-86dd-91aec6ca10aa,"4/16/2021, 9:28:03.747 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97ee901f-2880-4157-869b-c0a536bfcc7c,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8c7a560-79f7-4e41-a8f2-faf236b18313,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1be7f20d-4422-4d0b-8504-18d2f2a83002,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89dddf68-7464-4fb0-ba70-e9fb9e7ccf92,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5f3d3cb-0a71-4eae-9f8d-279a8b15b106,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2878c7c-b371-422a-a699-c085a02f2a4b,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4badf9fc-f365-4137-8dfc-58cc121df41e,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8138ef2-49a6-43a3-b97d-ef7a85d5a536,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12a244c6-11b0-4fa4-ad9d-13239b262406,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd10d079-4d57-412b-9e63-223d512b98c7,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3bdbbf4-bb0a-44d1-8f9d-d9f5f81e66d5,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe1ef143-5617-4d3d-91f8-350432f32f29,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f006e9-244a-4bb2-b3e6-1afed38d251d,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,890e21c0-766e-4232-933b-59033b010c27,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f810d609-d844-42c6-8685-4aa87a9fc459,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35aec125-6bf4-490d-87bd-1cd10398fd81,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83b85518-d08a-42f7-ae79-09c029c3694b,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,142e0718-7d4b-4039-ae64-83266ce806d5,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee483de-5fba-497f-a486-263eae14026a,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e97688a-598a-4e58-9f25-30a406574033,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8719b2dd-8b69-401c-8690-9a8a9336b317,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98b4ca57-af03-4cfa-9db4-1f27b41c553c,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc64f52e-a5ed-4ee5-9edd-f5a5a6bea86e,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de468c1a-83c1-4675-b96b-910d167123e6,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77cf56fe-a313-483b-acc9-65b5aac6c1dc,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfdf13af-c8de-4d2b-826a-62766698ee5c,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,533c3bb0-e52f-48f0-b66a-cace00223bc9,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c250207-e42d-485f-8d39-0556f662ba89,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03689196-1593-420e-bcae-bd26d3a6d06f,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a43d54-d2b3-4ca3-a995-337720523361,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c62053ae-47d9-44aa-b2e8-edd052638934,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9dc3b3-91d3-41c5-96f1-1fd3698d548d,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aa6b7a5-390d-401a-b8c0-158ede1fcc20,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65596a28-2d63-47a4-8140-94ece5bf469f,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f74b9f-9565-423b-95ac-947a68eda6c8,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\OVM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1e03de3-9828-4ff2-a16f-bcc0f2de1153,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b836378-8491-4d03-a3f9-3b4af662bd13,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccfb7c67-e2a7-4dfc-bc92-ab2416e0ad18,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2f73736-8e30-4cc1-b023-ba21c93065d5,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d26d46d-699b-44f8-802b-3c7dd4e6ad68,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78c1732c-23fa-40b0-9011-d0ab3393b3c6,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67406a46-14e2-4194-904d-e4a87b23a3d0,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac2ed3f9-e7fd-4807-ac48-5bbd5dfff64e,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f93e3b7-3354-4917-a68a-08ae8c484f95,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36d001e-e78c-47b8-a7cd-b7bec6027f31,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cad2d00-a4e3-44dc-bae7-5df3c471e3e8,"4/16/2021, 9:28:12.160 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3bf6dce-6105-4e71-a1ec-d98c6f6a09cc,"4/16/2021, 9:28:12.160 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,969f7878-2b48-4607-8187-05de6dbf525d,"4/16/2021, 9:28:12.160 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f27859-f8d2-4b5b-9b0f-e3d63ffc5c63,"4/16/2021, 9:28:12.160 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4031304c-9050-4daa-9d95-8de247740277,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5836 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,661114db-e29a-4637-843e-7dace0ca89a3,"4/16/2021, 9:28:12.160 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8264 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2e17dd5-197c-45b5-a883-64b748fd66c7,"4/16/2021, 9:28:12.160 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,aa0f4f18-ccfc-4f40-a05e-4bfd4f355db2,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c6effcc6-e1d4-40f6-a112-0a877902f758,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,257c8a5c-ca33-4bc2-9a82-f5f29ba190c4,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a4598f0a-e04b-4851-96cc-d3abce52847f,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,709d2929-0dff-4022-be8c-61cbd7a5e77d,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7fbf77f6-39eb-40be-8049-0cf6982afc6d,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0d473191-9d7e-44a5-91b3-cadf4040201f,"4/16/2021, 
9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,024c4cdb-f034-41e7-8dd8-ea877cdcba25,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b8a991b8-a824-4da8-adb7-ec0dc9147893,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ecd370a5-292e-4d5e-bd6e-d2ea58adc951,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bc522bcf-e026-4ced-b39a-8a5e9a336c63,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,adb5b26f-b353-4fb0-8e68-d5a86b923d4e,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a1552598-d16a-45bc-a023-713224f3d72b,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e5f6e0ef-67f2-4e80-962b-ecc45a946f8a,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,97c1f80d-4b43-4de1-9017-f7887035c7ed,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cf9858af-5842-4040-ab83-3f9eae9aeef7,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,08346b80-c4a5-468e-878b-6733e54db7c9,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a3474f57-0281-4a3d-8ec3-64dd928d6522,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f1a966a-64a9-4516-9c61-30e853a871d0,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4a1ba841-acd9-451c-a784-f28ff879e7e6,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f0a872f-c127-4dee-bef2-75091af1e8ea,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b0b307bd-e581-4088-b0cf-b7fcfa279c90,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,29db87b9-f698-4f50-8ea1-e72d77fd9936,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ecf3a7ab-21e9-4c38-a32e-5d44bd2a22a2,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,55575737-1592-47d9-bc32-90737da88070,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e6a30ef1-2838-4687-9a80-99fb7c94c532,"4/16/2021, 9:28:09.891 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2a9421c1-c785-4e68-a996-fd80807df6e5,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d6aa1bec-f1d8-457a-9277-3b5a8c04a7c6,"4/16/2021, 9:28:09.891 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6eefcde5-2aa5-4307-b0f8-3528f0a23af5,"4/16/2021, 9:28:09.891 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7c4505bb-6147-4d17-8609-b05d068e6aa5,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12080 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e07a43d1-3a6c-430e-b496-c74fd30562df,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2892 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ea0b225a-094d-4984-bc96-57881dab17e8,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6944 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,253aef35-7a3d-40b5-b90e-7accd961122f,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 5012 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fc9cc09c-de45-49b9-bc01-7de9bf6e732a,"4/16/2021, 9:28:09.891 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f3c7a5eb-6e55-4ff6-910b-565fbb159d45,"4/16/2021, 9:28:09.891 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ba934052-99fd-4865-8cb6-e493f0d8f7b8,"4/16/2021, 9:28:08.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cfa7752e-4e07-4df0-b428-80f70a2f28da,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5a0f63f6-257d-441b-a837-898e0fcb3fe2,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + 
RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3b2680c8-eb89-4520-acbf-b0b5b4426b08,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,89757c25-36ca-4b36-a233-a5ec2bdfd393,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5bd3aad4-ed80-4d3c-aa04-7c4048e25539,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,89793512-0e26-4c47-b5dd-57444ed5e68b,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,31e2626b-ff03-4d3c-afd7-aefa7ff22e25,"4/16/2021, 9:28:08.062 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,04ae90a2-87b7-4408-b366-a330a9092209,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eaccc941-3f0e-4c3e-9667-3058fc9ef977,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13bf56cd-1e3e-4b14-af8f-5d0df7642afe,"4/16/2021, 9:28:08.062 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1792ccba-4486-4706-9de5-8138f961421a,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ba6a21e-8f61-422f-a7bd-8c43d8b3c10f,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84b0f44e-ae75-4342-9c77-cdf6c535db8e,"4/16/2021, 9:28:17.141 
AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f71ef5b-63bc-42d3-829b-1841024b58c0,"4/16/2021, 9:28:17.141 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85924e58-7800-45d6-ad96-d7a14bdc48c3,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76e25a97-c5ee-4f2f-b2ba-d25ea0557d35,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38d2b8ce-c4cc-4c10-9412-9eee3c56e7db,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4400 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,00f235a9-5a02-4003-aea9-346e31018d08,"4/16/2021, 9:28:17.141 AM",,,,,,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61759a51-83aa-41a6-8370-c4200310b71d,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,189f2b04-e709-48de-bca9-9568625c86fb,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b4e78c-f322-46d2-bb5f-d965aef2df35,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7bc07d9-09c4-440c-8f66-d674c5c61d56,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74cbaedf-f48e-47a4-85c5-d0f6d595d69c,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61b86620-c4fb-4716-9923-6544b012b0cb,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3e4579d-fd71-4233-9ec1-3937da259d10,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7359547-9627-42d4-8c70-e7209ab53ac2,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16c00b89-9c8d-4480-86f5-ded337d8f97c,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c32eb30d-0eb5-4c75-ae67-f92bb1fbfb07,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80d8c76-7530-4e64-91b3-6b944804ad68,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7302ff9f-d988-4ad4-b1e6-d08e634f645c,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa5f53bc-4a4a-4804-813a-dc5d57716afe,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e011bb3-b3e2-4237-adad-39fc074e24a7,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5bcbe26-96ec-41ba-9f7d-f85126d0b35e,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6bc5975-e5fe-4adb-a869-a36ffdefa507,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed0e28a-1149-4ef9-a7f5-754562b17c18,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a76ce7df-d656-468b-8bc4-0bf490f44853,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27c8639c-fcc5-4732-b779-f1371c0059be,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81850e49-e413-4018-bc27-6d74fe75a554,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00041360-1356-42ea-bd14-d8d39956a9f9,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7a88c5-324b-46f2-a4d6-7357928cea36,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9179b7df-8227-42d4-857c-b87bfb7246ec,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12ccd1d-270b-42ef-bb4a-84692edc3ad0,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9623a45b-090c-41e4-b06f-b33f53b53ccf,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d65ada37-7094-46e0-bcdf-d9d3fae9a4e0,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f04562-c39a-4ade-8452-f85403101a73,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6b2689-4b77-4daf-92a1-ee441845c71f,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b429bb35-38cb-4c28-b703-d024318625e0,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,155341f4-e533-41b2-8a4a-3562bc20d00f,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93513f4e-f32a-4134-8e39-7f5659baeb54,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b09cddc-4226-4488-9386-61a0a13bc472,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8e981fd-d3b6-41fe-ad32-e53a0c8ac526,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,489664b8-a17e-4fb7-8fab-b16093c1dfc5,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd552256-dd4d-466c-8843-4b878256f922,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,292a228a-64fa-431e-af2c-d4c7b0bcb264,"4/16/2021, 9:28:22.189 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4675661d-c565-4138-a6ed-d9c6ae2d8219,"4/16/2021, 9:28:22.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5728 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,637da719-c342-4397-bd6c-e722a7200a50,"4/16/2021, 9:28:22.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 184 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,38f7163c-1c07-40c6-96ac-4a6778e5dc36,"4/16/2021, 9:28:22.189 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da6d66cf-f784-4176-a05e-5ce10c5a7bdc,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,294c28db-8b44-4111-807e-bece51f6281c,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,261af535-5f57-4f29-b04e-7975d6d5cb5c,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e731b4d-2048-4304-8f6b-b1194d167212,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a29af5c-7338-4b18-bde7-93e1c717a6cd,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a4d20a7-b594-4620-b7b2-0ed0530d9046,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b66deb-7312-46a9-a76b-8c769602548e,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,211fc451-dd13-4d70-b229-63c4d5e8c081,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6cd5085-b8ed-4501-8ef6-614d87c4304e,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f3fa65-37c4-4e7b-8d1c-4f2c9971a48f,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd5245f5-0404-4430-8de9-a98e4aa434f7,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0c5d9b1-2c88-4b9d-ac4c-dac8306108e9,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3529636c-6032-4f06-a54a-08a525a1d4e9,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62516305-b8aa-4311-9d50-59c053d9aaca,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82e6bbb-6e0b-41dd-b7f6-40d7e4f3882e,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,848363f8-4ee2-466e-b765-d479f836cc93,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cabcad59-1b11-4518-b4af-01e3e8299eab,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f963399-a862-4769-8ebb-be9bcacf25fc,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b773a03f-9cab-4d50-b8e5-5c22f0593465,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62bb4ff-3f4b-409f-8721-197abd38d4ad,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac4b85a-8123-41fe-94c2-16da5984d14c,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67eb563a-70df-4531-aaf9-7209058d86e1,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd6ddadc-01a1-4135-97f7-913d1b19468c,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c875c09-b431-436f-b3cd-b0a3e6fda9db,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97b3e31-07be-4b03-8eb4-1a6692e00e6c,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f767014b-8326-4a2d-8972-82cf6fecf072,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac524045-33f0-404f-a067-9a60e6aa23a9,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0605b8b3-e643-4bed-a8b3-8ee3b7271467,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,17c7e945-e19a-49e7-bc3e-869ab2cca41a,"4/16/2021, 9:28:33.140 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62684d56-b399-4e08-9980-7467ae3fe69d,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0430c0f-be93-4ee1-8455-9ae44bf68d37,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2412035c-2f9a-4011-9cc3-f40a00bc42a2,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a14a425-75b8-4bc2-8d4b-5e38d1e1c7c0,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ce45134-b095-4c82-83c7-416111fb6ebd,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\VISITOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dfc83c3d-b3e5-4f86-a721-75d50a6e0adc,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f8986d2e-924d-4605-ac62-3733a8ea759c,"4/16/2021, 9:28:34.405 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,52b54ad9-8efc-4a53-8874-69ee6a48cfb2,"4/16/2021, 9:28:34.405 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7708 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT 
® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2ab62f99-da55-479f-bd4f-55c5ba6a4fca,"4/16/2021, 9:28:34.405 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5e4d003b-2d51-4bb1-ade7-84f4faa00c01,"4/16/2021, 9:28:34.405 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e56487fd-a5d5-4fd8-b0bc-1942544300de,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +\USER10,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01054f10-fe97-496d-9944-60d5d8635917,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc22eb1d-6e8a-4783-807c-30224237b6b5,"4/16/2021, 9:28:34.405 AM",,,,,,, +\T1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,66ae664e-3f87-41fb-bed4-c4bcba5f702f,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, 
+\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e7847c91-2beb-442b-b98b-db2a6bd747c2,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +\LIBRARY,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,814c576b-b60e-4594-a0f8-4d7a2d1dcdfc,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c212b8b-e7b5-475b-9770-91c606c3b23a,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb8345b-1cf4-4ce9-a83e-9e9d60ff22fb,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2cb85dc-8ae6-4407-ba54-45663a59cd03,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abcd5c40-43ef-4d5b-9ab5-f4b5b61ec4e9,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9483409-6489-4b0b-b368-afe726bdb872,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c22a6ae-d046-4f87-834b-c781578b269c,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4488c520-c149-4506-bcca-45d9b5235d43,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faecba70-86e5-458a-829d-7ed8f179647b,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b612701-5e52-41cc-9be2-a65dcf2e1534,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b5bc99b-a390-4416-a272-c03e61a44053,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea61dbf9-f96d-4648-ba14-2f8eaaa91cf4,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d46159be-7d13-4d2e-a81d-9655989f561e,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d63a9276-737b-40bd-9489-93d8bab213f7,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fb95e68-2585-46c3-83aa-68a61b9b563a,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a25bdab-db10-433d-be51-945be2f638e0,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,297d94ac-a31d-4271-903d-3368ce14e095,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8d789f0-40a0-4b60-9f70-d50c22cdeaef,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7dce92-0762-480e-8c23-faeb2bb641f8,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14add4b6-a4ac-4020-9687-db2bf501cf53,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c6e772e-a98a-44b0-92b2-50ea7c125fc9,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a790332-5f18-4e3d-aaf4-74e076c5f67b,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e03cd0ac-22d9-4d8a-b9b9-82b5ad838ade,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c4c0a2f-6b2d-495f-93f2-c285ca02374f,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84a6c849-4902-4170-b872-3612fd11ebd3,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58832deb-9620-4493-84a1-4940b9ac0487,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6204db90-2eee-42f5-904d-bcc5fab5bbc7,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a14ca548-f92a-4cbf-ba87-a27d47e407f4,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b339404-cad5-420a-a30c-d8b6b9f012e8,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b018d8b-4d70-477c-be20-0bb0430f52c4,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\DATA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c74bfae-1730-4e2e-a135-c18fe3f8283f,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50d5566c-2af5-4a41-a54c-42df37fd3e99,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, 
+\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d80532c-05bc-452e-982a-f591511d42f8,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\TESTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97fda0ae-1996-47ed-9b5e-a05c10f1a1b7,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3c07ace-107e-42d8-88d5-33a2f1a0d6b8,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce6ae08a-7987-4a8e-86c4-0fa68d96d4b4,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,907ea5b1-5b5c-4aa8-b66b-faa7a076cbb0,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8796e8bb-7d55-43d3-8eee-3359da3c4271,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e057e15-9440-4291-b73b-56708ebb8da1,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87195494-0597-44c7-81d7-3ea041e44cdb,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fd70f8c-090d-4230-abb7-bdc271c1d516,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2724027a-50ac-407c-82a8-2693cda41b11,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca1e6240-06a9-43fe-96bf-62581d3ae4d5,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\CONFERENCE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88bab14e-1d9b-4e9d-881e-a578272d13ad,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0306872-780a-4a93-b644-ecf4f8499e39,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f614b3ad-f63b-45ec-a050-e75fee5d54af,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d945a894-ca7c-44da-a6c2-2ce4a2fdadae,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,849078c1-a8fa-4079-93c7-68835e0343bf,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,19636df6-19b5-45f6-8538-5b8c23c1e07b,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c3e950e3-2cf6-4f7d-ad8b-11b5cc9f9288,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0bb352f2-d9bb-44f0-9a83-5b2d3b6d7cf9,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,52b92078-486a-4de8-91e5-aaf94f0d31a0,"4/16/2021, 9:28:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fc8823c4-bc61-4ba5-8242-5b735e47f2de,"4/16/2021, 9:28:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2931fd9e-366b-4655-8019-232c23757896,"4/16/2021, 9:28:43.066 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e64f8e80-ba93-42c5-bb4d-68f66e17f3c8,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ACQUISTI,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ae9c89-96ea-43c4-9b5e-27578dcb24fb,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5bbbd35-503e-4e97-9e39-2f92ad38b389,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3767b250-86a9-48c8-80c7-0f9614d20546,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8192ee8f-e8a0-4dcc-9399-88784da74a34,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56ec5316-8cb0-4636-af75-95296b328f31,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08cbff31-efe2-4c50-8a86-fb134db8970c,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3acc5d27-f6d4-4c8d-8729-f3eb1edbd6df,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\EJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34c96daa-87a1-42ea-a056-ead71ffb4fa3,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,456dedad-d933-43ee-86b5-0f26305e293e,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c1194f-5071-4149-bca7-b27d2f36e299,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de856471-5859-4ace-9032-78331ffe19e4,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97ef5b13-3325-4f9d-a423-b412dc3ebae1,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d5cd759-3734-4c25-88d0-7474fc09b6e0,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae710535-9565-4a27-ba91-a0dac63139cd,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5ea043f-31cd-402f-a512-bdff5dc11dc2,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21013f19-7aa5-4f01-a4fd-3199030c04ff,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e48bb804-16db-428c-879d-56f0f5449a9e,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ed7f0f-a876-4153-be27-e17478fa022e,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5505f4-f071-4ba6-949a-8b3e16a2e55c,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f77d9ed-b8b5-455a-a5fb-9fe876260874,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc345ef3-3324-4daa-b1e1-cde13ff0418c,"4/16/2021, 
9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da0e8164-96ba-4960-b03f-453d92b11b9f,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,905bd570-bc72-4499-90fd-09dcf032028f,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4312 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e5c3c0d-e208-4bff-9c65-2c1f8363e00b,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9236 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ea597aab-fc06-4817-babe-e03ebb6979ca,"4/16/2021, 9:28:51.641 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,852f2d69-fe29-48c7-9f5d-c19f2584dbe3,"4/16/2021, 9:28:51.641 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,33aa4512-797e-4172-9573-8ccd0fd20ceb,"4/16/2021, 9:28:51.641 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,821aacf9-7606-4c20-9b6b-5af536bf617a,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8476 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1e67ec8-ca4e-4680-ba55-df58c996941e,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2068 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d1b101c-d1df-4511-afd0-193dcf89234e,"4/16/2021, 9:28:51.641 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d2c1f6c-a924-49fb-8455-8d165b7370ce,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11488 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6439f524-1501-482d-920f-049902c852e3,"4/16/2021, 9:28:57.010 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9600 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,119c750d-81ac-41fa-a94b-cdf6f9778c5f,"4/16/2021, 9:28:57.010 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd69611-c1bc-4ad6-929f-10e85b1f155f,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a1b774-a6cd-4dcf-84c0-22b1c70fa0cf,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed2ad42-de57-469e-a805-a2def9c206cc,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd27f726-90d9-46b3-8ac6-b80371f2aaa7,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c38c0ddd-8a92-4756-b225-290721ae23e4,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd76a83-6552-403a-ab20-15c80e5bb6a1,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bf2b1bc-c723-4e37-b6d7-9e6e8f132c6b,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f06fea3-896a-4e41-9a66-5fc65a096f78,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4a926a-e583-4c4c-84b3-eb2db8220269,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86ccea06-aca5-4ac5-badc-8ecc58170caf,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,949933e9-a2a3-42ee-92d8-8001ffcbec32,"4/16/2021, 9:29:00.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d1a1c65-dae8-4ed1-8bce-cd75574f8573,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 7020 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d98ae2-24dc-4150-962f-47bb1e2c379d,"4/16/2021, 9:29:00.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2ee9d9c-cee6-4aa0-a152-5de063b0ca0b,"4/16/2021, 
9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97cde0d4-0b9d-4a17-9e87-cb1dcbd92cbb,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdca477d-e009-4b93-a22f-0ac8ddd4ec34,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59a02eb7-9fed-4c99-95f6-391e776afb3e,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1127a18-1794-47f0-85dc-1d70d5d0a518,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce457360-8ce1-48a6-9ed2-fe51042b0aaf,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972ef732-4cbf-4746-a969-9af0b4c6b9a5,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,414b95dd-8406-4041-9fdb-29c4f01d63d6,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17de29f3-85cc-4f05-89da-200d757d82d0,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0f44128-5243-45e4-bd78-883b88081277,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59595962-d61f-46af-bd25-1efb23719a76,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9861fb4-186d-4a06-96a4-d8e189816f94,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7a3dc9b-3339-4b64-8f7d-fa280cdc3ed4,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dabcaec-1e42-4404-8290-14a78d838595,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89216df5-507d-4f35-8b9b-c2c5990ffb86,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d05da6f-f4ce-4f08-bd1e-60e551f880f5,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79a98e53-9c85-4e82-aea1-3fc117eeca05,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7bd939e-5a76-4c55-9761-7f52d3a0d9c7,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1a63f67-bdaf-4504-8171-c10d6657400d,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02cd9d52-132c-4e12-9f21-f98c3db50585,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ad2ee40-a280-4ba9-886d-7b5e172b0c74,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1874f4a5-d44e-4e83-a253-592c4f9b73d0,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9daa9dc8-ae8f-46cb-9ab7-1c2a44ee5c6f,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abe17566-0c57-47d3-88b5-d76adae67503,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ada0dc24-6ace-44e5-9e32-bb8e465287ed,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b47f82-48c3-4e5c-8759-0f652b798424,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc621c79-3df9-4835-9e3a-6767aadc5fd7,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78b34c64-b08d-4f77-ad23-ca0d34549b5b,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de120cc3-c796-417a-a156-1af475b1cb15,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,051be30f-92e0-4699-9489-089b7e2a3fac,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d51c1410-26e5-4c2e-a07d-6af6b81674c3,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ec23500-ff7e-47e4-8b2e-1e00aeec5f43,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b62c0b3c-2df8-45ed-92ab-0aa178af761b,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, 
+\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da12e81f-c5fe-4acd-8309-65e74fb5f937,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef6fcb0c-73df-4e06-9dc5-7b0ab5c7ab0d,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\CONTABILIDAD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b05e8ba-c20c-4e51-8d02-3f2312adcc4c,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fa45d38-4a85-4012-8da9-1b573c9dd9a9,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,825e2f92-d0d2-4e8e-9b42-7890226f7d01,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1aca1fba-410c-4ae8-8e7f-8ff47434a11b,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a63e19a-8837-4320-b471-bcd6eccdbcbd,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,210206ae-ddd0-4cda-a12e-7bba227402d5,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c4a0ee9-3102-4a5e-a079-dbaa5593a3ea,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aa20b43-44ba-4867-8033-8d60b045cb26,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a7bd3ef-4d5a-4de4-a330-37175e9df410,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6133d5e0-5070-4bb3-a741-c816bd803456,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\SHYANNE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0446bac8-95d1-4be9-86ba-db6dcc186b40,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21f01b8c-5a4b-4bfc-bdbd-73e1fca1bfb1,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da9ddf2d-b8d2-4f28-a28f-5ad6a5f2090f,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,995dc3b9-e04a-4953-846b-9282afc69661,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6de28bea-c411-410d-830d-a2783026c9c3,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b100376-0c63-4b88-b2a8-5724055c6e57,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea5f7714-894f-4a26-ab6b-3107dad02df8,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa6e8c2f-9c3f-42e1-bb2b-3c8c37427bba,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d02fcad-ae6a-43cf-8fce-a067909676ab,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23d24f75-9307-4ad2-a7ac-1274eebb1187,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e476ac19-3fc3-43e1-a2e5-7bb6de13b913,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\AUDITOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd6faf26-2e77-46be-8155-3018fde5ddca,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8580 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c29c5efc-778c-4248-9e50-9869d91bd33c,"4/16/2021, 9:29:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5976 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,14b8effe-afb4-474f-9e37-7632db58a29f,"4/16/2021, 9:29:49.274 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e94c05fe-c1f1-40c6-b7e0-10212709b2f9,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,59ec4c75-ee50-42e2-807e-8643f148a7df,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,40ce1ecb-ba6e-49d1-a56f-91ea36eb9a88,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,da331f57-de03-4709-995e-38b38ab7694c,"4/16/2021, 9:29:53.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,af62ba0a-4fde-4c4e-9873-65f7d6c10ea9,"4/16/2021, 9:29:53.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,840d08b3-0ba7-4fcf-8bec-3a77b5001f1a,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bc578498-951f-45a4-b02b-6ca0dc3f40c4,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aeb04330-e16c-4109-a4c2-0256477f1f0d,"4/16/2021, 9:29:53.067 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2996 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0653c802-1869-439c-957e-9f4fd95057ea,"4/16/2021, 9:29:52.728 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1a4f01eb-4307-4d80-bf6e-9cc7fc6e7248,"4/16/2021, 9:29:52.728 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,caac1ec8-be5f-462f-a244-dc70a03801a9,"4/16/2021, 9:29:52.728 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,75111642-9325-4375-b9a3-7b12bd42de3c,"4/16/2021, 9:29:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2d34a5bb-84cc-41f4-a018-1e13677907e9,"4/16/2021, 9:29:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cccdf12d-4179-4137-a32f-bf414d193c5f,"4/16/2021, 9:29:52.728 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa9eab2-4ce3-42f7-b3c9-2c69768066f0,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\WP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbc27b78-2500-4677-9f85-0cb73d769d4f,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63bad84f-d49e-4188-958e-3b0bc2081e7d,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ee3afa-3088-4d7d-90be-8ea68481b6fa,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f55987e7-7585-42db-be6b-aea1e9ec916c,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\VISION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eb6987d-23c5-404b-803b-3784bf370e19,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d48745-4eb1-4976-85a1-4f185401acb1,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7fedf5-5a5b-4824-b952-5b57e8341e3b,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,343bd5e4-850d-45ea-a335-b4097097fb59,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a5fa0f7-67ad-4bc2-a560-2971f9d5c42b,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cca6f92-5f91-4ccf-9e3e-d53044a23ccd,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1e6057d-d329-400f-aae2-69c7b9d89453,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5318dc3-dc3a-4252-b23b-3e5a756a7d51,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eee451c-56a8-4074-8223-8e8a37c99aeb,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71fb1f30-3482-4eb2-8ef3-34dbd33b1255,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8595084b-7f93-4f27-844e-d02735d9a4d6,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf9b5324-05db-4837-908d-ced0c98f4e67,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c0943cc-51c9-450b-b8f1-f61631f5a6eb,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0413557c-9b9a-4d46-adec-1ce6b342378e,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04ebeb33-7a3a-479a-86d5-3b10a57fdf32,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37db2ee6-ff1b-45cc-b28c-142c08154131,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52b64583-e82d-430b-b724-ba5739fbfd1b,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a119c45-8330-4964-a79e-fa9d06bdbc91,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84f2f77a-8a32-4334-8f9e-07643dc52721,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d14ab60a-6ae0-453a-b486-f619a9559ae2,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ecf4de-842b-46a6-a966-7fff0ed5da58,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12206568-a2d8-492e-93a9-91b92b583036,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 
+ D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5240 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,79a3d9aa-0e26-4438-a17e-325df68e40d0,"4/16/2021, 9:30:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7148 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,728851a6-cf09-411e-a460-78563ad4cc9b,"4/16/2021, 9:30:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2ea35e8e-f282-4924-aadf-5eb333ebba60,"4/16/2021, 9:30:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b377019b-c887-4e44-a464-30503eded1db,"4/16/2021, 9:30:09.890 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,153f5988-433e-4c6f-82ff-e95facd61166,"4/16/2021, 9:30:09.890 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c05ec513-eff7-4f4b-992f-dfb4655a4b57,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1964cba2-f0e8-4527-8aa1-bc24af7a7c94,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02c05b16-e5a8-4c5c-bfac-221f24db2a18,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f76efad9-1564-4a2b-bd90-941041566c81,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,037970f7-a82c-4653-b037-5ae1bd9605d2,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86d27507-acdf-4ae1-9145-4cc63c18aaa5,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7bf3a18-ef98-4e49-a346-9da7d26be6bc,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c7925a-a375-4b09-8d14-b07784050b10,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37109668-23e0-47a6-8b9e-4ea4448a464a,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0455a5ee-f2a6-4688-b383-4cf67e431d5c,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1009910c-c4a4-4b47-9e59-d89b83c3a46a,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e353d75-aa7a-4a7f-a122-b2c872b8836b,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0bd1cd0-233b-4207-bb4e-5a40caed9035,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1837b832-f183-43af-a0d7-a809c884102e,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7198f27f-dd29-4358-abc9-4e0ecaaa8436,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c007b7a6-1bc8-4a31-bf41-4a8a4f51465f,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6daf590c-e231-4e42-a448-6e3b198a0704,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58342ffa-5c64-49b5-9907-d16995a42ea2,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fedb8f2-8ebc-490e-86c1-01989de6b04d,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8834972b-c1bc-484f-a18d-901e9859c38e,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e9d505-6286-4804-b8e5-646d4480335f,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81a2d489-279a-4f0a-9b79-c182c08c5815,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a31d0fa3-7f61-438b-8b29-291444483860,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c903dec-46ce-4d3b-9348-84b7e5bb7bb6,"4/16/2021, 9:30:19.170 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,efdb5830-298f-4d0e-a99a-d458209a9001,"4/16/2021, 9:30:19.170 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,50a9c652-cb87-4a25-8cd0-ec0cf7d1ddb0,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8acc15e8-f2e6-48b6-acfa-96e575ba2726,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,48433a44-ccd9-4cd8-a567-754714e18a24,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - 
Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,166e142e-7bd4-4634-bdac-727556b0645d,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7b34d376-cba4-4a8a-98b8-7b08c48a710e,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fc923aa1-4e71-4c33-85aa-d4e47e38d35a,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4e76c8e3-bf5b-40ca-8a57-5ce062ba4d47,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7205996-2ef4-4932-8c7a-82d19cc89968,"4/16/2021, 9:30:24.067 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ed7287b-5f1f-4cef-badd-0d891552e21a,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f3df7f3-d041-4399-b89f-f267fcd71603,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4358f280-55dd-43ab-9bdd-8b56a081c5b3,"4/16/2021, 9:30:24.067 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 92 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26687a0-ac7b-4613-8d01-78b9cdbada6f,"4/16/2021, 9:30:24.144 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2684 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0f82e86-aca4-4855-870a-3589c24f076d,"4/16/2021, 9:30:24.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c6a5a7-d120-4dd1-8edc-b05f4451f489,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6274ba2d-40b4-4819-9956-b42c8a9f363c,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aee76784-d6dc-4be0-88bb-b2ca1d13ba91,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09f00f5b-41d3-44dd-8e8b-f5734064d21b,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e1feebb-f07d-4539-b124-f17402277f7f,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b61b3dc-2886-417a-8bc0-5e82657aa6e3,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae139936-e223-47ff-b90e-7226e96b7f18,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8772f616-b154-4271-9170-6e92ea6425b5,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0a2fbc0-786f-422a-9d09-c0fb50590e66,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88866553-c0b4-4aa0-92b8-233df3f49e72,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31f3c437-3568-4dfe-85bb-1113319dfa1d,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7036833-d3cf-405f-a721-44ee80fb9225,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f73a6c3-5f8f-453c-b4e2-4ee3be1e7716,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,347d0932-37fa-4ba3-a0e7-d61735861e4e,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f36fcff-874a-452f-91f6-a7517d9d0ad5,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054f099a-4697-46aa-8c64-358f212793c2,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d17c31a-e6a6-4034-9233-19827e530649,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b702f2-5dba-4c64-8062-a661635225f2,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91f5c332-3244-4ae8-a1e3-f49cc79fad13,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a165506-00a5-4509-83aa-5262edd7ac68,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402f5137-d82d-453c-9988-dc5c99e9639b,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c1186d6-7d7d-4ca7-ae3c-8f151b056a3b,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,113bbcb7-814e-4250-a8ba-b493867352d0,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f1d6c66-2810-41ec-a059-bf0c17d1a3ff,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62d25d6-e153-4553-a836-6348512ab0b6,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b427352e-5180-4598-93dd-975d5d4dcc03,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52b31021-18c1-4301-af3b-abc7e504d23c,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03e9ad60-8692-4c34-83a2-22ee129f1b9b,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44d7d58e-4d8d-4c76-bf80-35e30c275f90,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba8f2f62-1c7b-446d-b165-38b3c7e2aced,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fc61a95-0ee2-4657-8259-d57bd93505d8,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,210ff9e2-352e-42ab-a6e4-5f0df333989e,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f536f9bb-5d6e-4494-bff3-d75cae54ebc2,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493cb6e4-1c99-405f-b86d-f09529cf155a,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,78459624-c2d4-46e3-96cf-2d781da17b2a,"4/16/2021, 9:30:33.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e832a4d-55be-4a54-8ef8-c07f598f313e,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a296886-6a74-4790-aa37-ab5a039e8093,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcd94477-7fa1-4f05-becb-f0bb8efb48ed,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e7a017-0a16-4670-a0a6-ae454257986a,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,563a1170-b209-4950-99f5-c9c266d19f74,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,174729a3-960f-44f5-a104-6752f481382a,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a94459e8-4234-4ffa-9625-0d3a43d4f65f,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69888807-004b-43f2-b58c-9d1618a5f1f2,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afb0f881-eb85-463f-a097-fe745fd1b0b4,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbcaf7d4-f5f3-429c-b99e-36469c92bb34,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82dddd09-ea4d-4154-9424-dd0868e57c53,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1bc6abf-92b8-4526-9f8e-dcc94c252d13,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60cff7c2-959c-4cc2-b656-203fd116d8ae,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\CONTADOR1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70b9e67d-f4e6-4d7d-b8ad-e33b814a8975,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc20b0f-d27e-4bdb-91f5-5249044c14ba,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a3234cc-6d6e-48c7-906c-1ce873257c9c,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46c9c7e3-6737-4345-ae2d-c1c9f28946a5,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5173e7f-6711-471b-9c52-1c907172b879,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b09cc18a-6644-4edc-a1e2-bd5cb9718f17,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1222908-62e9-402b-8ba4-c0736ad29bee,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a6ea5d7-ba24-409a-bb2c-b635a45f3e8e,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c7f1edb-19f3-41d4-885f-306b4d51a60a,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73e943c8-7abe-4524-8954-56929046d794,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2449c8f6-c3ff-47dc-9935-668c3dd45ea9,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1a0daa-1edd-4115-87f3-b6525d15ef84,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc79322d-43b9-4a6d-8a02-729bced4e2c1,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac6febe0-a3b0-401d-8adc-8dfba7abf94e,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a354c8cb-2a56-4b9c-9753-7e6b26232770,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f98c38-07f3-4119-8376-b4dcb20cfb40,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd8bdb75-8cad-40b0-9a90-691b9b3356a7,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f835783-b8d9-4c05-9148-8021eb40ee1d,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4d816fe-f8e3-40fa-b125-43d129a918de,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a4cb8a-0b91-4f38-8bd8-dafef2bc68dc,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,013df5dd-d04b-4d05-b3f8-48a9a7ed75e8,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec7ced8-d0d3-4ed4-a0fb-d29357e32917,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af46d321-8523-414f-9a25-d747cd1882f6,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15236 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d3974a9b-713e-4c43-a6d3-2f40bc4d4d4f,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9968 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,952912f9-982f-4e99-bcba-d6edf3cdd4f0,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + 
+ 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14612 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,89b57e63-1d5f-459f-bb17-df0dfa0bca65,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13840 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,835cd305-c078-413b-be74-143be1ba3236,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 12340 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,95c65dac-5e1b-4eab-9f95-0aceb91e7638,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6088 + 45 + %PROGRAMFILES%\GOOGLE\UPDATE\GOOGLEUPDATE.EXE + 32 + 062FFE3E27A7A52316D300284F95BDCFD70C633E79C22B67159DE8E05633BFDE + 90 + O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US\GOOGLE UPDATE\GOOGLEUPDATE.EXE\1.3.36.71 + 0x3e7 + 53 + C:\Program Files (x86)\Google\Update\GoogleUpdate.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6433d5ad-c653-460a-a9bc-b3c52257624f,"4/16/2021, 9:30:46.009 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37f84a70-428c-4d9b-b426-04078942ef1e,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\TEST01,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,33996af8-05e1-4c09-a1ae-bc5e754237ea,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\LIMITED,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e431359-a503-4fc0-b884-74310b51c8f0,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\ALMACEN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5f5bf958-1c40-4aea-a152-919f715e82be,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06aefc42-661a-4c70-b35d-3d0e6b612006,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, 
+\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,337ae5ef-af1f-4420-850d-622108a0423b,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\SQL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,35605680-aa5d-43fb-ae46-6cd92db4efaf,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6044 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0ebee2ae-f622-4015-861b-322db9a48ac9,"4/16/2021, 9:30:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4584 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7b2bbe07-9fea-44d2-826f-064aba85f005,"4/16/2021, 9:30:52.726 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b4b01532-00c3-41df-bc29-b5a4d18ef385,"4/16/2021, 9:30:52.726 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0dda6c76-cf66-4123-8ce6-94ce53f6c85d,"4/16/2021, 9:30:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,52866afe-054d-4740-9db5-5cdcf877e858,"4/16/2021, 9:30:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,83744afe-f04e-47b9-87f6-67d096c7f920,"4/16/2021, 9:30:52.726 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6596 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,add03a95-438d-484a-b630-ee18fafb4260,"4/16/2021, 9:30:56.146 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,adfd9093-5e1c-4dff-a356-c04ee3b3a524,"4/16/2021, 9:30:56.146 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65be4a6b-661b-4582-90c3-2116cbb1053b,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2627ed6e-06ce-46ce-8504-259b0e0d3404,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec05b8b-1212-4273-9a17-ba25556b270e,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f6767d9-887a-449a-b532-0ee02ebf1420,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,affbe88d-d49b-44e0-8731-d324c23c64c3,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa47e3b0-8552-4c6c-8ff7-fb8ab8b152f2,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daf0a756-7d9c-4037-b0ff-8435771ee718,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be72f150-2e99-4a83-a7bc-a658e1edc620,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be730331-cb96-4d49-a185-1cafd63613b4,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b940922f-6857-46e5-8c6d-6f9597b4f4f0,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e19ee695-878f-4bc2-b58e-e4e0d218ef1e,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,059ff47b-9d47-4750-b469-7ac2c67d7444,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b507e798-b678-42d9-b397-761b9372eff9,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4c69db3-c66a-4bd5-82ad-104ae49dfc1b,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9de45b-6fbf-46f6-9e1f-8a17affa837d,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb4fcb7f-39fd-4eab-a8a5-1ed0666ed476,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb21f4f2-4de6-480f-aa23-0ca0be1c174f,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa166a60-8771-4d65-8038-0b4e4f1d2e05,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d020534-5aa0-4641-b0b8-6f22388a6b62,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e9cc5cc-f255-494d-928e-a7cac9f6d4bd,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7655c7c0-830b-464d-9a76-e45fba09f6b1,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,897b9672-dbe6-4387-b992-4a0398e863ee,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aebd783f-6499-417a-a6be-bf6e94da95a9,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8672a2-36e0-44ce-9472-cdccc952f863,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e972bade-139d-466a-aa67-78c9cc2a4c70,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5946663c-e197-41b5-b9bf-80c390299219,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcfe41a-520a-437a-b38a-990af0f140cc,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e29d1f8-2a10-4485-92ee-d0b9a689932f,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33b6cb14-5b34-4a9c-bb86-5292b646cec6,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2265127-8686-4437-bf2d-e8a219d52b4d,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a059fba-4e57-4318-81d2-1bc50a7072ca,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41ac584b-75dd-4f5a-8831-2c9972a8c1ac,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30a66643-6134-4527-86c8-6b7df5234e9c,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a751c160-f502-48d8-977e-61b8cf720cec,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee6cc86b-5917-4797-9991-21d3b73523b4,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eef09a1-96b8-4bce-b5f6-cf2dbc618b10,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae6ddd2-2b19-41db-8360-b3c2e9cfb491,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4c54b5e-69b8-48a2-a7da-c71ef0cec0e7,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,126780d0-eb44-410e-9535-2e467148912f,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\RMEDINA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d140db38-5695-48e9-9d6d-ee93dfc18a4d,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03841f8e-81f4-48f2-aad4-7977345e53f2,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba137e30-36e3-4bd2-b80a-21bace39b8bc,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f30af07-ff44-4104-a010-c21c921ed5ec,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d313f72-5735-4edf-9847-20ecc8019f07,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b019747-6eec-4992-9dbf-a604b6d238a3,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,824368c6-18bc-4d9f-9fdd-3eb4dfabb781,"4/16/2021, 
9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,808eb302-23d2-4c5c-befb-e1734744cd0e,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,951cb6fe-8342-4504-bce4-921ee44688ce,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,6e18e966-6080-476f-9bf8-891fc34b85d5,"4/16/2021, 9:32:45.885 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,843d29e2-de86-4198-b8f2-fd12d54f4ef1,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,27188a72-19d3-4285-adc9-bb10dee0fa31,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dd5151f7-57bd-40db-ab39-1879c903f909,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,caa12544-851e-4c9b-bc78-ac7a8d78c517,"4/16/2021, 8:40:08.044 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7c453875-a62b-48d3-94d2-eeafa3328cbf,"4/16/2021, 8:40:09.853 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5144 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,176ecee4-f017-4d6f-9c43-47a4bdbb89d8,"4/16/2021, 8:40:09.853 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a3ac3a2e-83ba-48ee-abb3-a7bb02d59a8d,"4/16/2021, 8:40:09.853 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,23f5ac52-1c6c-4e0f-9e4d-fe3b92b2a597,"4/16/2021, 8:40:09.853 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,26f36a56-6232-4f2b-8ec7-5937aa574e0e,"4/16/2021, 8:40:09.853 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1aaf3146-dcdf-40d3-af39-32d997ced982,"4/16/2021, 8:40:21.503 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,573da621-b77c-49f2-9488-de0541f0ec9f,"4/16/2021, 8:40:21.503 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ae5ff55f-3e38-445d-9138-c02ce21cec25,"4/16/2021, 8:40:21.503 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,33b19935-721d-403f-8bf0-a67a2df91659,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7748 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a096438-497d-411b-b5af-b67c6d423e17,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5876 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,284e1117-d362-41d3-972b-642f25958cfd,"4/16/2021, 8:40:21.503 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e93f8212-e8d0-442f-96ba-cb88d7ded0db,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6328 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af717561-469f-4671-b72c-2d7bed2473bd,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6896 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,11e2766c-42d4-48d7-90f1-642cfc56b98d,"4/16/2021, 8:40:21.503 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d07baee-b298-494b-b57f-9740f2a951cb,"4/16/2021, 8:40:21.503 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46510e6e-b5e9-4e62-9c94-a58ab208df00,"4/16/2021, 8:40:21.503 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d40620b8-ee6b-4b02-b3ee-604c8cf00f32,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba8c4121-ee14-452c-b9cc-38a4d84b696c,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3012c956-7785-49f6-b76c-2784861813c8,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e923bdc-fafb-403c-b5ac-8dbd55278b1c,"4/16/2021, 8:40:24.595 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42e84546-10e8-4701-b96f-7b36489cfc9a,"4/16/2021, 8:40:24.595 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48bb7b85-d2d9-4f2e-992c-36ccb531bc4d,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3dec3f5-717e-4f13-a4ca-45ee4497ed67,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cf5313f-9dc3-43e7-b4cc-ed3098a24f57,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cc9b68a-4f2f-4afe-8215-be9c1f31728f,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,877c5470-4636-47e3-99f0-cfa16166be53,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae27d486-282c-43d1-9a4b-554a2d22f44c,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbd0424c-50ca-4ddc-9b30-dd17b1d7b2ab,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d235e08e-7d0f-44ea-80fd-4c0c795734f6,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b191efa7-1073-44ef-a5ad-c9cb8583afb6,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98803a58-5672-48a2-99b6-0050ebc1c4f5,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c0ca6e7-aed0-4a2f-be11-e391105aa7ae,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb635bb0-bc99-4cb5-b096-fee40c12c3ec,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9025b3c9-b3ba-4932-8c90-cbf1a3703976,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,522062ac-7ef3-4488-beb3-df2ab10f6aa8,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a694d30-0509-4bd8-8bf7-12d921889f80,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6243fb09-2000-4923-b604-f53d0be161e5,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ded2706-6b92-4054-8c60-420c9dfaedc3,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8493842-d697-4141-a025-a067d1d46dee,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db763d77-b76a-4335-be2c-f58890532307,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8944 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e6e7cd6e-7e5b-4b57-8139-97c266be1b6b,"4/16/2021, 8:53:29.590 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7736 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,68ac72e7-2ecc-48b5-b32e-5fbbd55705d6,"4/16/2021, 8:53:29.590 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9b905f4a-0d3e-4232-8f6a-a76421ecfa5a,"4/16/2021, 8:53:29.590 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,78603911-cb16-4c12-9602-1c7ea833fc9e,"4/16/2021, 8:53:29.590 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6b1baa0-e97e-4a1e-b059-1148478bb946,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,866f93a2-2ec7-4fba-af3b-ff10a403edb7,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,050f9495-b441-4592-bee2-1850eb0d418d,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f4120b5-52cf-482b-88b8-e45ac6c9528d,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e3eca58-2169-4053-9aeb-1a31d328ca69,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e001b5ad-72e9-478a-98af-949a7ff3f30d,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f645c6fd-17a1-46b4-95b3-7803c9ca5096,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,38faf047-f356-4393-97e0-a16f786f9adc,"4/16/2021, 8:56:55.111 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8388 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee3d342a-f5da-483d-9366-0bdb763e92dd,"4/16/2021, 8:56:55.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87defba1-acd8-4339-a5a2-43df3c2a89d2,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2900c61c-25eb-4287-b632-b32dee2d20ba,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a068eee1-5ff2-41a5-aa12-13923db36191,"4/16/2021, 8:56:55.111 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bcca165-61fa-488e-b3ad-136d35cf1ad4,"4/16/2021, 8:56:55.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c64b8e04-63ab-4197-8fc9-de0592021d9e,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf5edd0-e2e9-4872-9115-48b1675eaf70,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7e0d907-48f9-48af-9a3b-c435fbca9c7b,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8117c408-3172-4712-a12d-f1e78e0f3103,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa7e2304-ab3a-43c5-b27e-4ae6195c2f86,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bccefe94-2277-42e1-bc14-628f2dc697ad,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02bdacec-291f-4b2b-a4ee-e6da44189560,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ee2e10b-6d52-4104-a639-0c8b48532d2f,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d95bc9b-1f8f-4363-85ff-8c56b9bfe261,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,281700d0-6dad-476d-bb02-fa544cc40e43,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deb26d23-25ee-4b6c-81b8-187ebf8d2d88,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4847ea0a-bddd-4c83-95f2-b31c9e1a7392,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d4d61da-87c0-4274-ac51-80d1c740da5e,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,688efc1c-5e74-4b7c-9cd2-1e0b764e999d,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d84bdae2-53da-44c2-8181-1f65872aed1e,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46ae65ff-8920-452b-98ea-03cc8f9a0d12,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b04ec409-254e-4146-a89b-60546cddefb0,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a4aedab-1460-4430-ba5c-689ee00b3fc2,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce3760b6-4eea-4f02-b13b-9012f81cda06,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34401770-2bb3-45c0-8723-ded52bcad9a1,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab9dd68a-d928-4154-8a7e-6cd375393259,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c05d62a-d0e3-422d-aad5-7018182a298c,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,212e8535-ac04-48f7-a2f2-2d56ebf1f9ab,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87c27290-dee2-414b-b88e-25c2fd51acd0,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11989094-3a58-441f-97cc-ee18a0425331,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a5059ee-1236-4c4f-af47-6e5fa6f30ba6,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24feb2de-f6e4-4d58-bc28-da23b8729587,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd0fa1f-d737-4722-8d5b-ab6d496340f1,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\OVB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1292f52c-a9d2-4f11-a0a9-587508efe8fe,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5af40926-0a41-4c85-83b1-1535ce30d235,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b51711a4-6d34-4038-8d4b-ae485b08d13e,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0437495c-6367-4293-b7fb-8a0a7e7c5d9c,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be95af80-9d9c-45e9-a3d6-9ac99acd7fbc,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,825f65c8-f239-473f-9a37-8a2eac34c5bb,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55e078d0-fdef-4fff-bcba-33e5e95649b4,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a9c4d98-c868-49b0-bacc-c47069248844,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,031e8c57-f781-4c3e-bf94-d80a9a101b35,"4/16/2021, 
8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e9a3ca-a476-4aa2-abed-97bfcab68f8f,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b00a882b-b47e-4540-b3b6-f7d5da63aadf,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3012916-f687-46f9-a577-679c4aeed41f,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ebd881d-4981-426b-b242-46a355029d93,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5576d926-1f86-44e1-a084-c421f1a1f411,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79a7ba66-8be9-4ab7-9bc3-588330135bbe,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04d8cc27-9266-4add-a196-e2ebac3150a0,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ef81a5e-b8d3-43da-bd72-6ca03d7471fc,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbd8b441-8161-4ac7-a418-b0c8a86f0838,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf7a315-9ac0-4b69-ae8d-95596d6ef87a,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,850ae4b7-b543-45f4-b00a-df8f26324c60,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b108c6a-84c2-4c5f-9682-9ba34d6295da,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8750029-47b2-4172-99e1-5530a1512b2e,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b861b5-3c58-4abd-91db-8b30b499c0d3,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1975fe28-c703-4b89-8b06-4e38ae9a110b,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36c2181-c188-434c-8ceb-d524f2eb6048,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f7f2f40-4547-4c31-a5f6-620b8f09a9b1,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ace22db-4c54-47fc-9d12-18f653b5bb2d,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,5e1829e9-f233-47ea-973e-458e8f688dd0,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dcb93d87-4cdb-44c6-a001-ea3e4a3f6e31,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5132 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,23e9433f-2f0f-4f5d-9825-d2fd14558721,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b29ab16d-fb14-4127-bc44-a3f18942f0ec,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e4b3543-9123-4526-ab52-29285a216020,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,565bd2ff-fd54-4844-aa09-650d4ffdeb52,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8668 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d676bf6-e517-45c2-bc1e-463c722fa748,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10624 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e2bde169-d320-45bc-83d8-f7f5beea049d,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,93d2249c-977e-4dc2-8aaa-8c05adce3094,"4/16/2021, 8:47:26.542 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,398e9cf4-1d76-4bbf-b844-dde545b7f3a8,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6764852f-8962-4adf-b15c-b8df3e677f31,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc52913-565b-4ab6-8864-ea519f0228bf,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c04648-6ad0-47e7-a6ac-38b72d19a6e8,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa5d50f7-a523-46f0-bbaa-8e2e7cd18f58,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baaab09a-d2ee-4383-83ef-b98930c262c4,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c6fbe1-55f7-4e80-b2c9-41ba54ee2ddb,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,203308a4-1eef-4148-9969-06b17def515b,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b655f240-1139-41af-9f92-212ccf24675f,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54a3a4ef-a5ee-4ed5-8d4d-27d419ae9fd4,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e649f8d-62e5-4ef0-abbe-8fc2f1bfc362,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1722d236-a3b0-4ee6-83d7-18665adb6400,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,771ef88f-3f9e-4281-a022-569423bd7bcd,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02dfdc65-e972-4dac-bf89-d6efc40a6045,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5378c4-4510-45b9-ae97-c35f7bdb650a,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6711e0d3-e085-4663-bc42-40bd9a0fb688,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccc624e0-8005-430c-ae94-c7427148dbf3,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,543306e0-a669-477d-93ab-ed9a5d8952f1,"4/16/2021, 8:47:32.102 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2325437f-2664-45bd-9a16-6002904069eb,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c491e0d-ce6d-428d-ad24-f3a4dea89f7c,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c43774fa-3205-4069-9371-3599727b6e02,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37749456-607d-4b46-9a9a-ad3495f6e576,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,590f1f96-507f-4287-8ebb-920d9cd5c4f7,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0cc3eb7-313c-4931-9b7c-39e7ab7518f1,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2780942-fda0-482a-87b7-d5aff154f605,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7e1266bd-493b-42ad-a550-984837149e03,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6861ba6b-46bf-4d3a-8446-db96c6483485,"4/16/2021, 8:47:36.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f00fc198-d6de-4c3b-89a8-c0bfad20bc32,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,db1c63c2-05a9-41b9-bba5-641c6fa78bd0,"4/16/2021, 8:47:36.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d8ca3cf0-2e31-4d6c-8e1f-e2a53fdf3b23,"4/16/2021, 8:47:36.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,0d94d564-cec3-4b92-8ab3-c0f4ca13032e,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3beeee42-3bcd-4031-8b55-54b7996b524c,"4/16/2021, 8:47:36.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,db442ef3-7016-447e-b1a5-fc4b70570e4f,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6598c8df-d7d0-41b1-9506-aebd98774f52,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f3d9ae61-8b3b-4635-8638-89f0de2ead3c,"4/16/2021, 8:47:36.048 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f82dadb-6759-428b-bf42-b901f3e381ad,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98358e78-eac5-46e1-a416-75389de8e841,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4ffdf7d-0e58-44ee-a5e8-7403be0ed5cf,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbaa3a82-dd34-4157-bd07-889f7cf2ccc1,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50512757-b0cb-41b8-9a55-b708915013a6,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d23cb331-880c-4c38-bb23-2318b558fc21,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a40956-cc92-4bdc-8aeb-ba79d9954239,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c646123-3e9f-4fa1-b577-c53b917fe166,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5044f9cb-8aad-4d6d-b51c-a1cc3f24779b,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0766c470-5f73-46f0-8749-2b1d24a644de,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c9f15a1-1845-4cb0-a989-36e5369e10fc,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a090b99-15cd-44c5-add4-7aebc9fbd22b,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40240c08-a269-4d56-bf2c-1df9581696a7,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c20f23c-c49f-4c8f-894c-96f6c0656f1d,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c9a63b-82b3-4c89-8e40-eda62461417d,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4720b425-f64a-43d6-bd6b-843eafa455c1,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb34b078-8bc3-4562-8c99-a8129a5cf983,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d1660a-5bd2-48e6-85e1-54daf2b8eb19,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2507cd98-c8b2-4aa5-abdb-ea8ba2d75031,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd15312-990b-49b4-af03-88d85c81dfb3,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb0a4ce5-27f1-4612-9a24-3da218ef40d7,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1e9f00-b19a-4cc5-af36-693fc8c35855,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14102481-2184-4fb4-be06-18692a419a51,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7511156-d712-4c10-a1da-1e2d38f6a9ec,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbb9144-87eb-4d98-b721-0b9121fc302a,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c1d3223-12b2-4ac3-bd8c-7bbe37ebc78a,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,165ec5ce-0db8-42e4-aa25-eb8e1eb8cb87,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3592264-a938-473d-9332-e477c0df6593,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdb2b9b9-0cf2-42c6-a9b9-abc14f5f4564,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52bc2ee8-3578-4f54-b467-602bed26f7dd,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3801ed9e-4e84-4704-8179-97ca2de5f006,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e06e98c7-8da3-46ce-88cc-07e23f767302,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,973adf3a-e751-40ae-99e7-b11b6e84f02a,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b5c7ce1-a843-422c-9ead-dd1f1ffb0b8d,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fcb4e1f-5c45-4528-b89e-7792877fc479,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff08ab83-aed2-4638-95e4-6f3d8e351b9e,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29c8cacd-5c8b-44dd-a50f-b41b65a38a30,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91dae080-9c11-402d-8e12-6ea3241d5971,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f165cfc1-5db7-4b0a-be12-c9ca67b738f8,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb30f75-b7c6-40f5-8c6c-8516c030c17c,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1b931d0-23d3-4654-a876-2e7f3e9d5cd2,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,998fa223-8428-4cec-ad3c-8fea76572f11,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c0362e4-6216-4af3-81a3-6880c43100db,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fb5c1da-53ad-4c20-abcd-14797b692a66,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6412fd8a-b2df-44ca-8213-43642e7cf1c2,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f156d13-80c1-4a85-b917-43dca2ce6e93,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f9fef6-0316-4e1a-b95d-f3e7dbe84072,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a13df46-018c-47d7-9745-8df4a102fbf9,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,363e1784-5d85-479b-b0b8-f1ec5f84be88,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cb70724-1bb8-4bc2-9696-3b012375dfd2,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c38d4b3c-451c-4a28-9801-fc94fc7b9d1b,"4/16/2021, 8:40:31.859 AM",,,,,,, 
+CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cc25e30b-c95f-4ec5-a94a-29e6a1cebd89,"4/16/2021, 8:40:31.859 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24150234 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5b3d6a30-d5fa-451d-be05-e6168d911201,"4/16/2021, 8:40:31.859 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2e7d0a75-7177-4027-ad51-109b83f176ce,"4/16/2021, 8:40:31.859 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,df6ac821-24cd-4a8c-98e1-2738936f05d9,"4/16/2021, 8:40:31.859 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,733f12cc-7fc3-4fd4-ad5a-9dffe5b06fe0,"4/16/2021, 8:40:31.859 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c02e2e6-06cb-4ef2-aa27-a584f981bdbe,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a298ca66-2643-45ac-b074-5c5b22a5bd44,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11e10bdb-e6e4-43cf-a1e6-1d45076faf49,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8265c387-1c1e-429a-a04b-b73296efdac3,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f939227-8dd0-43e7-b2c9-1984afbb9e54,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a71123a-b3a8-4e91-9a57-905c66ded362,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235385f6-ab88-40a2-99bd-2eb18642505c,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7fa0dd-b4f5-403a-bc4a-6da92f1991d4,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539e887f-eef4-4e35-a373-5332d014a34f,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,162428ba-3a9c-459c-be58-14339952366a,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6308470e-d62c-49e9-97a6-7501d755609c,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72b49dcd-34a7-41b7-8fb2-c93f65c11efd,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cf6a1a8-730e-4ce9-a3d9-3adf5762e946,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2dca2be-d53e-4afe-8c1b-859093bc725f,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b021b21-1e6d-47d9-b8ec-2bbbc8e58894,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71cfe2cb-d757-4699-8793-ecf3ec8848f3,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6d5edc-4145-4dc1-8c65-81b649789f7f,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff3cf123-ba23-4f70-bbe4-307ea5126723,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54c95a5d-8541-4b57-99e1-321a6e2578f4,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad90091b-4e16-46fa-9a57-35ecb03841de,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c9c6c9b-2324-490f-ada3-38814642cbd9,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,081e4c99-4fce-4c0b-8389-4b460b898ce5,"4/16/2021, 8:40:32.109 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffab43a1-229e-44a9-bc2d-c9c0d5825a3a,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60beab1e-42b7-4bf5-8dca-6ec173c064c7,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ebd5505-afb5-4431-8b77-575b6f88ee30,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d2b961-b3b2-4a95-831f-de84574f6223,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53c9b77f-d6b5-4f30-867d-fa57c57eadab,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e161f6f-86b7-4996-b846-b0d6f2d7b626,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27afd389-176e-441c-8433-a650d6cd7ddb,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2cb69ff6-7c44-4176-a105-66803e7767f3,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1e7e368-59fe-498b-bf1b-bf88d8a6b127,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1375a39f-5241-4ad4-97c5-4e459e1a3b03,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4313da85-ee8a-4a80-a9fc-cb1cbda97fdc,"4/16/2021, 8:40:36.591 
AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b74cf399-9140-4f4b-8292-6de762b1f88f,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e5d07e7-61a6-4812-861a-60c8964286fa,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bc4fe37-ac38-40e1-9e5f-1d94f6945ec8,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11024 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5548bd8c-dbe4-4235-a9c0-92faacae1258,"4/16/2021, 8:56:57.075 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + 
+",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3775d347-3c28-42b8-998e-a0e7a10abad0,"4/16/2021, 8:56:57.075 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,626e6b07-c493-44fb-9b2e-5cdb4bd47eed,"4/16/2021, 8:47:40.433 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1f49611c-535b-4f1a-ac34-fabf157a7168,"4/16/2021, 8:47:40.433 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,993ec157-4bb9-4d65-b6e1-eae766d80ccb,"4/16/2021, 8:47:40.433 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ac5c2dae-944b-4db5-bbfd-57268bdec267,"4/16/2021, 8:47:40.433 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5472 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,056ad3df-527e-4597-8fc2-f978da13fe9a,"4/16/2021, 8:47:40.433 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,90b48916-e17e-47f0-8ab0-e04bb572e7e5,"4/16/2021, 8:47:40.433 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ae00bbd-a6b6-4454-b3a5-7f4b4c1a1aea,"4/16/2021, 8:47:40.433 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d86b67f6-ee59-461b-9e90-9a19f05c7f6c,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6022991f-6897-4b08-aa49-eb832ca31c23,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32eca8bc-f2a8-4d3f-8769-3397fa611273,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8c12091-f489-4da2-991c-27ff1d7d668a,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95e6e503-62c4-4f12-bc0e-5871b50b8264,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,155bddf9-9e1c-44a7-a6ed-fd07baddd153,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c5093f5-c04b-48fb-adac-03692e4e6364,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e201b7-abd6-4a59-9254-5c55873ff8df,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47317468-7a5f-470a-8019-5fdbb8c2a35a,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c2f0cfc-33ed-49be-bc47-06263209f7ca,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f2912d-6271-498d-9b9b-0469d03c35f6,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b3985c2-03cd-445c-8ff4-e477b6ca404b,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 
+",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,2577abd1-7331-4447-8364-41abe8ee61d8,"4/16/2021, 8:53:35.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f3b76e8-4690-4d93-85ca-8b122ba28c20,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5150380-9fdc-45f2-a161-791eff0a4c80,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8df830b-b1dd-4cc9-b083-f4aa7e476d26,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89a4e8cb-f128-4aa0-84ba-ca650703ad8c,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fab8c996-f236-4a73-b6e0-dfe2aa1f7b4d,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e921bb3e-6269-4c86-aec4-b628d5392c3d,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d9f9d5-48c8-4019-a7ce-e3b42c7a2601,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,939d9823-608c-4a29-94b4-048258d85e9b,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b9ec1f2-c915-4dc7-ba72-9bcb8301215c,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc586349-78d5-40d0-b9ec-834ed42cc315,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d72e151-fc5c-4275-91bb-6fd5c92cdf05,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,74ff14de-b37c-451e-81ae-157b54a3562f,"4/16/2021, 8:47:44.855 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,994ca9ad-a101-4959-89b4-3656c1e76bce,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d8fd35c-e20b-4a29-8595-2b4e314accac,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9e7ba1e-ab05-45df-8ed0-60fe173ed097,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5c70b57-dacb-41ab-870a-6b6bd29e8cfb,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,431dd281-247c-443b-9718-249df5fbc14f,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8aa7bd15-2d72-4f42-9fb8-88439b758522,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc31b73e-34e5-4785-b2ca-91c0e66ac809,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdcb394d-c61d-472a-b0de-1667a8832df9,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\SCANS3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50ae81ae-33fd-431c-aad8-87ed8609d794,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8d827d9-8927-4088-b26b-43ee34f3f303,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edb1a09b-5f0a-4e9b-9085-dc470f4a75c8,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57c17aed-6564-4364-9aa7-b198d0907d90,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f598c61-50e4-4e0e-9d06-2f3bacf83a30,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f61be22-d49b-4ce8-a0c8-39a0fcf9d496,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02d29881-9392-462f-a94f-b3aa03dd396d,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,097d5fe5-3867-44df-8c11-4614fd102487,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\HP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52efed91-d6ba-43c2-98c4-4adfd870b05a,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec904bdc-cc29-4306-a988-060451e654dc,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af899646-773a-447f-aad0-f986d01bfcff,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeac8c5d-29c0-4d1a-b442-d0528d791598,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1f54553-38a5-4481-9ea6-39ae27a44659,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c901c783-d79f-450e-853a-18557e853b6a,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7721e736-be60-4b07-b7b5-af8aaadee5fc,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57b00e4a-37cb-44d2-a1ce-70f7d745f7db,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abda2a60-8f9c-4189-b224-9b628573743c,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20148bc7-3bcb-4404-83d9-45ce7f52edfd,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed34d636-2fed-442d-acb4-9e6802a0d125,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be2b3aa-bc41-488d-b0ac-0fc5251ecb9b,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bc5ac8b-bfa1-4e59-a397-b2794574aa38,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a28a74-9556-4ed2-8c2e-e2bf023c6c8b,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63f35d2d-65d8-43c8-b469-68987ddd86b4,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c788981f-f1e9-407e-9f57-8d83ac996124,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83a76fba-abea-4fd8-b9a2-86188fa4e252,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,794c9d92-f8a4-4685-8db9-fe4f12f1bb40,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42fad4f0-2c93-414e-b547-0b5dad65a0c2,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af0e236-6fad-4c8c-bdd8-6d43627a7403,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51747cbe-506c-4158-a802-647d1dd249ce,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8defc1db-2462-4dc3-b93e-45d3f22dc175,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda984d6-6d0d-40c8-bb06-bcbb75963c36,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d90546ef-5ee7-4d97-a469-b2e3887ec085,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46e5fc9b-3025-4e34-bb3a-50f264fbd62a,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95e65abc-102d-4e8f-8ddb-e7ede377f20f,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,613571b6-e584-4998-b49d-9194d6af71b7,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dff85a8-8591-4e64-9be2-5e8d3cc1122d,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,001908b8-4798-49d3-a53f-4917d525816c,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d473016-ca25-4681-8a47-489c7908df8d,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8dca4a0d-8d02-498d-b669-89451048acd9,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,702b38ac-0f75-4cea-b106-a0537cc393d5,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a920935-46da-4262-a559-5b4cabfbfdf9,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebfb83bf-8c5d-4f72-981a-d142d51be432,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a3bf484-af81-442b-a01f-d6de8fc91e4b,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f93d541f-d682-48e8-a73d-e3b9f9856255,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1ceddab-61aa-4f89-8c59-b6483a945e9b,"4/16/2021, 8:40:36.591 
AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b27aa5b-ce6f-49d1-8cb0-f0deac091466,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eaea7c3-a7bb-48ae-a1fb-b21757b0b615,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0914bf7-1016-4308-b89c-c0a8bd485b92,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50346d04-d2e4-4f0c-97e7-5f6e53209bc9,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5afaff9-2c4f-4983-abaa-e807986edc75,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43cbdca4-e4a1-4b11-a13d-d58607958f8e,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ec71af9-dfb0-473b-a561-c1596c36296d,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be37c22e-db89-4180-b789-04ad3d233d04,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10d20c9a-a7d5-43ec-a95b-f6cecc65145b,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26827ad-d3b1-4d8b-9bf0-c7b81af3bc24,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,984026e5-5c2a-4413-9c63-6c02be26a051,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91aa4ddd-f38a-405a-9f92-9941899f3f1b,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36533584-ec09-4777-adb1-ac930f141e2f,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff3cb93a-f78a-4a65-98fb-22f7201076da,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad2bd238-f5ab-4300-94ad-4708830cf2c7,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a64c51c4-31c5-4aba-90fe-944dcfbf9251,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61f65871-b03a-4ec6-8a7b-f318114dcb58,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53cc3527-54ea-4179-b95d-ca44b801fa62,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b09268b9-cb1c-402f-a971-1027b8d98c64,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f886d62f-8cb8-44d8-ad2e-63b27448de8a,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,595a5c5a-fb68-45c2-b8e2-822ef7b45e3e,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76f9acf7-31b7-41bf-b603-ffe61e08af14,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a5b32a2-edba-426f-8a9e-abfbb01c4458,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552bb68f-c678-4f86-91c6-c4b125fbffe5,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,932e2b44-1904-4038-867c-9f9f70953ae5,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,063672af-2770-41b3-b125-f15551c7f757,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,397b8e5b-4c11-40be-812d-f8aa53810758,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9560 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab0edae8-71f7-40de-8341-b7b231c40a4a,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebef8431-1de7-4bab-a617-f0052c737480,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2176 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ce0b02c-fccd-4af1-b464-4d32743ded7a,"4/16/2021, 8:40:39.556 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5354c8c4-a8e4-4eda-9374-48f209efb5bc,"4/16/2021, 8:40:39.556 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5b5b4eef-f09d-4ff1-9525-98097c51374c,"4/16/2021, 8:40:39.556 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6eeef678-db06-428e-a98d-ebfe764e4aa8,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6148 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e809a28-9e57-4d60-9dab-b2045812cccc,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8492 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,06dc9732-ca03-4879-89bd-79b50a67bdcf,"4/16/2021, 8:40:41.980 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10692 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + 
+",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,40f0a43c-426d-4e69-8520-0687dd1f8d39,"4/16/2021, 8:40:41.980 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9104 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1456805b-af83-4bcb-bdfa-315d5eb44340,"4/16/2021, 8:40:41.980 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5484 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f0e10e62-d776-4750-a1ed-b763523d1bfe,"4/16/2021, 8:40:41.980 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4f829974-09a0-4fe3-82bc-e10a170600b1,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,798b1766-862d-4731-9d7e-4c1c7bb01688,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78371ccb-6867-425f-ad22-707ceb2fc04f,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ac1e930b-d09c-4a15-9b9d-8cead56138ad,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b4e8286-5491-4eea-a9af-2cd331b62829,"4/16/2021, 8:40:43.061 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41dd4a79-a965-4663-81db-c501f0f24424,"4/16/2021, 8:40:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,08ccbabd-d124-4fd5-970f-79187cc7c0cd,"4/16/2021, 8:40:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ef4414b4-ab74-4e74-be0e-dc45e3b8a8d2,"4/16/2021, 8:40:43.061 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46700572-e7d7-4934-b240-85d242cf9c1d,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd7b2199-36bf-4e56-99d3-81b4f551595c,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdba5f5c-58c6-47cf-be72-af22811f4a18,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07b6097-45bc-4aac-b4a7-245b694dab7c,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5503b8be-2444-4a13-8fab-7a9f984f88b8,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f67fc3e2-163f-4658-abae-ad372945f91f,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07ed9a8f-a6a9-4e42-be3a-cbd339d46225,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58daea5-49dd-4d34-aba8-25574e63af1d,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50e058fe-acf1-4e18-873f-c193eb8dcf51,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5edd83af-fb57-424a-b43b-9c969ad3c92e,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08e84a18-f73c-44d9-ba4e-6a31ae6c8065,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19c96179-e593-45fe-9716-9475cd0c3367,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e20c244d-c26f-4456-aaff-20ca26bda5e9,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dd1f46f-74f6-4dbc-bacc-116ea10b8c2e,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,784a54d3-d694-45af-ba27-5c977d1be147,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01ee5f6a-9bdb-4ed0-a71b-00d260d43f76,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fec4b0a2-27df-4705-8b54-5931358c9cf9,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9237f21a-4f9e-4682-ada6-97a5d3e8331b,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e55457ad-0738-4506-b828-bcedac23e14a,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88117cb3-6f73-4c5f-adea-7ebb844f09ba,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9a9d5b0-216f-4c3c-a6f3-668e323f051a,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47034714-0b2b-4e59-bc8c-65ca4f3e7581,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,341ac40d-5304-4de8-ad1a-b790ff2ff1b8,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f3832f6-a042-48a7-b2c2-06ad2c4e963c,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0566128e-3ffd-465f-8481-424f986d6ee2,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c03c75e3-948e-42cb-9277-834e7fc85b1d,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81f2caaf-6dea-456e-9fe4-667a955da74b,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4555d2eb-fb2b-412c-865b-6a44865d545c,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4460cfa4-f8cf-448a-b699-1a9a05386e32,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ade7f19-89a8-4fbb-ae78-1c481a43824a,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc1b5f5-5e1e-4ecd-8ce3-3dbc3847769f,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10572 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,55b504e8-cb66-4415-aab3-1cafe88d2c1d,"4/16/2021, 8:47:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d572cbe0-b085-45f7-b8cc-33c457b4a61e,"4/16/2021, 8:47:49.270 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12452 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f80941eb-d4ed-4f46-a707-ab5f678dc10c,"4/16/2021, 8:53:33.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15084 + 23 + %SYSTEM32%\SGRMLPAC.EXE + 32 + 884A078F302053019A3FE11B1C2BAE826C6B1600D3542A8C0FA4511FE88C0320 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SGRMLPAC.EXE\10.0.18362.01 + 0x3e7 + 32 + C:\windows\system32\SgrmLpac.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a45ac430-1360-4d29-adcd-299dd6f30f85,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9e172241-3208-4008-9193-4428b35f88f0,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,939b0f74-faeb-451c-bd91-f7d776e5b9b6,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,67071b0a-7629-48c8-9ecc-e54b521342ba,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fcf3eb29-058e-41e9-987a-0f78280a57cd,"4/16/2021, 8:53:33.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6180 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,62da381e-2ecc-4f70-ba6a-6c5f1b291dd0,"4/16/2021, 8:53:33.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4220 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e2a92efc-9d83-4a60-a7dc-5f3f080196fb,"4/16/2021, 8:53:33.862 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a78758dc-33c3-40a8-8228-50e033b29098,"4/16/2021, 8:53:33.862 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bc24228-5217-4b2d-a1e3-935f52d4507b,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82cca7d0-0829-4037-a8e9-de43359e5335,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,784d65c6-2917-4c33-a1ef-4a77599f2f28,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48512a81-fd52-4011-85b7-283b907c459d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2362120e-0a7e-46b4-be55-e5941fba1cb2,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f24ebe64-dc27-426e-b785-2dd039bebb23,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3113ab9-d6af-4a00-b903-c22f35e856f5,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847c33e1-1c9c-4a8c-8a6a-82588e97a27b,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dee5b353-1c7d-4f2f-84a8-9ce08d74565b,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,194030f9-d00f-4e0e-9ad1-40892df6d05a,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b936940-0041-458d-9b37-5f170eafc573,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8cc461-0945-47ed-9c53-d6be2edfa909,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab181292-6bf1-4771-b6fd-14c5f33da407,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eacc18d-1822-45af-836b-7355bccf257d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af307bba-5103-42d0-97e1-262bd0ea1c48,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5552e5fc-aa9e-456b-b688-f36f3f24e343,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ceb3ccd-38e3-40c3-a71b-3352c975f276,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbb4a55-4d4b-440b-870d-9ead0cfcae9d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81870ee4-7bb7-4777-b36e-49280918fe4d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2787ac67-81ae-4b1b-9f05-cec6784de820,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0895ae37-1724-414a-aeec-cd16280d2b37,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,461d98ba-bd7d-4e46-a75f-399664d833bd,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25fcd4af-5fd1-4b9f-a7ee-334dacd3f2ca,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e45ef453-c8db-4627-8ab9-b18fd2ac6051,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,430c4724-2d61-4764-b847-5d30d3d99c76,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d966ad-b215-4f28-9620-0435cf2f5e70,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b9be3c1-c5bb-47f0-8760-3d56cb14e341,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad1b182-1fba-47a1-a11e-381980f8fbb1,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,256ca04a-bb1c-4370-9af5-e7f63fa43ea1,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88bcb7db-4432-488b-bd46-6edb4909cb8b,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56382218-30a4-4180-9da6-99c3fee55861,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad8cf4f6-5a73-43a6-8e8d-1f06e3d5c7fa,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43ab72db-08e4-435a-97a8-c39882788cda,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b837615b-7a8d-429a-816b-7eb54e44f4f7,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8592afc2-011f-4a5a-85bd-814bbc6732c7,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,585f182c-2e68-45bf-bad3-76af6afd5a0f,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b84da924-6ff8-45fa-8aef-e2712f1c7b44,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2b2d93f-9e9b-41d2-9f01-d59e1ce345b8,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3613ae30-88ae-4535-a8c5-4aa220228b05,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e762ac-e169-486f-8678-3a1b1c2aed74,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5710345f-9af7-4202-a1f8-cbe4f7edea3f,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0cbe5e7-bf13-440e-8b05-8bdc6e8a2ef0,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\TEST1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20fd1e3e-8ddd-4ff8-a10e-3b08561930c0,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12f7ad7-4e93-4186-9641-95c444407226,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,103b141a-06bf-4e1b-ae14-a68a3bf61173,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5055f2f-9a46-4348-bdcf-61de95b7b4ed,"4/16/2021, 8:57:00.112 
AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6924 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,baeac26d-7aae-4a1e-93bf-0c62f69a7cc3,"4/16/2021, 8:47:52.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,71631c21-71d8-4b26-a3c6-843aa77ef86c,"4/16/2021, 8:47:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,34fb7350-2ac9-40d2-9a1a-10c1c5d947a3,"4/16/2021, 8:47:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf0ffd00-7539-4e57-96d0-01a75495c92d,"4/16/2021, 8:47:52.741 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a1fce91e-a45d-4d5f-bf97-04efe3c4397a,"4/16/2021, 8:47:52.741 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,860d0d07-eba7-4c40-8475-97646dd7124e,"4/16/2021, 8:47:52.741 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2c082b5-31e7-4507-a89c-e0afca1489c6,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7315b3f-3b1e-4c3d-a24a-ca2f12344a42,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e00b355b-b417-4c04-b3d1-a558dee18acc,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de12818a-0635-4fa5-acbf-e63285efcb89,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b4bbfa-5d6d-4f45-a3ba-b9515b0d0bab,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d215aa46-305d-479f-a5bb-059e524c6e4d,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5f994c9-bbcd-401b-bb93-63bc9615d1b6,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32be6d3-7fe8-450d-bdf4-78b2e7bf4bef,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58be95df-84b5-434c-8a4c-73c783a51575,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2322a28-bf88-4cf3-83fd-cebd68baf703,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03bd4519-aee2-464f-ac4b-efdc97a27e0f,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf08767-9a19-4966-a664-36eaa58c0a68,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb13bb7-fb82-4140-8184-6a24017d8b0f,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46966370-5ed8-4221-97b9-fcad2aca5a27,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1174d3a9-a40d-4764-9929-ce5c0c4e2433,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edc45436-b2e5-419f-919d-449291241c13,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7218a50-6324-4359-adf8-24e0f9d7ae42,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee12d4cb-da21-4c83-834f-d8b225131bb3,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59a1f513-d5de-46a6-a2d5-04fec67a7681,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8f0c052-3d63-4e55-9194-5f9f7a4deb42,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc855300-8d76-4a2b-9d3e-1b98132e2ae5,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b19cbb5-271f-487c-a76a-6688223583c0,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4496 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4e26dc28-c044-4192-a2e0-d77db3540d2b,"4/16/2021, 8:47:56.986 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e20f1e54-9d4e-4898-9012-a6e0b0806c83,"4/16/2021, 8:47:56.986 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dabea4fb-8d32-40c2-88ab-0cfb959e7ddf,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86296c37-7264-4504-9d2a-da7745be4e49,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa15548-3ae6-426b-9a5c-8dda84cbb6f8,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,564ad671-d59a-4d20-8539-1b364837f829,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e0dda6-1098-4168-84de-ca9202e614fa,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c99e8a18-fb76-4bcb-8c57-bf3272ded2fd,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3581fac-7a14-4cde-a15a-e9be8c024816,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79967c56-760f-4f7f-a4d1-8dedf05d577f,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70ace9f1-fcb1-4d00-bd39-6cbe6638914c,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a730ba9d-9c1f-40e4-9f4e-6921a290a552,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,871bfb69-dbeb-4e78-b6de-bb953240f474,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bd18908-9f0e-4719-8833-86d0aac2b580,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4f647d-2ec6-4e2b-b055-865aed469000,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d3c57e-3ccd-44a7-aa9a-6e4b681a3e4e,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b24239-800b-45ad-88ca-88178a0bd693,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af0e1274-8ea0-4660-bb9b-959715ae7d83,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ACC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dffe4243-776f-46a2-a89f-b5d9ae502f7a,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0efceb56-1af9-4075-ad29-398be6ad60e6,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0b2d762-921b-4a8d-92bf-d3fbbdaa7dc8,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9556d59-9dae-4a9a-af83-613466d8acce,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a55f091-8f76-4bc1-ae05-7e4a84460773,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b41c3b96-d3d1-4aff-8d8a-16c914c5fea3,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,752e47c1-fdd1-43b7-8a00-2686ddfbf250,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70ba7392-6691-4791-bf96-0d9050c6bc07,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f810b61-4548-4d46-9d90-27ed7e9dac77,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d96a2f5-d1b1-413d-8e6d-4d5baaf3e499,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09962384-9e9f-467f-aa2c-763eb4ac2769,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7903d5e4-4413-4c2b-b6eb-c056f95d170c,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b9e02c3-00ec-4f9e-8427-dc0865ddb457,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81086513-06f2-4f36-912e-b42841bba9ab,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2cc3d3c-f3a0-413f-b8cc-6093f9c5061d,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c0e066f-165b-4d05-ae53-4e5922785ecb,"4/16/2021, 8:48:03.620 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f79490d5-b87f-488b-bee2-1241adda7b73,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\AAHZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2771e2f-5427-4ef0-b2db-56aea363fb5e,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0487c74f-f781-4771-8439-f900dfc057fd,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74fbefdd-984c-4290-a1fe-2d905aacbc81,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,931629bb-7c3c-4190-9d0c-abc0aee973dc,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,562addbc-df19-4d90-96ea-ac6988fa2f8f,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d21ec3e3-a667-4ba7-bcdd-8622cf5b51fc,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c5ad168-97fc-4627-8cc3-97824122e0d7,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddf9fcd6-3b54-4e65-8abe-84c52545cd47,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abf3338d-54e3-438c-a391-53b79d6c4167,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9839e658-09fa-402c-90b7-8619d7aab8ae,"4/16/2021, 
8:48:03.620 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0373ce3d-3045-40f8-b6ab-9a91bd213c6c,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf2cd56f-14a9-4d61-bab1-63ea6658ba98,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8dcaa1e-a9f3-48b2-8a95-a54dbca8f921,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,613f3098-4e32-4866-9033-41b776ff7f33,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a3271407-3cb5-49ea-81c4-12c7ab1612c1,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,65b8b11c-a0de-45c1-8045-8155ec9f4070,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 
0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c5e7d413-edc3-4d63-bbd7-b7702d6e0351,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3f81bf2a-c3a9-4974-8662-0d1281daf226,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e864be67-d6aa-42af-93de-4751c83660e7,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2faa7a19-e96f-4245-9860-363c811f0f28,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5cc71232-5159-41ad-b61b-cde08688e198,"4/16/2021, 9:05:16.078 
AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2f764024-c080-42b5-bdda-59ee5239d72a,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6e2d966e-27c8-459d-a175-7144f201d662,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,91819802-a251-4135-9ff6-639978e6732e,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dd08a43a-340c-4eb8-9b02-98fa6ae57a7d,"4/16/2021, 9:05:16.078 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216ade6c-018d-4097-8154-eb1770c384d2,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5877a3dc-f596-43cd-890b-9db3ca88bde6,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88366b6f-a2bc-4eb9-9bfa-9e771e494bf7,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8533d109-e1bb-429a-a21b-5f7fc8951cd6,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,677eea7b-84af-4042-b72e-4abe4af1fcb4,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5db633f-eda6-48a5-ae80-777b1771484a,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d63ca7-dedd-4f5d-ae38-ec0dd071f91c,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a34fd22-2904-4832-9b3b-1c13a5bf97a7,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d541c30-8391-4c75-849d-0b31c24478df,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00f2f6b0-5b6c-4d98-994a-d2c15ceb98d5,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c93b79a0-a7ef-418a-829e-971212fad2b0,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d4539f-ac85-4a73-85ee-9b4a83f26696,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4934f63-417d-414e-a55d-24a5b3eda3d1,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68bda1c9-9e6e-4cd5-b801-f21d7e5a9e77,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ab91f5-6461-4459-bfb1-9093e4e15983,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2921373e-e83f-44ea-8d2f-80aab36e1544,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f27469d6-fbc4-4dc6-9929-f0a9e1dcd4a2,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85bdd42a-851f-4fc8-8673-168ea9180329,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,654219a5-9457-4bd7-a016-26c5ac45a83d,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4097564d-4887-4aeb-868f-78b5a49b5939,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49397c55-db2a-4c65-86ab-d496c1080277,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f5eaab-a424-45b4-a433-f15bf0e39c4a,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90ebb85f-57b6-4e42-8602-6ed568dbacea,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,78003b8f-e73a-4e47-9446-688a2fa3f21e,"4/16/2021, 8:48:08.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,59643d59-d706-422b-b1c6-3549f672eee1,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e6e5ac09-9787-48ee-893d-d1d4f56ce406,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,01a0256b-fa3e-4c00-9232-a5b3045352d6,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3dd9517e-98c7-4aa9-ba77-5be3f15d0304,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,39719b07-7bff-4c24-8ffc-a4928ba6e265,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft 
Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9ae438a-8b18-482d-ab68-71a5c4f8d708,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d783c69-f39b-485b-bde0-1577a56bf0bb,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dbce3eab-837e-45f1-adb6-fca351b1e822,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9edc1d4f-4c86-4167-b323-758d33da3150,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ef1e2ae3-01fa-4653-bf49-48968f664d7b,"4/16/2021, 8:48:08.057 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f349002-3f98-4636-8430-06ee2ee1452e,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,398753fa-edab-47ea-b1e2-450df99d6670,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67a7158b-d67b-40dc-aabc-3140291c5947,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4596ebb3-408c-45ad-964c-4ddf43e2cecd,"4/16/2021, 8:57:04.652 AM",,,,,,, +\ROOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7735c94-f692-4923-84d2-39413077bf7a,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,198653d8-b387-4f8f-a7a0-c39a99796c56,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f60ac48b-1bd7-44ea-b320-b0638cca861f,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c109f33-d9c4-4dd8-9176-f4bf1634e9a2,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3963c18e-9827-417e-a834-658bdbc8e22a,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a4288ac-1e17-4213-8a7f-c29cab17acbf,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c25e0b-263e-4e8d-8469-f7781fb197bb,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cdff5f1-b00d-4247-8dfd-f8701ea91ba0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f2b777a-c1ea-4b32-adbd-a19cc711e71f,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c8761cd-bb30-41f0-866f-1e71ef903288,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89e769cf-3498-4693-b7d0-89585de12fd7,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d32a82f5-226c-44cc-bd52-d11c0019e7a0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13abca8a-d193-4981-b90b-d1c8954207a0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c4b8152-5bec-48a7-abc7-f67b00aacbb6,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ad189a9-16a3-4443-ab81-6f03b519db69,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56976598-6404-4475-aadb-5ebaeb618a22,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a480126-0f05-43ef-8593-0a61fec03f49,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbbb2f5-7f44-46bb-b4ad-68bc3e88483b,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f3bcf2-e8f1-4eac-b386-7c6213e1b6e5,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,306dc408-1d1f-40d3-a7de-7cd64ac73299,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae41114-b5b0-4f14-8df1-42c7f4114dd0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbebcbbb-3d0f-4707-ac06-3ce081bb62aa,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cbdd6ce-76a1-4755-a9e8-caf4ad7c122b,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4bfcfe4-67a0-4ff2-800c-95214d71cae5,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39ff7e3d-90a6-46b7-a644-5fa18884bf92,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13aa4c7d-07ad-4245-9ee5-7fc79e3d9d2b,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc00c2c7-fb17-4f7f-8625-4d10ad2a2aa6,"4/16/2021, 8:40:52.509 AM",,,,,NTLM,, +\SUPPORT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a089d7e-441c-45ed-aca8-1d770edf1a14,"4/16/2021, 
8:40:52.509 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,31c9b062-4bc6-4f07-89a7-d31f29fef912,"4/16/2021, 8:40:52.509 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1bf5a7d3-ba9e-4927-b70a-b9f172afc186,"4/16/2021, 8:40:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a9f39aa3-4966-41a3-b3a8-627c2f82886c,"4/16/2021, 8:40:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5420 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e67a8c1d-11e0-4c87-b367-bad25dcb9a0d,"4/16/2021, 8:40:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 
0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,576890cb-49ef-4616-9daf-87ef833ff2c5,"4/16/2021, 8:40:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,74cefede-8dca-45fe-b5b3-8f01691b06b8,"4/16/2021, 8:40:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8959f022-27f5-427f-a87a-5ea00e43c258,"4/16/2021, 8:40:52.739 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fea8e17-4cc1-4fdf-8ea1-9d6ad21e2c78,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6459b2a8-2632-40ef-992f-77ef802466af,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1b414d7-ebd6-4ec2-8093-f2c582e38545,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1ab90af-4adb-40a4-953f-4722fae61ea8,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66272a54-98ae-403b-8bee-1b130d697ec5,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352f2ee3-0005-4850-94c0-b0d0e4704b2d,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3841c673-f502-4eb9-8cb1-2520ccf0a276,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb02c52c-ad42-4204-affe-28f92e85d153,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5690a8fb-d8e1-44ed-93be-7ffa00a4b8af,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\CRESCENT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56522035-8c25-49f1-a3c8-394517c8c299,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,182bc085-b92f-477e-b5d1-972d75868f4c,"4/16/2021, 8:40:57.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01100244-919f-44a9-b89c-4034779e6bfb,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137c5788-9b60-4629-aa85-921e721b41e3,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47040401-09c3-408d-9b15-0ae8191c1ec2,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ba4bb62-e49d-4885-9f58-5fb9b1611551,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37c974f0-3daa-400e-8db9-224d4098374c,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17db49b9-0bcd-4c1b-be84-325edf089218,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61500459-e7bc-4d16-b13e-772f00baf6f1,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,905d952a-1307-4ad7-82af-f7325327c098,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b10b1a2-3357-4968-9128-e3dcac9633d1,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0185749-03df-4c23-a252-2030958bcb5f,"4/16/2021, 8:57:04.652 
AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d7bee72-3e2b-489c-a8b6-ac8f3f504f26,"4/16/2021, 8:57:04.652 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7def9b7f-cab7-43f6-82c1-c559ddce0dfd,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13e46855-994f-4872-9995-b60ad015b8d3,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,febc323a-422c-4d77-8c06-5c267301cc11,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5deed450-8016-4542-b48b-aa261168baf6,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb6944b8-ef74-401b-93ac-09eea0c4fd50,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ce513f4e-bdf3-4e60-a7f8-69c2f4267310,"4/16/2021, 8:48:08.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4c0ef5e2-6476-4601-9e86-a11505100cbf,"4/16/2021, 8:48:08.862 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c44e8752-65d0-4888-8601-1f1b45ff3ec6,"4/16/2021, 8:48:08.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5020 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,537328e8-3b60-41d6-81b3-71a9faac1cc3,"4/16/2021, 8:48:08.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5e97da92-b69f-42a1-930b-b3c25ad18bb8,"4/16/2021, 8:48:08.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dc2eae24-7a4b-49cc-9dcc-6e4ddcad37d6,"4/16/2021, 8:48:08.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95db5483-7deb-4614-8b6b-873fe1c68b17,"4/16/2021, 8:48:08.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1f98930a-06d4-4eb0-b535-43e5b00a9fec,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b5f8f4d5-30fb-4edd-88e3-0c988b8d1f90,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,897d7c66-cda2-4da8-98bb-5b139d5aeed1,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - 
An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4a2075d6-20c7-4ee0-97b1-d7f66e2deb92,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bf1c44a1-974b-40bc-bca3-2cd049c9396a,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2b6c34ea-d82c-4ea0-a3bf-7575f9ee9c4a,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1a1048e-d180-4197-b204-a7335ac0cfdb,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b4e0db46-b912-4bed-8f60-07c4dde74d78,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,526b2d2a-66bc-4928-902a-4686eb4d2d44,"4/16/2021, 
8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f4177ad7-56a7-4405-95c1-d5d8ad0af370,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,74599a3a-ebe2-49e8-87ad-d724a61d93dd,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,79b96ffd-db4a-444b-99d1-219d12908a59,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8e2e7c72-a421-48e7-a8f2-f98ab4696779,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,005002ec-9b99-4ffb-bae0-aaa81adc879b,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of 
{__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c817a146-3347-46d1-a91e-8591ad9acf05,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,732bd88b-e996-4263-9190-7be9dc8577d1,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5e215859-0273-461c-8e92-40ecef5fa2fe,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,489b927e-6c87-496d-a174-a0ed524c5ac3,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cbb2c572-7034-4993-b9d7-4272441885ef,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e25b0fe8-4fc0-4647-aa36-0dfadfd966c6,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c4a501d-a0fe-4484-bae2-ea8e93b3529b,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6e507d5f-e959-49c4-9255-f02be9ed0c1e,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c1f7e004-7925-40bc-a012-e5673f6c6ac2,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d93a3fe1-c7f9-4473-8fb5-d667da96ef27,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1e755c4-deba-4ac2-a5f2-2608746f40b5,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aabf98e6-3e57-4daf-8a2b-4a7e3d96fb98,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0b3649a-b7b5-4bc3-b14f-d180249ff85d,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b68ed86-2ea0-424d-b84e-a80f65576fc0,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcc73a28-0379-4132-80d0-22da75a62a19,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47055872-9636-4438-8903-40cb7ba7123e,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e328bed6-e5ec-4cd3-8f13-ad882abf92ac,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d958168-bca0-42b6-9250-412f30163bf1,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82585ede-0b52-47f7-9849-83d8b84abcfb,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59201407-278c-4a14-9687-14ecd558d090,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21b88dde-9b59-4ff7-a924-76aaa50cd781,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d701c9f-a8cc-4d6a-a91e-549bd1799e5c,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9aff055-2a01-4737-9a18-ae1de6e06af3,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, 
+\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cb9757b-7713-4137-a6d4-375573bd803e,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39fa70b2-bd42-4bbf-ae63-bcd74690fdaf,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3d87ee9-d565-4ae1-a29d-10d953a0df25,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17d78669-f8f1-4482-a463-a8fdb92b5749,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b64b984-83d2-466d-ad5d-ea14b35966a5,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0a5774d-922e-4068-a154-4147df7ea873,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad8e3ca3-9152-41d5-844e-5dcc50b53501,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,119cf06b-f229-433a-a02a-ea77cb9b3ee6,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e492dcd-026b-45a7-9e8c-86823691dc05,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3f0bd84-42be-48dd-9302-7eb197aebf6c,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,448e10a2-25df-4411-9a24-32065cc223f1,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08c96612-9a82-4a4d-9c8f-d302c274d7da,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2aabb02b-526f-4521-9969-d05305667c2e,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf48d61-1b57-46e1-bd50-2eb418eb652f,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,052ed5db-118f-4344-b4e6-a988da7457bf,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b8a479c-b08c-40a0-aa68-a760b7c8f9a7,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8a8a58f-376f-4604-a149-ae36d5156713,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05f449a5-2feb-478c-a9d2-d248da964aab,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e2a3135-f076-4e11-a6a8-2ce571646617,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47de0e65-3ea5-42b4-8195-8c248a6654a0,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36a8a8ff-1278-4f35-9356-bd38a795fe45,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80df8ff-ff03-4c08-b17b-230906de0465,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea32d0ab-9e02-46b5-8e90-9cd59e5f93e4,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc509068-7be0-45bd-a7fb-71844c0234f5,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,518c73f3-2c2e-4d72-aaa9-c7b8a05c0e23,"4/16/2021, 8:48:12.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13e0b949-7ca4-4192-baec-55785294dec4,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e8807d-738c-46c8-914b-868e9ba95277,"4/16/2021, 8:48:12.109 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c73d071-53f1-4184-af17-697059eb42e5,"4/16/2021, 8:48:12.109 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b388c5c-8bf0-4a56-b02f-fbe964a36ebe,"4/16/2021, 8:48:12.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe8ff9ed-4ec1-45f2-abf3-15bcd5f87b52,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b673c026-626f-44d0-9bf6-54e64c2513c6,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,771eed9f-cbae-4a3c-bf63-80e8cac126e3,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4412 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a39a11a1-5518-45a0-9514-ff41231e0971,"4/16/2021, 8:48:12.109 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7528 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d626b5e5-eac6-449f-a82a-ef46a7fdbbb8,"4/16/2021, 8:48:12.109 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc0fc85f-45c9-4449-bfd0-4c2d7b8bf9d4,"4/16/2021, 8:48:13.408 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,637c05ff-4406-447f-842a-9a7b36950990,"4/16/2021, 8:48:13.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 6204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e6f93ce8-60b9-4d24-8374-de9fda902df8,"4/16/2021, 8:48:13.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0348c905-84d8-4768-ba8c-59ab2598c7dd,"4/16/2021, 8:48:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1339953c-97cc-4105-8f08-7b3f49f57e1e,"4/16/2021, 8:48:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ffe5ac89-0bd5-4a52-952d-91a960c06691,"4/16/2021, 8:48:13.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,44dec685-c052-4a27-a9e9-ec856b12de22,"4/16/2021, 8:57:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6092 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dc4e67a6-8224-40f5-8a84-1ee64fa71647,"4/16/2021, 8:57:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,47e85599-701a-48a7-92c3-29b7eae3684e,"4/16/2021, 8:57:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c307e4c-27a6-425f-8bc6-0518e7768181,"4/16/2021, 8:57:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8b3a4b56-5222-4169-abb5-e4c47a9a876c,"4/16/2021, 8:57:09.862 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6752 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d594f2b-b2d1-43c9-bf43-85ce4cf1b369,"4/16/2021, 8:57:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3fa144ed-1b0c-4183-904c-9e30d0ed267c,"4/16/2021, 8:57:09.862 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d369d5b-631e-4642-9aa1-71e3f0fd2c47,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16b6d31d-178b-4101-898d-23516f9d8d17,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58731e72-4246-4fb7-b1f9-73c77bd54dc2,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9a88bbf-09b2-48bc-a130-247d80e11c17,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26ed72d8-625b-4736-9322-497a264950f2,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d057dc1-0ef1-46c7-988a-cd53bca7c3f1,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b271b16b-87f5-4720-9424-ba50f2991e61,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,468593e4-0319-4046-b95a-c6a32726ac7c,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b4eed92-7e43-40f4-a262-a0de53680a9f,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1beaf85d-062c-489a-bb89-3f5fea30a816,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11e930a2-b386-446a-9bbf-cc3890066fef,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79c76eef-0e36-40e8-8e4f-7d11f43daf4a,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,512b1a77-edd9-4315-9a0e-9e5a0c82e3a9,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\RUSLAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d61f9b36-11c3-458d-b434-f3414997a7fd,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28efed55-0703-4b8b-bddb-14b4ea87c1ea,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6fe899e-a3bf-462b-a74b-bae1b2386e71,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58a5fc1-d67a-42d5-89b2-de6af588792c,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3fb19e7-2501-44b6-9ab2-f74faf9364de,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f629199-1888-48fd-a1fb-11e404dac903,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41ff1f42-7f7c-4f50-8d7d-a492f9a1773d,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37dff4fb-8199-4dae-b32e-b0388d480651,"4/16/2021, 8:48:18.621 
AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a89802f1-a026-4c9c-b4b5-2fcf29af7ce9,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0e7b8d4-26ba-4ced-912a-da0eb4cbc0a3,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cd7e455-4006-48c7-b188-f8f2c080fb06,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,237e6098-d1cf-4bbd-8586-05ba2eadbfe7,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8b23fac-f45b-47a3-aeb1-4937370de231,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b59391c-9854-4511-be23-4ccac97597e5,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90e8416a-0fc0-47b7-af12-ba4d45a91604,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81a70046-e110-48ad-ae76-70f052776896,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d5093fb-b848-450b-8a4f-177ea0f8b173,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ea1747e-fc7b-4e21-847f-67dc1d3448a6,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3015f08-83e8-446d-b217-7bac55a7f11a,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,55704390-50b8-4b97-9066-02026c41b299,"4/16/2021, 9:05:23.120 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d413072d-b371-492e-b3c7-51a593bb4c55,"4/16/2021, 9:05:23.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d167fc05-6b68-42dd-995e-7298d06420a2,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf68bf7b-36b8-4eda-8060-21ca7bd4c1ca,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4756 + 22 + %SYSTEM32%\CSCRIPT.EXE + 
32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f45fc8e-a501-440a-bb78-3c7e0727c0f1,"4/16/2021, 9:05:23.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8952 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,02acf414-9db5-4422-a71a-c85bf508b10f,"4/16/2021, 9:05:23.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ca73af2-8ea4-4aa3-bf62-b29397699369,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ec1bcdd-aecd-4cc5-9213-75da28371354,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d728ecc2-cd12-43f1-b153-b1d97e3565be,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a43209d-d872-418f-a076-0708815bc6bb,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7407a70-db86-4d0f-9f71-15ab1c77253c,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318d7a4d-10c3-4213-95ad-da9131a6378e,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd306e6e-dcc5-4730-be14-9f5c3d5f6e01,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e25a890f-7f27-448a-9693-bf9bb381eae9,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9364 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5d44a485-a78e-4f12-86d1-c5562ebc1f5c,"4/16/2021, 8:53:49.264 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cd006efb-d83e-4bcd-81c3-6bb73d93d2eb,"4/16/2021, 8:53:49.264 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12032 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,911a5088-b8eb-4b2b-b57f-f2219e18454f,"4/16/2021, 8:53:49.264 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11924 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,55e31df0-d7c0-4d7f-ab3e-c2304d20dc02,"4/16/2021, 8:53:49.264 AM",,,,,,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e069e03-1b4a-45aa-95c4-d7cccfcd062b,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82eaf73-8efd-4a01-8c54-e796770f683a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd9b1fc0-dd92-4b8f-be66-ecaad1eef081,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,360034ad-7f71-459c-bc7f-3cb1efca4bd1,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83a8bc3-325c-4db4-987a-aae2553ab9f1,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d87fd997-6740-4d7a-9108-f5d675190e3b,"4/16/2021, 8:48:19.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693fb513-78c8-44bb-8228-4f9df752e8d9,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3784 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,37f9ce9b-0e05-42e0-adfd-885037f6e0cb,"4/16/2021, 8:48:19.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8902e091-0a98-4f51-85ac-0d8e117dd49a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bef4f5a9-7018-4e5c-baa9-b918987e350a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad9ffe9-3853-4ddd-beb8-7bb3b06c3d9a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d09abd-ece2-47ca-8a7e-5353badfd447,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fffbe1d4-3cd1-49b1-bfe1-8210eccceb4a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbe94c7c-db7b-4acf-818f-edd876a5f896,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daed8efa-21e9-444d-8ba6-084f83881b0e,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ed628a-5464-4db6-9f9f-54d539066c66,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1c0dace-147c-4c19-8f53-5a89ccc718c7,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c37b94f-080c-4029-a3db-0df372d3e408,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76d93f2c-0d59-471b-aabc-0abea9f32ff2,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d918229-dbe5-4ff5-8037-a36a2e13ab5f,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55caa39d-c0cd-4703-a062-8843d121ec62,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e013c0b-107d-49ad-8633-22c18d39a4d8,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e356a9d-c216-44ab-8a99-9795b3d47374,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e6fd1cf-9241-4377-a37f-1ee4f2e99cec,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27db87a0-6158-40f5-b170-f3d6463119a6,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d30154ba-5b92-4b4a-b52e-8c249f4e8cb2,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,518cbddb-74fb-4ec7-bfa6-149f027e15d2,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3428 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ffd9a02f-3a90-43ec-ab62-cf32fd3a0c29,"4/16/2021, 8:48:21.547 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 
2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,275c01af-088c-424f-955d-259aaa2db02f,"4/16/2021, 8:48:21.547 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a6dace26-14b1-45ad-88f5-10b7c5a11112,"4/16/2021, 8:48:21.547 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,09979620-6544-4907-81ed-53b2c137a07d,"4/16/2021, 8:48:21.547 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9fa817d1-06a8-4389-b69c-34f922687071,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9580 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebe48ab6-0001-4475-8802-d9ef02e8cd5a,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2764 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 
117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,34ac25a2-7fdd-437f-9f83-fa0e5ef7e5c7,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9000 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3915df37-f7e4-41e4-bb75-e4767cc7b50b,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5568 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,07e8c9a9-67fd-48df-b6d0-d25072c34683,"4/16/2021, 8:48:29.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1780 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,58ca33a5-f790-4cb6-ac4e-2fe27533e369,"4/16/2021, 8:48:29.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7c78122-0e01-4a53-b023-20b1e487a175,"4/16/2021, 8:48:29.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa387a58-2565-4266-a108-4db62ee785b0,"4/16/2021, 8:48:29.108 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,802a0a58-a1f8-45e1-98f2-57dee9135dd8,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8f5c3f0-2896-453f-89d2-a8d1ebdedfb0,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ff8e58e-b91a-4039-855c-5f4dbfad11d4,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0f07989-f49a-4cb6-a446-881d9efdae96,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4860435c-74a3-45db-b325-b40215526c83,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a440d888-86c7-49db-86fd-288cf4d7d2d9,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fea4a41c-9a1d-4f1e-991c-9b3824969231,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b7d93c-38c1-45c6-8c2c-26b418aa048b,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14b2a942-742e-46ec-bc5b-bf2377bf2a4f,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe5e9c4-ec4f-4520-8850-865df18305c5,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61502b3e-c7e1-4844-b590-13494d230bbc,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9333670-01f9-4702-a5f3-f5e431b82129,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b9e886-ed49-4d1f-9b40-88a3677a3831,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76776d91-44e2-4d98-881c-0ef45a6fadb4,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b956de4-8c17-487f-a2ad-309b9727a9f0,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b4ce8c8-85db-44d4-b147-31242a7bb93b,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96f6b354-d48a-415c-960f-7d78b18deb0d,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1bf8d1c-3df8-44cc-9437-87a9fad73b33,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69815bcd-7dde-42d9-bd3d-c16618feb731,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,715868c0-4a83-479c-adce-b8fb88f4c457,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33a8a21a-ab4f-45d4-9ae1-1d4e4a952d54,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f182720e-29c4-4552-b7d4-af1777c65646,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfd2e5c0-160e-4477-86a1-6cc3ac3d02e6,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d22200a-1448-488b-bff1-6131add3e799,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72d1500a-12ae-44d4-9dfe-bf82c3c1f952,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14c6daf-0833-48c5-908a-05f7a3254c98,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22cbf730-4ff5-42cd-b2b0-628daa24e612,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dd4ee94-cd32-4f3f-8f08-7c3f6f058661,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c761fc8c-7a0a-46a4-8588-946b7cf1342f,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee424a94-dd33-4e92-9777-981d2effed4d,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7b9aeb4-3efd-4579-88a5-092479e40999,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dc84009-63b7-4427-855d-10294c6baeb0,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e241c8b9-0759-4d2d-ac90-bff63c28737d,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0369d4f6-4141-4533-89ca-b35708783768,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15b33002-975a-45d7-acd3-a2190a17cd45,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b2af7a-e5f4-4d56-bc07-885e2e8bc23a,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44cb49fc-0a8d-4655-801c-fb848e6849be,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f95ea3d4-cc75-492e-8c62-044d663d8558,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c06646e-f727-479f-97ca-497dee512fc5,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7488e442-4d19-4081-b405-828b4083a05b,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc5b07eb-cf01-4e60-b2df-837a7fcef9bf,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48bf917c-63ff-4c4f-a9fc-22ad8fe32d33,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2db1628a-a81a-4530-b7a6-1f679eeff628,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e46949c-4de2-4272-96ad-288f07dcc6dd,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0426151-ea04-4415-ae5c-cdda6330df2a,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,983755d5-8887-415d-9ea1-fa0af73414bd,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac7e299e-4140-4c3b-9f3d-5229122824da,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5868ba8b-58e1-42de-8e42-d6dd4818a992,"4/16/2021, 8:57:17.733 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4036 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 356D1FC495BBA123EE99EEB2389FB641779AC8E789C2883AC16F26376B3D8081 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.18362.1379 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,61acf026-e4a5-497e-b763-003766ba7547,"4/16/2021, 8:57:17.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4c204e0f-2eee-49f8-86f8-a5c71b078620,"4/16/2021, 8:57:17.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6624 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a6d14b5f-39b1-487b-b050-47b60f3c27a4,"4/16/2021, 8:57:17.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,60a6d498-73ed-45a3-b810-842cd3b1d9dc,"4/16/2021, 8:53:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b9311c7a-f75b-4422-b067-dfa6d494884a,"4/16/2021, 8:53:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7060 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dab2a34d-90cf-4bfc-99d9-0ed5995ac679,"4/16/2021, 8:53:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3040 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e67cd458-0f6e-4484-a48d-43fa18d9ef1f,"4/16/2021, 8:53:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,eeec3ca5-8bfe-4905-bba7-b01ec95adc06,"4/16/2021, 8:53:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4b4a313e-d81d-4929-a01c-57c65e0f20db,"4/16/2021, 8:53:52.739 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,77058c31-975e-44bc-9b8a-29ed235e3237,"4/16/2021, 9:05:31.872 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c8ad90d5-cfc4-4243-bc76-8bfa76eec5eb,"4/16/2021, 9:05:31.872 
AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24184285 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6b6037b1-85f2-4514-b209-474d4ec851a7,"4/16/2021, 9:05:31.872 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c9d94bbc-8827-487e-9cc8-61d887c24a94,"4/16/2021, 9:05:31.872 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bc7567e3-90ff-4a6a-ae53-b580072f5207,"4/16/2021, 9:05:31.872 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,e1581970-e51f-49ea-a650-954a7b6ad3d5,"4/16/2021, 9:05:31.872 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b9ddeae-8733-48a6-b0be-eb660598e2fd,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06869ed2-29b1-4e0c-a5b1-f73fe7b05258,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb0a5c58-8709-495b-95e9-a8cdfd300b5d,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,1114c7a3-61d6-495c-bac4-174e61d7edc6,"4/16/2021, 8:48:36.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4e0d536-e36d-47b2-9a1f-4d701ab3c7cc,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b672b2-d82b-457f-b7f0-dc74b043c1b3,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba49ab1-3465-4624-a2e3-242fbfe2dbe9,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17c1a9a8-110f-4add-badf-82f0c458dc59,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe0aa3c-befa-448f-ad37-8e038cb88cc1,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e8c5d75-c673-4783-9b1b-0d168369173a,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02a1b50-7dac-4284-9b49-947253db3fc2,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT1320M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT240M</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> 
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fb1dc5b-84b7-4ee1-877c-a1505f57d250,"4/16/2021, 8:40:57.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,739f3dbf-f58d-4d6a-99a2-ae063a7f7d83,"4/16/2021, 8:40:57.142 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,7895e236-9b9a-48e7-a47f-4adfb55c1a90,"4/16/2021, 8:40:57.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e40bedbd-9fcb-40f4-892c-bb43002226b8,"4/16/2021, 8:40:57.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT22H</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT4H</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> 
<RunLevel>LeastPrivilege</RunLevel> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813697152 + 3760 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,bab30a1d-d422-435e-a918-69406ca782ae,"4/16/2021, 8:40:57.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8146aee7-a95b-4459-a7c5-594542dd205e,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> 
</RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT1320M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT240M</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,553e4ac3-5c78-4916-8c02-bd82e902e384,"4/16/2021, 8:40:57.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> 
<URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT22H</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT4H</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813697152 + 3760 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,bacff23a-c551-41da-94e3-0a884c2f1491,"4/16/2021, 8:40:57.142 AM",,,,,,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\AC Power Download + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" 
xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\AC Power Download</URI> </RegistrationInfo> <Triggers> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01000000</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine> <WakeToRun>true</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartDownload</Arguments> </Exec> </Actions> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> </Task> + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4698,4698 - A scheduled task was created.,41502da5-21b7-48ec-81c9-baeea8d7d669,54361f73-7338-4895-a128-1abd54694845,"4/16/2021, 8:40:57.142 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,468e040b-e435-4eac-8327-56e0b03c3cbd,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac70a84-1c3c-491f-bfda-86bb04b5204e,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7260 + 24 + %SYSTEM32%\USOCLIENT.EXE + 32 + A314458338BF571D155F76D519341F55B387C6049EC07C7ABADD8F543D333A12 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCLIENT\10.0.17763.1007 + 0x3e7 + 33 + C:\windows\system32\usoclient.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,00d11525-a636-4159-a9e8-89aed4655b7e,"4/16/2021, 8:40:57.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3760 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2a7f7f-41f1-4101-ade1-b0c9fd667704,"4/16/2021, 8:40:57.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4db1d6-9f0c-4070-b526-efc9d6891a41,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae247e1f-5cc6-4870-ad99-9032b8974118,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\AC Power Download + + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4699,4699 - A scheduled task was deleted.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5cf9482-37e6-4536-8d11-9aa701264c18,"4/16/2021, 8:41:05.099 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f85684f-550b-4174-a266-0f730e288040,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65ee09b7-6946-45c8-b0c3-e9d42bb472a6,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afadcfc6-add3-46a4-96dd-b6857a83d335,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a26fa67-a614-4bc4-812b-fb07e4ca6e25,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5138233-d876-4020-90d7-1398ff4e5a19,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dd706cc-15ea-4b98-a0d2-e5e2a188dfa7,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37e5f988-fac0-495a-b603-fe670708aac1,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,463feb4c-e04f-443d-a18e-5b3dae032191,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfb60fb-2af6-4eaa-b5f8-b6f1c526f13a,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a51015cf-3ee1-448d-b90a-d9b2fce8a35e,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f326e6eb-856b-4124-ba2f-0f0a3328cb0e,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99bb2699-79dd-4f4e-a4d3-43599acfb25c,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29072b44-5372-48fc-8422-66ab51bae2a0,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5b25307-5c50-4b59-979a-b56225ef2438,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95652cb9-dd88-47c4-be8e-694a916df6a9,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a32f572c-9204-409e-8c78-0c888e13f627,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55f231ed-37ff-4647-88ac-60e7c38923df,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbed40e3-fc8c-47e8-b0b5-9a0c8b8e501a,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,142f7372-9867-47b0-8b61-af01707d6c96,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4884f37-a8a4-4047-8578-4b472d224c20,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c65b85a3-b277-44da-8e45-c927aa00c27f,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\WRADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09ed5fec-7e9f-415a-822a-dcea0709b54d,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77a31009-f188-4175-bea2-b2309efad19b,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6244447-f385-4a3a-848e-945db3710436,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a82622ba-a96c-4b32-80a2-ab07533a2546,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea4357c0-1388-494d-97fa-636758392512,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,259fe89b-abce-43be-8a0e-a4371c9b7c38,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abf49060-f57f-45df-a34d-6dd0f1064588,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a80eea95-f646-4463-bdd4-1b9932df3ad0,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67e7c046-6ccd-4536-b639-b3816ad5f33d,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16ea2e5a-18f6-4a7a-8fe4-5ef8cb864ab5,"4/16/2021, 8:41:08.598 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,514b3501-9e69-4317-b5bf-d2c087282fcb,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f0da5ab-02eb-471b-91f1-54bada9fd720,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57ac40c0-8abc-4d97-a6d6-93c7057e14cc,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cce78040-c20a-4070-9ff0-d7f785af5a61,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f53f1f4-9fae-458e-a220-17b6f820ccd1,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,591d29b3-dab6-4446-966f-2f7e8513f906,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1bb019-b475-4072-b300-67dafc4286b6,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f10f1bf9-85ad-401e-bb87-0ee29b380c09,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d78bd8-6db4-4c4a-a8f1-8c4bffb52f4b,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d50cfd00-9221-474c-aa6e-fe63a9eb5354,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,534ff8f0-0439-4db1-abc9-be4b5e8d534f,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4bd86d2-f20b-4fb1-8c25-6deee18a181b,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e000842-ed44-4f1f-b385-5e7fb24cb7c9,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54745ea2-cdd3-40dd-ae03-76d810211005,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc696a1f-bcd0-4379-bc17-4740c380ccc0,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10c4a6fc-e960-4241-97d9-048a823ea7b7,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27935c56-6242-4997-89b5-80a13fbf623e,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21d0f3f-f3f5-4c4b-9f75-5b567a32d5eb,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,026b06b5-271f-4162-86bf-9f4562e22580,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02338001-4b99-4234-bd28-6644e66622bb,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c4cc33c-402d-4a02-bd6e-0b05f0ea3289,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248a73e4-a700-4158-a975-76769d159432,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b7f0c0c-27d6-4785-94f0-c51808662ce5,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dd10e40-9560-4f2e-8b8d-548d09552ace,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac600869-87b5-4e45-904a-16633fb1ee19,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc10201-8473-4260-87ae-a28da15bc946,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca11c453-95d0-4ef9-b6bb-cb694acf1b55,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,addbb05f-d0c7-41c2-af45-30447c594197,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ec57a94-995c-4284-bd05-f217717900c4,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93effe31-a26e-4459-8054-f28b0a53c714,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50774b92-35c2-420b-879c-6841e3dd58a8,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f45a4ed-9464-4fdb-ae0c-12bcd482dccf,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a20c661-cef2-472f-84c6-66c2b1db1ba3,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0e711d3-4528-4ae2-a704-5299b374298a,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc44b5f-61a3-4760-af48-4a969b578d3a,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,395783ad-ac4e-4615-b498-4e973217c4a9,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3a4e844e-aef3-4a0e-8996-f85b1a9c6d35,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0526a359-0bc1-420e-9ad1-268d2bf89474,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4abbbf0-a1a4-488e-bfa1-64365eb42119,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b512019-39c8-49d3-98d9-09a93d144215,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9ed98a8-e544-45fe-8941-a2ed52d30399,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,003c4adc-a217-4a92-9494-70b90479b4af,"4/16/2021, 8:41:16.044 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5117f6ae-f326-4589-b727-9733d023ed2b,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4fb1b23-129c-4b91-b065-f9bff7660111,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2536a7b5-d4ca-4c4d-a53d-943b4912eab6,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2a70fdaf-9887-446e-be82-793b43d44705,"4/16/2021, 8:41:16.044 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6292e194-ac5c-4860-82fd-602f749922a3,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa478250-9c37-4764-b5eb-495d37d335c1,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de537989-e9e5-4025-bb19-b9b1374c6f76,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66d206b7-f6bd-4d71-b8a1-f929419c2152,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54333639-31dc-4041-bc60-4d40e914ccac,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f07ab9-5c6c-40c9-9e2f-4cf4c9f1c335,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\OVX,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a129f9d8-4897-4ded-b25f-af11f1a30a93,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d72eb97-693c-4313-abc1-a0604f4f55f2,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad88a639-ecf0-4e60-b5b1-3d783aeb47d7,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ade7f1d-3002-4b66-9a76-d60664df3869,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,962d1570-2284-439d-b3f6-a88c7dd10b63,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2abcf471-99df-4023-9efe-75106968bc65,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ccb8f91-caf1-4be3-9fa4-4084f592e2f5,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0d638f2-68bf-45d7-8170-fc105eb894fc,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcd7b5dc-dafa-4afb-a5b7-3afd74351fa4,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14dbbaf-21b8-4866-ad17-c06d456a22c8,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e9641bb-c5a9-492c-957e-57546c3a6410,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29001c68-605a-4bf7-ae29-f181d61d4d94,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df3b6c88-f5b9-4b84-afe6-c47ef90f167b,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e26653e0-be44-4f4b-badf-917db074695f,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a1fe471-8809-4099-a5b5-0d805fa598fc,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bae502b8-d15c-4444-9704-98d555b7f3cf,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9543cf7-58ae-425c-a611-f08dcd658ba3,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50d796ba-3c9d-4915-8985-25c24b75ecb2,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f72495-f945-40eb-b4b1-871fbb27d3c6,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,630a2026-09ca-4c61-b600-93fe21331a98,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\OFICINA2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,965ae4db-5ffb-4db8-b8e9-5b73ff5d7a93,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1c6d36-0cfd-4fd5-9577-f219ba66dec4,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b4b7ce8-69b9-4082-947d-471b30dd3998,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,414b5e06-00f5-43d9-b060-3a8ceaf71475,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dbbf125-a711-4a24-860c-4a7ed1d636f6,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,454e275c-9550-43ba-b33b-0c681d6c2e28,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c13ff1a-bd68-4f01-907b-40613ba4015b,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7beb90e0-2a89-4d0e-a3d2-93980fee9f6c,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e6110c3a-7aae-4699-9295-83ef2115aeb3,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ce35abad-2c17-4507-967d-3c79172b7cb1,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,034c959f-916b-42f6-ac90-7afebe508417,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a69c8074-01ba-4829-a20b-80bd025d0eed,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ab8cf077-f1a0-4e5a-b9a0-737e357d03f8,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f72e8fd-8bd6-4f77-b5d8-1874ac741fe0,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,737a6061-9d01-4821-9ca5-cadfa959ed7d,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,67d1fa40-0fef-472d-ab4f-554d7f3f7e76,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,15de7b0d-7bed-44a1-a346-65e940ba9b1c,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5e4acc9c-1c4a-4ba2-a03b-90ddeac1268f,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read 
(ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dfb999bc-86e4-486e-8c2d-c90aba76646e,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9d9e6014-a823-4766-bf5c-6cef2bacc8ab,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,574a6f91-47db-46ca-b177-5eaecb9c31f0,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5ff1caf4-d776-4940-99b0-a455b649cd18,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8d678d16-ce98-4308-8122-49f6b925aaa2,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e760ca01-aeaf-4ed2-8f1e-6c43fb4f42c1,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,806a24ab-3fa0-4624-9312-4e70dc405e50,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1c86db38-eda7-4adf-99fe-a62422bb3083,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0a8f4903-1960-4fd3-95bf-09419646c335,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,283ffd6b-da5e-4d17-b023-21a35df4500b,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2d094a58-cdf2-4fad-bdae-3e328fadcff3,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c368792e-882c-4c36-8e26-f2327cd33c9e,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5ea807e5-c6e3-4fec-9249-e013e570af7e,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8de056ce-946d-4310-8de7-5106e8e84cc1,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6f7427d4-29ff-461b-acb6-1f07f07b4fdc,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4f2e4ea2-f481-49a8-ab43-bd0451223b94,"4/16/2021, 8:48:32.872 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7d49a807-81c3-44c2-9231-c16755dcd126,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8b2c4855-5be4-430a-8777-306b4deae3c1,"4/16/2021, 8:48:32.872 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fdf8947f-ff5b-4b12-9672-62ad69452160,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11312 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1b59b50e-3159-4134-abf6-41516da75a54,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8632 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d6e9b5dd-4e40-4586-9679-0e7e0b078eb3,"4/16/2021, 8:48:32.872 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e6beb2d6-6f50-45ae-9253-84ca3f966278,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10624 + 76 + 
%PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dc5afe5f-1b90-4e22-b530-255dced2ba96,"4/16/2021, 8:48:32.872 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,97f10c12-8c8e-4fbd-9a66-b2cb1c842ea2,"4/16/2021, 8:48:32.872 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d30efcaf-d191-42de-8530-53e4725b9e75,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3741abb-f818-494f-8ef1-733790a8c92e,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdcea8d3-0017-41e6-b407-810187302320,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfb42d64-3fa1-41e6-83ce-ebc2de9f76d3,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c98c840-1774-4e89-a881-80f9ffb550fc,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948538d0-90da-47ac-a5b9-997579d2ac6a,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42328b2c-1058-467d-84d9-33536d873210,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,318f4ead-80ab-46c2-9710-29c47b3b9c37,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba8f1ef0-1cde-478c-9ed1-c92a87f66a7e,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd8222bd-3cc3-4989-b493-17c646e26421,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afae9770-d377-4320-a67b-edc0bbd35109,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd38e60-77f8-4e1e-9730-b3b52bc2083e,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af3f2c65-d398-4724-8d51-9548858d2789,"4/16/2021, 8:48:37.625 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e63f6cf-2765-488a-9345-78d7e8ec3e2b,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b3909b7-50ba-4716-8422-e4ee4234ffc1,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dcd8fe2-d970-42b3-810a-e88c2285b459,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db807c71-2d46-4a46-a579-cd96aa36af01,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6689f40b-cf1c-4ead-9d40-8effc4336a3d,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9c9c7d-9af1-4e16-a49e-51cad5e7f75f,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9fc728f-a3c2-4b43-8042-4540805bb479,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb0cc510-59d9-48e4-b076-c2c47885b68a,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d698a53-26da-4211-b93c-61fea963194a,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,851327fd-573d-4636-8383-9fbabd338408,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aecc058a-5ef5-422e-b499-21bd7a764c2d,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6db3e232-0319-4154-bb27-4dcf2eae1662,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b608fbe4-ca16-4221-bf7e-27c77f9db7bd,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92bed456-773f-4396-97d9-f4d9046a56d4,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de0ce874-478b-4101-8c8b-007573ece079,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe39341-6d80-4c6e-8b1f-41d8854d3e41,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,620a4ffb-dcb5-4e9a-8e63-3088df16538e,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae44de8f-9166-48ce-92b8-7bd6a15da3c4,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a3bfc51-f165-45c4-afec-a9118115c3f2,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce924529-fed0-47ef-bae0-0d6301057707,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f3448ac-5e85-4e24-84c2-bc101ebc09a2,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,350ec951-66cc-4ddf-9199-31f53a965811,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad2059f-f744-47b2-a4fb-5f740a69c03f,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c051c98-292c-4198-ae05-e5676ccdffa0,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80934e6-4e24-43de-b49e-12ddbb6029be,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760e16e7-1e4c-4dfb-b767-fc69b25b81ea,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02fb4cc6-3d01-4342-8144-ae11135b41da,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef3fcd8-186f-4cb0-97eb-2abe6c7741a7,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15d0259b-9230-4084-9c56-e6c429c62a14,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae7e19ff-35ae-429f-844c-87a9acd48a15,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bd0d88b-546d-446e-bfa1-3d0855f4fa75,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bda96c3d-8a8a-4a70-a2cf-4bf6b4cc7e38,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d349a3-522b-402c-b1af-5931e985de0a,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,447263d2-5d64-47ea-90f9-6c09928f09d1,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e9867ea0-ded2-47cb-bc84-dbf41c16269a,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8460f623-18ac-42da-bb9c-6d4f9919519b,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,607ccb37-f30b-495d-aaad-030f068365c6,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,61d0132b-f6d4-45c2-af5b-3fdcba633523,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b0c715b6-8ac0-4eac-b14b-c1ea42f0644c,"4/16/2021, 8:48:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d648149c-5803-4f5a-941c-a9163850403c,"4/16/2021, 8:48:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3550a0ac-a272-4818-8437-7b31a43ce2b8,"4/16/2021, 8:48:43.048 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63a71906-128a-4d98-8a52-b7d2289506d1,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f00765a-c80a-4d61-af98-ba56d06b5a0d,"4/16/2021, 8:48:49.107 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d38a241-0539-437a-a0b9-95f9e5c3f248,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5ac98d0-2b50-47a0-96b3-349aeaa2d3c0,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3877603f-890a-454e-9c30-0a66a5be6668,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad57d881-7547-44fb-a30a-073f34a9dd26,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73db1235-d4fd-4126-9ce1-f1700656bde4,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e016c4e9-fd8a-4b5a-947d-d5246e64be6c,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98985912-bd41-4c7a-b16d-ad8481d39aa3,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88d36ed3-214b-443d-8a3d-5ac75598b415,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89fd2466-fa71-4d97-8427-5a93fd6a1069,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df368b4-2342-4474-8d96-21574145bab3,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b9affa7-b6dc-404d-a711-ff7a013f11b1,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6cbb3ce-8a76-425c-8931-c12c67bce2bf,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37fb9f90-7765-42c9-ac7a-d19c09d8f5bf,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78fdfa30-0fef-40d1-aa3c-8711c5e2f335,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c51ad45-90e6-48a8-8bf1-736822a348e5,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f88ec3e9-ac77-42e9-8dc8-72d405c3abae,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b13bb987-ee90-4757-bc50-4998d3a0ad61,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,284710f6-78f5-4528-9bae-67fdcaccbe9d,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2741048d-12fc-4271-bda0-a3217d516ef3,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30187b12-ff74-486b-b421-f4f7f018b7df,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19c62319-2aa9-4e79-bb2c-e3d69a7bbf5c,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c05551d-74bb-4d40-a538-6888764c052c,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7c4bfe0-d386-4805-a8a9-846d91c3e063,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeaf0dfa-8083-41ac-8dc9-c87b742d0f7a,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41657b98-d1b7-4266-bb20-9b806a0e0821,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9663836f-910f-4112-8109-30d482329e5b,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f87961a5-83f8-4cdb-b99b-7b1eb28200ba,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbee9ad7-edb2-4499-9430-9893cf89b862,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47ef5057-3178-42a0-848d-74cd2b44d417,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1da0acf9-a545-43a0-8aa3-42a73f207085,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3a9817-50f4-48cf-bda2-e4242d42474e,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e27d1c59-8073-4586-b07d-bc3268187339,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82d51bf2-eeb5-4aad-b216-2c88a62d8420,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,298b3354-39e8-4ac1-9d5e-1d69bca64a1d,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ee931b-3392-40b1-8919-c4ba4abd3d58,"4/16/2021, 8:57:23.111 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0835e892-091d-432b-b7e6-f3585fd976d9,"4/16/2021, 8:57:23.111 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8424 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cb7ac79-d706-4302-a630-a3341e24b8b0,"4/16/2021, 8:57:23.111 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5564 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,faca501e-c52b-4dbf-9502-809b07436589,"4/16/2021, 8:57:23.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9da94b-c592-455f-a415-e7d8c8271acf,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deec490d-7bd0-40a5-ae7a-4af00f4aac56,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bd2020f-94cb-4a54-b8e9-b32070e013dd,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d47eb9d-eaa7-43aa-b292-5c829511678b,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad4ba2b5-13d1-41b7-b3e9-cd9c79966201,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de0828f-6c49-4ce7-bedc-519ce703a2aa,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419d76ec-19a8-4e7c-9825-17be99b1764b,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02748b3b-a632-474c-b92f-ddf80fca41c6,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e88726-2fb1-47b2-9acc-01e3e7a2d965,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5920 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,866fd08e-d2b3-46f6-a3cc-75f69147fc11,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8128 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0e647a8a-0281-48ad-9d66-0471c4c5353e,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5716 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,812df333-d8d3-4b69-a517-2d6ff3e0999e,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5990f3f9-9b10-4b3b-b16a-5845397894a0,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13084 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A 
process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fbd913fa-e17a-4861-ae34-494c213f8afa,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,95b3e1a5-3dfc-4707-a6c5-883d6335b287,"4/16/2021, 8:48:49.331 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,261e89be-b9de-4d5d-9c06-cb1b483ec491,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1f09a5f-ff40-4865-b489-e77a4712e89e,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3684 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-14_172937\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\GuestAgent\FindVolume\FindVolume.exe 
+ +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e53245f7-334e-4fb3-adea-25b5090ad7ea,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6788 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ea0f2a74-ed56-41c5-b9a7-96d5fd655a5c,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6236 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-14_172937\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,61e7ec12-b7db-4964-af31-bedeb27e9dee,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4212 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,948831f2-8864-4c6b-a138-cffa6f4cec8e,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2a4cd791-7bd0-4b45-8eb2-89a527a3f192,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d4bdc13-8cfb-4af7-a046-9c308349b920,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7124 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\Windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8d7f367e-a3a4-44b3-965d-0d7d15d6ad07,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6060 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,239692df-b381-4895-922d-f64e2447b513,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,27b7c9f4-b2db-4b3b-937e-357fc069e00c,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a544f68b-b072-4e13-9efd-3d0463eccbf5,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3844 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a570b75c-5dfb-4f72-94b6-c4e0ae6f75d3,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5124 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6c63c3fa-3bf2-4702-8d46-e6b813fc4d0d,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,20fc8bd9-ddcc-4517-ac64-7c1daaa91301,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3992d4d8-051a-405a-91f8-266fe9182ec2,"4/16/2021, 8:53:54.868 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4080f07f-f459-4e60-a8d6-cb659a655397,"4/16/2021, 8:53:54.868 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a695b83b-0830-4078-a0b4-24480033ff41,"4/16/2021, 8:48:48.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,87021c0e-565d-493b-a7e5-2bbef2b0e5a8,"4/16/2021, 8:48:48.409 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1606c18-c967-4e50-bd1a-74e3e8f5676e,"4/16/2021, 8:48:48.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,036f5719-e75b-44e7-bd52-8a2d7814d391,"4/16/2021, 8:48:48.409 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30252b5c-9787-4db2-a4dd-3bf72d2a0b4a,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,def01fbd-0a15-4ada-b0f5-0f8fc2cc81aa,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7f524c8-2192-4248-ab1b-d88611e4ab9e,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6285ae-e6ea-4e47-bf4b-261d67f48f44,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3d9d8f0-5819-4750-8ce8-bea9e247f1e1,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2f9ed40-167b-451a-9cf9-a99c73a1321a,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,947355ad-8904-4610-8bcf-5960451716e2,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d87fb4ee-0a04-4167-8225-343c687f699f,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbe8312-bb5a-4166-88fe-7a3865b5ea69,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ef7c086-0e8d-44da-9ef6-f7e5d03446e2,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66e3b11-a1c1-4da0-b25e-867af46a0e80,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53cd9dd2-27db-4284-8662-4d2e25b077f2,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,49ffa6e2-8e1e-47ea-9b23-c9af79bc2805,"4/16/2021, 9:05:34.143 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67968d32-8c60-430f-83a4-265d97cd538f,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e6eb4f-cc23-4be6-a3bf-e7bb8abeabab,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ad7f97-93ba-4396-9d80-6f425b166483,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c92c0c31-072e-4beb-8973-a92b39dda788,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af4c89e-f014-4d20-b43d-912a46855445,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e87c97f-9023-42b9-85a2-da822e222fb8,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58350711-d41e-4f17-a64c-5798c2fc9bf7,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d5db663-3183-4d3d-ba48-b0db35cdcbac,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a674133-2a34-48db-8dc4-b911e5e77c88,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,724c8dc5-ecfb-4050-aff0-92cc6256d9ec,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\CRESCENT SPRINGS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7467b0e8-f1c9-454e-bbf1-61a168bb264a,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d2ea365-1da9-4096-9d3b-9828f878d545,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5624 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a1287787-c408-4b6b-8245-9faafda68b7b,"4/16/2021, 8:48:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5900 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0d52dc0b-2659-44e5-a7a3-bc8b7b624392,"4/16/2021, 8:48:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,02835ecd-7803-4e82-bbf6-ce12ea987657,"4/16/2021, 8:48:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f5c309e9-cb9b-4571-8777-495d49f55d9f,"4/16/2021, 8:48:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ee6422a4-934d-453d-b051-9ace2b337f9b,"4/16/2021, 8:48:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,de47771a-1009-4061-b5e8-f54e06ece2d3,"4/16/2021, 8:48:52.738 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3dd65a2-63ea-403f-a1bf-f1a1e71fa674,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a5422b8-d48c-4527-96b8-dc94cc08824b,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14c547b2-82f5-4001-b9b6-7e428a7135ff,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56f46aec-b017-4e33-be20-a368adc67b14,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e89f5b6-2424-4765-bf22-00f987a696ab,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,386e2052-497b-42f5-b3db-ad8ed8f71ec1,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,147e2a3c-34ed-43c0-aaa0-29464adb7d8f,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afa54bf1-f3b0-4e2f-a583-c41a0beed575,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9728a517-4977-4a33-81b6-0598aa96ad7f,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87d45a23-cbfa-44f2-b85a-01fd5a0faaf0,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5dfa1c1-9b4a-4270-985a-a82a73086e4c,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d189a995-dc9f-4dd2-9ffd-a616d5773ed8,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32cf1fb4-7831-45e9-9456-3a3ea2b21975,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d4eeb5f-aa41-4b42-9f18-2a0c790d7680,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad1d35e9-7737-4ec8-8381-20fafd0d58db,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e81cc8c6-ae9a-428e-9493-2477b466b22c,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8005c3ad-7f0b-4a03-a3f3-ad10ea08d77d,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed650c1c-22e9-4863-b7d4-1193b709298a,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3465b529-57dc-417b-82ec-f82984253427,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c46066df-e732-42e8-8c2f-d7a3fdb61357,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c07b648-ef34-44ec-9b93-56eef63beca9,"4/16/2021, 
8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d837c59-b6f0-45f4-a805-6f2e76c12298,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec3e00a-44f9-4ccf-878f-6bd198080fa2,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1c3177-2928-4931-97c6-84f8469f2c48,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,894e17e3-35fd-4a4c-9218-416ffbdcc958,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16fca4c9-77bc-4a18-90e4-f1996d8a57c9,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4765f1e9-74b0-4d37-8d3e-f8956424a5d7,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73cbbc7e-54ee-4488-a175-104978c282cd,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1f8daab-d0ec-49ef-a4a1-3b5c5d451abb,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0c03503-77bb-49ec-ba77-669d7cf2bd0a,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9527ee4b-7fe3-4728-9f2c-6d7a1a73e27d,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ac2f22-8e6a-449c-b454-4b372ae9b0b2,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ac9a3c8-2660-4bfa-82e5-43ce4af56639,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25ed30cc-f7a3-4f5e-8da8-2db28a0b7344,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93fb73ab-0e81-4d47-a0e3-99eb6a7d2567,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e94f5e7-4eb2-4a0e-a5de-c4a552b607d2,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b21db0-4388-48ad-b8b1-caef7a196724,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34b02cb-6cf3-456b-96ca-76e5f2dcf302,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1ba2df6-458e-408f-9ea8-3822b49dbcf3,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15789caf-5110-426c-ae17-03e9d8e89248,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cdcad2c-075e-4452-b8d1-dc4f52f93676,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51e21060-a123-4b11-85d4-90788186be82,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dadd415-4eb8-4529-8375-d536a1f4b81a,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ab897db-1e73-4f87-9dd2-3bf727f1d576,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3236f30-7587-4783-807d-36eb309d9460,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a971ac30-c1fd-4ca1-91a3-1f1a52b078ea,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80eeefce-b08e-474b-bce7-38f41a648033,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc32521c-048e-4f7e-8208-9ee309afd211,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba271561-7a4e-458b-9f34-ba23637f296f,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad4867a-56b8-4def-b1a0-e72629e87840,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc346ecc-6795-4f15-99bc-60276b6ef9f5,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9ce3dc-11e7-4630-acdc-1ab493cd1cf2,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46f9785a-e981-4523-993c-441571551d5d,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca726973-e5a9-4b0c-8ce4-c7fa5a26815f,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee8dad45-5346-450b-b17f-bdb35a04595c,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3ae6b9d-704b-4517-8df1-384a2e7a6fdf,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d277ce03-63a8-4039-90a3-6e6fc9bc33e9,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7657cd91-e803-4a16-af4e-3e1ec6495313,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f07f2f07-4627-4c2b-bdf9-29618c8b8c80,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd2b9834-3843-425e-a07d-c5d97504ef89,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a30b912f-8d9e-4552-9a1f-03f392c9c164,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa140981-b600-45a0-834a-692d90d85789,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25bb2fa2-48f3-4e53-aadb-fd0266e7c26a,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,652cc3f8-63a9-46ae-a440-3c5cb6ef36a9,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13e42895-f9fd-441a-93be-b0a3432ba651,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddff00c7-3b7d-4688-ac6a-c7bc8ed85fb3,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2844cce-4748-4d99-999b-c575a277c1a2,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0493035-a3be-43a3-98ce-b786f11d09b6,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5af1107b-190b-46cc-b96a-fa3f2bff1186,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51a1c26-a876-45c9-94f4-3a560a57ae85,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85b13578-675b-4beb-87c7-d1d0ed32e4c6,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48fda027-d68f-4daa-bb55-e9c2e0802089,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c51ec116-1076-4da3-b5df-0df8b3e2c4be,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15284 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4b44e1b3-cb72-4bc6-a176-327084a2dffc,"4/16/2021, 8:53:57.089 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4516 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,bbe2a532-a0bb-4850-b3ea-f06c1849ec2d,"4/16/2021, 8:53:57.089 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f834aa9a-1406-4f17-af94-32e163bf9a43,"4/16/2021, 8:48:56.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13520 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ccec598d-292f-40de-a8fd-9967e2da21ad,"4/16/2021, 8:48:56.991 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cfc6667-ec1e-449a-bc32-368e7e8ee091,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,637701aa-e5f8-4caf-8d6a-f924b9e2a36a,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0664d5b-bf9a-49b6-af73-4abd76fc8749,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7432d9c5-6de7-4766-97f1-d50352fbd138,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3e17da3-273f-4318-9f58-741e5d5de45b,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd4d7c29-a331-495a-87dc-9e783b98cc84,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,596fa81f-453d-4aea-9e27-366b70585cc7,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93bd3056-b97a-4e2c-bd7f-c6949537c418,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83f5c558-b0a9-4497-830b-8b4bb3f3b0ec,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4793e1a7-42e0-4cd9-98f1-cac46b2efa7c,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52bb03e-0fdb-497b-9dcb-4e85c6ce0cd3,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7128f43b-c29e-4abc-a00e-74f5add63582,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,138c69c4-5413-443c-8523-3a0f0d320cd5,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d507353-fb56-494a-906a-aba51afde140,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3276011-03fa-453d-8416-b4802e2331e9,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca4ce9b1-d911-45aa-84b9-89cca4c6bb83,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b7246bb-f089-43a1-a10b-e55f7eafa0da,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5f047dd-d13c-4079-a2b2-a3a8f0d76fc4,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba886fa7-459d-43e6-84f6-8ca277440a36,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c936a6-46ba-47a6-84f0-76f822b0c4be,"4/16/2021, 8:49:03.167 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e48298b-1171-4806-bff4-12068587dd74,"4/16/2021, 8:49:03.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c9e2827-58ef-4b73-ad17-9e30ee371160,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8b96f9-b7df-4cef-8e74-cd7467198bb5,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28d4ffa-4ea1-46e0-9685-7c3ee151b93d,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6240 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9d27b646-8034-4dd5-8e6f-902b692c7ccb,"4/16/2021, 8:49:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,df72de34-a5c8-45b6-9935-c1a331818e95,"4/16/2021, 8:49:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c6d11011-fd76-40d3-898a-835794226f67,"4/16/2021, 8:49:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,85a57734-ba90-4fd3-8577-769e171f7a63,"4/16/2021, 8:49:09.870 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dd4f54e3-4f79-42d8-afc0-ef66de15dec3,"4/16/2021, 8:49:09.870 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ec4a0c6-88ce-4001-99bc-a5478767ea7b,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d819dcb-c792-4b13-958d-b5023f7aeb33,"4/16/2021, 8:49:09.628 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bb8de7b-ed4b-43f0-bd1a-b8d6a462b82e,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099f2428-3b7a-43a9-a342-991ce357dba9,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77777be9-ad1a-49e6-a650-5616dc63749c,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30e602cf-7b84-4546-a4cc-655da66d6da9,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d6b5404-f843-4c9e-ad46-bd90d4a80d3a,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,928f03c6-219d-414d-bd1b-8f4d038dfbe3,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a89c9bb-0442-4544-b23d-28c86f51e700,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99d29671-5464-4d2a-b64f-fb565eea35e6,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25a16337-5daa-47a5-bbbe-69d62d230604,"4/16/2021, 8:49:09.628 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4c08591-5c85-4ff3-977c-a76cf23abbc7,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fcec099-b377-4af1-9a3f-5327defec953,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acda4f7-6958-4ffc-8a2c-cba1ffa315cc,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50b4bd55-d9e0-4fe2-9752-121cedc70b1e,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc96e4e8-e077-45a3-a86a-e40866f3fb24,"4/16/2021, 8:49:09.628 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ba74eb6-f65e-4773-b922-ac2bcb410e51,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c7b108c-ef29-4e41-b365-98fbffefcd98,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33b3aeaa-ddd0-4dd3-88d4-58a4e7a23701,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,caab8334-d6b0-4886-9c32-eeafd2560498,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7c357e5-2c20-496a-85a8-900ac1b6ceb6,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b31a336-9958-4c11-acc7-a8acc3ebec92,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8052 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + 
C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,74760c08-cdc6-468f-a71a-8d8ba5a4a255,"4/16/2021, 8:49:12.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1264 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dab7c94-a6f8-4dd9-b34d-816d32931359,"4/16/2021, 8:49:12.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8f1b81-4105-4cd0-9384-557a2293948b,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c30bce45-b7bd-4058-a8a9-992f77f77ccf,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a393caf4-a922-4f20-8259-61c1bce07b4f,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50858704-35d4-46e7-869f-7517ba265afa,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcfd81d4-fd86-4c45-a89a-2acd6919e274,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457820f5-d662-4f26-b904-6692e09cf8cf,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c0611a5-30f0-4a26-988e-393c9339d71a,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7ab05f5-8771-4762-a90a-d4fc31337b81,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a5f5377-0174-4bb9-ac84-3c2cde8733df,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d01e2e7-10e8-4055-bad5-301fe040f0b7,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05738e09-4320-44b4-9451-defc4c7c1e59,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ae4d24c-9b55-4688-b34b-c6430265dbb5,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e5d1e90-3760-4db2-8754-a7056cf98056,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d27a6704-30eb-4d67-bd35-9790054bb46e,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4794f242-a364-493e-98a8-2eadd1e08f99,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa2b717-916b-4b85-9e61-60035af54ead,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4307d5d9-95bc-458c-aa69-8ad8b2fffc7c,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fd8bf9b-cfdf-442b-9756-b5b8c596ddfc,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e41331-c032-4113-9137-a10eba2f0982,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b1d0317-2d9c-4f5a-bd60-0c5f549ab83f,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2470e5ca-531f-4ac0-8841-fdb8460deb63,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f4adc4f-40d0-4d40-9a9e-5c8dfd46fce3,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,986f2f6f-f96c-466f-9a3e-4bf77ffcfbae,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a2635fd-e267-473a-8e09-a453b1aee679,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b021edf-0335-4b75-bb69-909b8d3963c5,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c5c8d2e-49dc-44aa-b3e3-e919a72dc772,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fea042cb-e4be-4586-8563-f09ee9a902e9,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fc2a70b-79ec-43ef-b282-d48bb9c65d45,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,124ceaa0-fc88-4e65-a761-e2f0c417010d,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9866480f-62dd-44ca-bae4-f8cd71e767a9,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a88bc45b-e57f-4f88-b50b-99be3d6cd727,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,325338d7-48a6-4063-956f-14d806aa357f,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0a3a76c-a1ad-4a6b-9a04-6c3cb3ae1161,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1c292c9-e367-4dfe-8592-57a479fd5a50,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8cec10a-bb60-4cac-9e87-aebd534469c4,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1b703ca-ffee-4a0c-a08f-09cc47bbd411,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,decd587e-89fe-4463-8f6b-aca993048ee6,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e6ae802-c828-465d-972f-52e8c7c264a4,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,127ef862-9f30-42fa-9f9c-db0237bea3e7,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\HJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6835c0e6-7246-418f-825c-7716affc832e,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4c84401-3374-41dc-a5ec-56c64877abbf,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e31f06f7-119e-492d-a1ce-1ce7b52568db,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efbb770e-0924-4850-8fa0-0f48c47e2a4d,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08e0cfac-6e28-4862-a3a9-962786f7635f,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7294ca3c-7e5f-45eb-82c5-d837e4d1720b,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8c82828-16dc-42a5-9199-f771732896a7,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2843dca0-94fb-48f5-abf0-59d01a9534e9,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5f30c080-b691-4f06-aff1-007359dd4e9d,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bdae6fb5-a97c-4501-ad19-c6de583ca6aa,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9697334c-c611-4471-a2d5-f2f385a20c48,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7bb67878-3838-432a-b728-569ae6f18da7,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4a64ee98-cd45-4204-90e7-65df8600372a,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86ec936b-845e-4004-bfb0-ce71c5f7acfb,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7f497c8-a4f0-4f1e-80eb-f49d285dd540,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d2566bc-b5f2-4062-a69e-1625b946891a,"4/16/2021, 8:49:16.047 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3145853-59ad-4626-a671-bedcd6cc9236,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59f9d4ce-a0ac-4948-884d-3e1a1a99a99d,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b86f3fc-196b-4455-b90e-115983e327b4,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31335a97-182a-494c-8605-8fc7072f12b1,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,650a6f5b-a213-4ff6-a467-96990478c04a,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1487d00-ec8c-4743-9cde-27f070947478,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d70b8e1-9ef8-4ce2-a007-09becef9e447,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4e66315-2355-486a-9ba4-61a596afd771,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48356d52-f451-430b-8fef-5e9ae9bc5cbc,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,472cf196-fc64-4cd7-a677-1ceafb49b02d,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0271d2-4a98-4407-9ecf-27d72f299a08,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5a81a98-029f-4014-b451-bdc219011dca,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1387035c-eb7b-439c-8efa-664eaeb294e4,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b8eab86-84a1-4173-868b-ddcc7b58c0e9,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e73b516-001c-435e-8bd7-61bbcec1fb8c,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c16df77-9018-4325-bb6a-c6e8d38e2c0c,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7553e54d-c7be-4ac5-85a7-f84d27332a95,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b5d6df7-cd4e-4368-937e-e7b43adf5461,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f75807-af2b-49f7-a933-d1ebc1dfcd16,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ORDERS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d39310-7f32-4be6-8fdb-bd24b5ae6020,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d0ac90-87e1-442b-8a19-13e0e5cfec40,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d28be53-5673-4198-a988-ed5627f11b2d,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80ff1942-6357-4506-bc12-79f8eea718d1,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fde8d407-a587-4e1d-a634-e3741a1afdd3,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a31c9db-fb19-44e8-81fc-f7d78899426c,"4/16/2021, 8:49:20.140 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,43ec9a13-b190-43aa-96f9-b00cded9dff4,"4/16/2021, 8:49:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8191434-f36a-4b86-9a99-ba60022cc64c,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4116 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,34801bc6-19b5-4c66-a8b1-d1341f8b243b,"4/16/2021, 8:49:20.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4632 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,debf3dcb-fe8b-4460-a6bc-f21abff3cde1,"4/16/2021, 8:49:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0488d1e-e7be-477c-8ac2-d00d5617a82e,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a2a857c-ae38-4921-84aa-01cef6e1f983,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae51ac9-3463-4047-957c-8a79bb3f9284,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d513c45e-6fe1-4f02-b5b4-011ccbc9149b,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a894fb-4693-43cd-be3d-c14b6c76c5e8,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9079b918-df86-4687-8d0a-a7fe01725fb3,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8436b02-1dc0-4c59-aa2c-0519a2542020,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eea2307d-6a8c-4481-9866-e00e2e08b4e3,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6db737f7-c1a0-40bc-9b7a-57d08fa85501,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0178b5a-5c0f-4dfc-a34c-b796b1543bb1,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba8ce63-4771-4eb5-9700-fcf3dcb3bde8,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec20d1a8-0644-413a-b0f3-132d5b4f6d17,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10539c42-8cc8-4f56-abd4-725b9ca4e8fc,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,363e273c-e781-4859-8bb6-aa381e6cc883,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,914def06-edcf-4a7e-b232-578c5136072a,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,242c12c5-b713-45fb-b4cf-d863a7705624,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00c7b58d-5915-4562-a02f-52ca52e9bce8,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e4e03ae-6115-4814-8f93-36418fa95396,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b648ffe-d6b5-4bc2-92a5-d6aafbb67cde,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81d5ed7d-4dd1-4af4-b0a7-e394313c4108,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a39ac27e-5001-4897-92e0-27c9923fd6c3,"4/16/2021, 8:57:28.118 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e85859df-2725-4a5b-a1fa-10690ffbae2b,"4/16/2021, 8:57:28.118 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43caa06b-aa58-4ac7-ae85-037ba505c820,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7628 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,86504a5a-02a8-4ab6-9040-832bd83446e3,"4/16/2021, 8:57:28.118 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3604 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 
32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d366092-f1c6-4485-a487-6dfd6b50d00c,"4/16/2021, 8:57:28.118 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0bdf568-1411-4f06-9b70-32ad5f54951a,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1955018d-c935-45d1-8172-c5368a4485ba,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0bb2249-a8b8-40cd-840c-144d4e078090,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c28671de-5ee9-4cfd-a768-25b8652893a6,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c738fdab-c450-4726-9677-692df5b6bf74,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,447cf199-5685-4ee8-8699-61d80fa25e24,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a252ebf-6fcc-434a-b872-faf22672956f,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1fce5c1-b2da-4727-a58a-4ca8676326d0,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e55fa6e-1387-4931-a8f2-a76be9557f54,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3213d1-9754-4b84-af8f-cca2ae6e8b5c,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17541c3f-feef-4428-b04c-77d4002eeb87,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919068a3-895b-4d47-8a17-77b55c122dea,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61ba2683-a685-466d-9468-3ec5651fa236,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c7a549a-75af-484f-b6ce-5334d572dfbf,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3859f21b-7f7d-4e04-814f-967a9b430f1f,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f9788ac-d0d4-46d8-b7d0-a0e5a8f08054,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4117175d-bcf4-42ab-b175-b1d12560229d,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9c58cf-c071-4dd2-971c-a2d031bbeb01,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,994be81b-5db0-40e2-9f38-a1d28eb66802,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7097ee6f-22bb-4936-be8d-2fe7890e88a8,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e97fa61-5340-4251-a872-ff05fd4711a5,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3313398-24fb-4e3b-b1fc-31493f1772bd,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90ad5a05-5766-424e-91ff-d5a94feaada3,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3847e1-c78e-442b-afe1-4ca76a4dab1d,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7912 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c487ac86-df07-4399-971e-6a0d245186ee,"4/16/2021, 8:49:23.736 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e380837-19e8-4f09-9056-62ab5452c071,"4/16/2021, 8:49:22.428 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,401dce98-70f0-40fb-a65e-3d2789dc0368,"4/16/2021, 8:49:22.428 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,852cf3c0-090a-4fba-a58d-b7be136b0289,"4/16/2021, 8:49:22.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4580 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE 
+ 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2cfbb9c3-e893-4a04-97bf-f242cb65605a,"4/16/2021, 8:49:22.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2628 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b3eac1f3-afb5-4226-bfca-fb56c9f6e31c,"4/16/2021, 8:49:22.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9a35c0d-1fbc-4341-b7aa-aedff1a5ff05,"4/16/2021, 8:49:22.428 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68e5211b-9aa1-4a32-b1c7-d189fa51e0cf,"4/16/2021, 8:49:22.428 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26e89b74-9e88-4f22-bb33-30252f6f9de3,"4/16/2021, 8:49:22.428 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e51034c9-7d32-41a8-ac52-518517d9ece3,"4/16/2021, 8:49:22.428 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,327018f1-4609-40df-bb3f-cd80a68e48b8,"4/16/2021, 8:49:22.428 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d791f6c1-93a6-44c5-ad48-23b40f6e9657,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5980 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b37108cf-5ee7-425c-b8bc-be4f6481dca3,"4/16/2021, 8:49:23.597 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2bd0aeac-1907-4bdd-8328-0e2493334a5b,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9512 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4dfc714f-2558-4acc-ae80-b74c502bbbe7,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b509ed68-80db-4ffb-bca0-293c2ba1a2ed,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,51c64d33-d29c-48db-afe3-e77a34f88964,"4/16/2021, 8:49:23.597 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,9eef5471-22c5-4d54-9f4e-a6c45db7db64,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,174130c4-843e-434e-96f4-0894da68701a,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b15739e8-fa01-42fc-95c2-d98f0bfa14a2,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,125eefbd-2cbb-4b13-8d0f-434c90e08391,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10808 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + A68F28B7A6B48B6CD6CAB57C5C6411BCF3A6186B4FC6823F03D9F2A8828CFD02 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.18362.1016 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f8d22e8-064b-4daa-91bc-b92d42405d2a,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6228 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.18362.1497_NONE_16F5D4B32A2EF7C6\TIWORKER.EXE + 32 + 
BC24C913F9E2EED11FE1DD49061E0D4286CF68A1A36EC6CE4CF89FA5002E105D + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.18362.1497 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1497_none_16f5d4b32a2ef7c6\TiWorker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7af47c22-1cde-49da-8251-64003fe1d846,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9456 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4e65a499-7893-4877-affb-fae466fb9f0f,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,8695bed0-3650-44ca-8d7f-e6656a644612,"4/16/2021, 8:49:23.597 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac9921cf-f239-4e3f-8a7e-b4826f9232b7,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special 
privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ec8d7ba-2909-4b43-8d45-2892a438d389,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,947b425e-8303-4308-a4fb-5ac071ca0beb,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10668 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c30e6fa3-a3b1-4f0d-becd-6dcffa855218,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9befc914-e1ab-41bf-9a75-dbf07367733a,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,459b5902-74d3-4c6a-bee8-d3004e488c1f,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,016f120f-87b5-4fe0-8c13-c9a0cc0ca111,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,31c6a877-cf23-4a8f-bb93-7d91a8e0edb6,"4/16/2021, 8:49:23.597 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e20455e9-70d4-4862-b007-5dfc0cbae4b8,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8837e4b4-d159-4dc2-aae1-495db6b7792f,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d5c01b4-1cac-4d38-9b7b-7a624c08d71f,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7910336-9261-4637-805e-6f6aafb3e3fc,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebdd2a45-d68e-4825-8ea3-e1e8e2779c10,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,660d0e6c-3e6d-481f-ac42-ec0a96be8d23,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2607a30-ea3b-4339-b435-4b9bd1520e26,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ed42ceb-a424-4f6b-8277-ec60bf29b0f4,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d22b5b79-1ac1-449e-b550-2e54e6420d20,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de45110d-d358-4258-909d-70eecf2d8c7c,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c02ed4b3-1e2c-4f6e-ab2d-9368f11dfd2a,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3efde0f-1cfc-4f92-afd9-47d4e6c10a94,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f3fc36c-781a-4d95-8536-afb3a7d11226,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7637290a-6a69-4709-9e19-c7eccef838bc,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1de139e-5475-4965-9c60-81e97f6f5187,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ead51fe-ef31-44d8-bc00-1f894e67927d,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db3fce7-030a-429d-8110-22f2e24e83c3,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd4e570-901c-401f-8c0c-7d819603a0aa,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b355d171-47c9-42d2-bfd1-9c97802e87bc,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,505511d4-4b27-4ee3-8c99-e3f45f71ea0d,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a27e156-55d7-478f-8ba7-37d3bfdba928,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97a73ffe-7f33-4d86-82c0-b19de1e33596,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa70efc-ca3c-4db5-bb67-35db47080712,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea73a81b-bc1d-4251-87a5-24eb061f6f8c,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3dda5ad-eb16-4039-8224-a9f9815f3061,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a94e10d-2c14-464a-8e02-34d5945e09f9,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcbf083a-98e6-43e0-950c-c130c7eaaa1b,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b21abab8-b431-4d0e-8cb5-b039ca998c8a,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e537280b-47a0-468e-ac1c-50be7313f8c1,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\A.FUMOUX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,126eef0f-b5e2-4b1e-b6ae-3699f962c3af,"4/16/2021, 8:54:00.632 
AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb48a8bd-404d-4c00-95ba-43f14f76b49f,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f27787d2-a2db-40ae-a85f-1daa506339e2,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6db4df3b-a5f6-4f02-9fac-8da70ea17209,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d55265fd-7139-41dd-9ce0-dfecdceba54b,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b241659-4334-4b54-a045-abbe0ef63dcf,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2fcdc74-e44e-4ca3-b077-76d8cf8ce093,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2df07b4c-d8a1-4385-b25a-3792eaefb1a4,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b1f5376-3e91-46f2-88a3-689b53810211,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ 
+ WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45dd67d1-ecf0-4c80-b52a-8972c496eb8e,"4/16/2021, 8:54:00.632 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74105444-3609-4ddc-b84f-6ffc9299fdca,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7b4b645-43bd-46e4-9ea3-f058810df39e,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bdb0365-774b-4616-bb49-7d4f90946930,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62d07f53-f1b8-4547-b5d8-3fd0ee07dc81,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\DYA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31205a04-851b-482b-93c6-b67180c57323,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab8185f7-a019-4eb9-bbd9-a3b26bf332c4,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57c3f0a0-c7af-42be-aa6e-50bed1c41b55,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29415ed1-54b6-49a1-98b6-0138bda95b13,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a9ea798-c2cf-426c-a3ae-738422bc88b8,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a9f048b-d014-4968-98b4-e720ffed99fa,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e0592be-90b3-401a-9ef0-00e6acf44bce,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80498344-fa32-4061-9ff8-bfcb6c5a862d,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d32ed64c-1d78-4cfd-aa3a-2b70160f6b34,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa3ea056-d769-4bbc-a2a8-25d34858164b,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38489ff9-7462-41e8-bdd3-877932284f96,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e198c72-4a30-4317-bb02-05793572f1bf,"4/16/2021, 8:49:31.621 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d38845f-b0d6-4086-932b-09c295dd27fa,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,372bbe4a-9837-4ce9-b490-3bb91f0ccbd3,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,932be286-9b2d-4fed-abe7-acda110c7425,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21b55d1e-0d9c-4001-8d2e-713da4aa4f68,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82dab8cc-699a-4be9-8a3b-6ffb700e6b7b,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e502f40-b2c3-4fad-88d1-c085f18e956d,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0dc01875-7c85-4e29-9780-87d2ea57aa7b,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61b98fb5-48f4-4614-bbbb-77adb590272c,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c6b36b8-7f15-461b-9f40-9fb27588bfc7,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a033f32-4ee8-4c58-ab87-8c53f8def787,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb1ea52c-9bc0-4dfe-9fe7-c5096e05b31f,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0823ccbc-3f2c-496f-ad49-99e59b21dbfb,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f90e8eb-437a-4b49-a845-33c77431d83c,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6760 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d3fb87d4-e959-4a51-964d-cfc124f18668,"4/16/2021, 9:05:49.381 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8248 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1cab6642-e38c-41e9-bb3b-024f55773efd,"4/16/2021, 9:05:49.381 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b66b6f5c-355e-4563-8992-288e3f250acd,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 192 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3dc52595-6f03-473c-b37c-b68dd050ab58,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6876 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4caae823-8ecc-466e-9019-5d16f86d21ae,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5824 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5aa26eb-5cc2-49db-b645-534a5b738438,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,04dc7fc4-ab80-452e-871d-6ea0db51ac77,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ff7e45c2-39ab-46f1-9a5b-af40319ca1b2,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9932 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c23545e-85de-48f0-b943-f5a4ad28018e,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7336 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,92515840-041f-4d88-b7da-902583a68cfe,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7848 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,68f275b2-2ec9-4fe7-9b1a-9bc94b0fba04,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3336 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e4e99a2f-e7cb-4f27-8063-a1714b5f0ba7,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a439c4ad-9b86-4a71-bb15-de09c0d8e545,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1086d27f-7d8f-49c6-bc62-da9003bc6269,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,2fc92dad-6b07-44f6-8590-1a7f1d073f97,"4/16/2021, 8:57:36.567 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,b10f1e1b-fd0b-42ca-be42-9d8d987c5381,"4/16/2021, 8:57:36.567 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ed1fb10-0d8a-4848-8a9c-b2a92265b25e,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d23d8d45-97c6-49be-8bff-31664b3fe650,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e50c1b0b-843e-4181-8371-1bbd9187bbd9,"4/16/2021, 8:57:36.567 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96c4dbd-9347-4f40-86e7-9ddc0051aed2,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c018aab-9814-4c82-a84e-a9e50208f93b,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e562a5ab-e219-4d00-8a3a-6726cffc1b3b,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,489bb527-232d-471e-a071-f2c61caee38f,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf2c8ce-9155-4177-8b77-8a825a97ca21,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32b2c9c0-ef70-4e20-82aa-65fece9c0ec2,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23c73a1e-9d3c-4e76-a76e-584eb59262fb,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,c4aa258c-d028-4b87-ac80-7c91e505de87,"4/16/2021, 8:49:35.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd6920c3-c7b1-4843-9541-4f4e328d7a6c,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76fcfc69-c094-49de-b296-c58d4e94f6ea,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,690002f1-384c-409a-baf2-353ab82a255e,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62c3388-338d-4ab7-ba46-3e913dbf1889,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5ac7889-7559-4ccb-a338-52c0962a07e7,"4/16/2021, 8:49:35.105 
AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8ab9b09-bb2a-4c6c-882e-bd7c169eb52b,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e23ba54f-c8d9-4375-bb8b-92c38b5d19ac,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb18749b-1916-4319-900e-bcb22c8d6b5a,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f73f34ae-f792-4d79-bc10-dcffaa57f00d,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b6f0728-dfa2-40d6-87ef-c818e3312559,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ecffd1a-ad02-45c9-97b3-4c5aba62abf2,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30649805-3730-4640-a7d7-5b9f50cb092a,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400500d9-b368-4a51-a100-06e329aac1ee,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dcdf044-7bc5-44d5-8379-fe4641419fe3,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44b005b2-cba3-4034-9180-987901b4925a,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a348657-8417-43c8-b0bf-9bde3c5a6b94,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312e551d-bd89-4335-97c4-fbce5e3a33f0,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b876f3-f491-4e1b-9c35-7431998b06d6,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db1cc7ee-c65c-45e6-b431-213783ac6803,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9968e969-9cd4-475c-8939-969fdb5b3747,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d119ce11-6659-413f-a352-3903077630c1,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c67280ce-cb23-41a7-81cc-5177cb9bda0d,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9608f441-fd5a-40e1-967d-ea47371ea8db,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a6c0b58-cdba-4aa0-b098-3adface69f6b,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c05d8a2-a8f7-4e16-80c1-71823c7f4509,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0cec81f-f244-488e-96d0-97e7514ab676,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,059a1eda-ba94-44a8-b61a-33bfaa43054f,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec888f8-856a-4df3-8b20-b4a41bfb0c8b,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a535b4c-f866-4042-9565-d0a92aaa38ce,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59aa3cf8-4bfd-4dcb-a19f-0bcccab0c37d,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7f220c7-5b0c-4ca1-995c-d9122389bb4e,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a139d175-77c3-4012-89d5-5f2f6061e7cd,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,460192e8-0801-41a3-8cd4-95d3a634df66,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7629283-9aa4-4e96-b2a7-796d15b24e86,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,910cf8a9-338e-40f3-975e-1ce2604fa4cf,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82052946-edc7-4a68-bb83-0bc4d5410bde,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc5b609b-5d4e-4c61-8f9f-d85af51c4f9e,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f873b6-99b7-4c8e-be17-5ee87d133eee,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e97c07b-171f-4934-9c86-a0f431e7adf7,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7c0dbfc-4471-4c2f-8dd0-964ffc5e398b,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afec7417-2799-4490-ba1d-e407652e99c7,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d1ca9f6-4a4e-4912-b50c-02bb3846a5b5,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1abd9296-a962-417d-9c08-3843f6e60baa,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ad3ff2d-f153-4d94-a6fc-fe15ffef7b03,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\EYU,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a488673-9799-4a63-9053-17726b7064e5,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7662eaa-cbbc-4f3b-8f46-ef98c23c79b1,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b856ef94-9b3a-4eab-bcc2-97aefe7dbd07,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae4cbeae-edeb-428f-bb8c-bbd7fb1d9d19,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fca70bd4-3414-4a98-ac98-864061cb4b06,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eabc019f-1e80-458c-a101-741ffa7364f7,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e354979f-c356-4c29-a25b-5d00612f1991,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcdb6454-96ae-4a73-a3cf-d361f21635ec,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de3655cf-a139-4e4e-b926-37af6aa70222,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e51afba-8659-4247-abd5-43d98df69a60,"4/16/2021, 
8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77d2450b-a296-47ba-9d43-d44bc118b8e5,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48e088a6-e6c3-4e27-86b7-d9cd968756cf,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74199599-163d-4423-b139-d561654823a1,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b40a162-5150-4b83-8c82-6461693b29b3,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52df77cb-5139-4ecd-a42a-5b5ea5f1e81b,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,013d38fd-1318-4025-93fd-0fd9992bc55d,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1f261c9-83d3-4f7d-82c6-c4330bb6319a,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abb95dba-ec74-4726-ac79-2abbefb0107d,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8440 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8e144f3b-a7ee-437a-923b-bf30acffad9e,"4/16/2021, 8:49:49.318 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5312 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3a89eaf9-11d1-47bc-8568-2ca7185688c6,"4/16/2021, 8:49:49.318 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,242f9ada-1cfc-477d-bb88-4c8ca20543c7,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45314145-cbc7-493a-a83a-1cb35d742be2,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7811dc4f-00b9-4562-9da8-1fcefb6bf8f6,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,317d2ac3-1f88-4a09-bd9f-55534efabdb0,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f807e8d-6cfd-42d9-bccb-73b3c11aa5a7,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c844424-d273-40a7-b2dc-f9fdd8f8eea0,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11271be-a8b9-41ea-8786-901f56ac0810,"4/16/2021, 8:54:06.108 AM",,,,,,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d6cbc44-9043-4e0b-9854-0960fc0f97e7,"4/16/2021, 8:54:06.108 AM",,,,,,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72f6979f-1122-4c76-827c-c3131668fcd0,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23a8c118-cbc1-4301-be45-96bc2b008f4a,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7dca8a9-5e52-41c9-8778-3ff5e3aad37e,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33ecd040-1923-4dac-9a94-14d56e315300,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6668 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,82062461-c8e1-4faa-a062-be4df67ec547,"4/16/2021, 8:54:06.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9152 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6c0bf2-2439-4564-97f1-5e05dc17d6de,"4/16/2021, 8:54:06.108 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61802f94-5be5-42de-b498-d14823881af4,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0c53429-1b8d-4501-a06b-74e606a38a53,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f93dbed2-4c38-4320-a65c-d0a42f838aed,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea8e2657-2df6-4d6f-8911-aaada4955e7c,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31d2725c-9e31-4609-bde2-bd4c380865c5,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a341d1-e105-454e-90b2-9d80055029f7,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3300b3-925c-4849-bdda-897d015e4062,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc87345-fa42-49a7-9f9a-ffd37182cb73,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b846ef7-e168-4e92-af56-4cca35e3732c,"4/16/2021, 
8:54:06.108 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9399ff63-28ad-4cdd-9a49-05bdf2c84652,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1698d6c4-9ed5-4962-bcf7-12494e9b2578,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff4f8607-6294-4810-991c-2e1d38c93a96,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e3376b4-9c65-4c93-ad1e-b32254623e81,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba312056-2e98-448a-b482-2f73ed3377fd,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07f7075a-60a3-4d4c-963c-1a96106c9c16,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0731c3c-b165-4594-b53b-8a5c6f15302d,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35a054b6-9024-4843-84db-cc5c507a7593,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e06066a-925f-4252-b991-6505e48cb9e4,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,43f5f86d-03e6-493f-a1ff-ed91cf680c41,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3cac50c-809e-4ef5-80df-58c54799d43e,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8cfde43-762d-4bcf-891e-2a8c26b1478f,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bc6365a-2ab6-453c-b264-ff220c3f33d9,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53dcd2b6-5c12-40aa-904b-d9f89b7a068a,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9496752a-f738-490c-8e64-e98bb64bcb40,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,43dc892b-7ef3-4390-993b-77b9d09b8bb1,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d222e7e9-5927-44a0-b997-840c5ac387ff,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc6e936c-03f3-46fe-90eb-a5eb78b0037a,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd212556-0c5b-45c2-b223-37ed574431ee,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9903b52a-feae-4f45-b1e9-6a2961011e79,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,753f2872-caf9-4d16-ad5a-8da6fa326619,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ed05e2-210d-457d-ba68-b95894835f03,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10048 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,71c080b2-3e22-46cb-83d3-c8f23c07ba9d,"4/16/2021, 9:05:48.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11176 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,372da49b-6320-4150-8bbd-795e80da9d2b,"4/16/2021, 9:05:48.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f7c3ff08-1edb-4bae-8cb2-b7f0378652c8,"4/16/2021, 9:05:48.999 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d463c436-0557-44a3-93f3-a82cf6b6f5c9,"4/16/2021, 8:49:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,09425e31-871c-46b4-a742-29b3766b8615,"4/16/2021, 8:49:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,215af64d-d35c-400b-a123-df8de3c41ade,"4/16/2021, 8:49:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,55b58b8e-be5b-4f92-962d-c889c5ea9d47,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6d643cbe-39f9-4de2-a599-62418d7625c2,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7d2e3747-c206-4121-8d24-647a906c8a2f,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7000 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9eab2fd2-f777-44ac-b32d-10f7bc64cdf7,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,96e6117f-12c9-45cb-8480-647faaa37182,"4/16/2021, 8:49:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,30ff6863-6151-492e-a8a5-c8e1bd7590ff,"4/16/2021, 8:49:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,917bc94b-7f88-4f52-87eb-6418a6feec95,"4/16/2021, 8:49:52.740 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9640190-1cfe-43d1-aef9-d64130a43ee1,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3f7e2d62-908b-46e3-b6ef-cb410ebe96d8,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3cbcd7a6-c573-4132-acbb-a597c623bbbe,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 
0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7882caa1-b9a6-42b6-a28d-b5526ee0fc3a,"4/16/2021, 8:49:53.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,48edce95-e218-46b2-8d54-5a79cc4bee1c,"4/16/2021, 8:49:53.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a53fad4b-8bb9-4e3b-8905-6c7c468449fa,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,314aba7d-d449-4b85-892d-92b45dbca580,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ca5417e-80e1-491d-a10e-1fc715b2a3ae,"4/16/2021, 8:49:53.055 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df74259-dd32-4640-85e7-cc6e4f6cbb34,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87cda7f9-e573-4483-a987-5889723ea2ae,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab2d56de-c192-487f-ab48-29622211caf1,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e9ecaed-9e8f-45c0-b971-7df057142776,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d328f9-e551-4b26-8af8-679bd6a91aab,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,691e1ecf-25a7-4db0-8e38-116128a23927,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e954988-02bf-4fda-b90b-cc61aa80a899,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc7f817c-4d8f-4073-8637-ee2bab302d93,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae653b87-3145-42bb-a741-2a3386507f45,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1630fe3-6919-4479-a3cb-5ce82baa1df5,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d011572-6c8c-49bd-9c2f-93e0cbc4caa4,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56e0f8b1-eaa7-4db0-beb8-1321086a39ae,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d3ccb76-1aff-45b3-aba1-c4f2a48697b1,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,255d51df-450b-425b-ae4b-00de74fd6e0e,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13a2c00a-ddec-4cfd-b954-156e2154f99c,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97c10f2d-4703-4320-ad09-8d4d364cbe22,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebfed54b-5fc5-49b7-be3d-2762b3a0a9d6,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be7b182c-bfbf-46c6-b144-9d66bbe0e150,"4/16/2021, 
8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd9f707-b200-45dd-be7e-4d0e7031cca3,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a303ec-626f-40a0-b382-769ff8f9dea1,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0eefbae-5cf8-458a-b982-be85062ca23f,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d988f7e1-d0b5-4a3f-9fbb-b7d8f5a5c939,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2f1ce80-3938-434c-93d1-50dcda87352d,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53dea92d-80f5-43b0-908a-7b892bbf02b3,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,071481d1-2974-404c-947b-d053151b070f,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f478666-3767-4fb9-9b1c-1f25ee0133ca,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a7cad165-ba40-4488-973b-7623cc9a6f08,"4/16/2021, 8:49:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,94163ce9-6a72-4992-bef4-2921bac66e03,"4/16/2021, 8:49:56.990 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df91dd3a-d730-4e0d-a9c5-1da52ca1ef62,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4ae873d-d438-41bf-a9c2-426c65e55886,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1031c6bb-6da3-46e3-a503-fa0409b87c87,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93392c4f-884e-4e11-8ab5-c68b9392e131,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f57346b9-c9a0-491b-8a01-fcce019c5455,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e59909-113b-4832-b3d0-a5cf72d24441,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9c275e8-3bbe-42bf-a380-ed15b8e5792b,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02f77d81-5c01-4569-b5f4-0e25bdb261f2,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41ca77f8-c291-4517-af50-13e195592845,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7a38f9-3c28-47b3-932d-a70c7a2a5d3b,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44c767c2-842c-4aea-8c1e-755db4ea6d44,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85fd2d95-46ac-4e1d-84b8-33781141e696,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f149094-43ea-4dc3-94cc-b25082054e6c,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94db094f-b52c-4646-b7d8-4fae16ce04d4,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,762a9e4e-f8f6-492f-b135-4bee87e22bbd,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed621bc8-1b17-4661-96ae-4111b0c3b50f,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ASP.NET,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7aeefca-ebda-47d2-a09f-ae8f8c6737f6,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ddd0ca7-11d8-4cd3-95a8-64818cd1d0ab,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4576cb3-850b-449c-b334-dc8b5c62d900,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7433df2a-cf64-41f4-b6fd-8d33cb74f60d,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7951329f-57be-44c5-9a70-f440889d27c9,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ca312a3-093d-4c8f-8de5-8bc584a1de4f,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a26e22-693a-4d9a-96c8-453cdaff4328,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7c4d6d3-36eb-4a39-be3b-ba1e60c1b6ba,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c03f09f-fcdf-4dc1-9639-66443b87ccff,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c536522-3372-4bfc-ac0c-8dbb608924ee,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eb23e75-53bb-4493-9044-ccfeed094602,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76ce18f7-97af-4212-ac97-dbd4051d4bcb,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba8bf22-7e5a-4466-8e09-69fd6a7f9c59,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b888f82-6482-4eee-9087-34c89a9da51e,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fc78e69-8c2c-4b7e-b64b-b573f6158009,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfca755e-f744-4a3d-98df-c85d8e7987ba,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85ce5308-6fbd-41af-9757-e4469029491e,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9feab0cc-1ffa-40a1-a7dc-e7f111523f81,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c8fe7d7-0cb6-44c1-be13-12cf73065472,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07340a7e-2673-47f0-8afe-e779b382a5ec,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84df1f5d-fc77-49d9-bcaf-7759ebf72d82,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b492e970-da9b-45a4-8036-7c68acbca202,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,041c9293-cddc-428a-a597-4cf47cd5d1b1,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75ba3b29-37e3-49b9-abe8-54516ed4a819,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85c4cee4-2c2a-470a-aa40-ba90e0501172,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b3371e-c281-45e7-8fdd-5df2f782e2b5,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6cdc21-0ec3-4579-b40f-dd5372120d6e,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,184f0a09-4153-4a0a-a67f-62a8858c8bdb,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa5e44bf-f831-42b9-9e0e-0fa942b1ea36,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2326b750-43d8-42ce-b1bf-58593ff20ea0,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bed46ccc-c0bb-4a2a-8569-217f3cf3c029,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7260e83-b058-469a-8d67-22c8eb83cb37,"4/16/2021, 8:50:04.648 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed8631d4-58e9-475d-8f65-8f81e8ca19a8,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcd50136-1d86-4b57-95ce-dace4f70d15f,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4323bdc3-8fe9-4d18-a35a-12de66d8ca37,"4/16/2021, 8:50:04.648 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5b55f99-f23e-4824-ac51-393908b262ce,"4/16/2021, 8:50:04.648 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35b2cdfd-016d-430b-99f0-b5eb81b0ce3f,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1df5c8a-05b0-4c9a-bf85-a2492f740369,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97b6553d-c553-434b-b05f-52546cefcd7f,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4268176e-243a-4abc-8480-041caed8a85c,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bd98704-5272-4f0c-9ba5-12f29dc7feb3,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3167c73-3f1c-4c62-98e4-31675c32b964,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,007e8758-8f37-4cbd-813d-b2e0dd8896ff,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20adfa84-bd56-4b52-b039-378d6f01947e,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4adf58a-d47a-4f23-a3b6-db9ba45b6b12,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\JOHNYNOPROBLEMS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f9e58b8-3702-4528-93d2-6c1a9d9b98e1,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72994b48-a7ac-44d3-8b40-2052e2a0fde2,"4/16/2021, 8:50:04.648 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27f15fd1-b8be-4d57-bd34-151b0ab830ae,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d62a2b00-8b50-400c-a030-37e9486980c7,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fcc8e3f-b87a-4615-a95b-9e7474b85a58,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06287ee6-1ee5-4a77-8201-7f83ffcf5b7d,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,352f7172-1bbf-4538-a42d-0eb1ee1b3cdd,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f1f46b87-8104-4765-b3cb-5a9538444f2f,"4/16/2021, 9:05:52.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dbdfa75f-f866-4f17-93d1-73b9d73a31ad,"4/16/2021, 9:05:52.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4616 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0525a088-14e9-49f7-927f-c31d8ea9eb11,"4/16/2021, 9:05:52.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,489b4706-026d-46ff-8545-2e1ae33f9b93,"4/16/2021, 9:05:52.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d36ecb8a-4993-4078-a0ba-a54b1e2efabe,"4/16/2021, 9:05:52.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4fb5e112-0b42-41ca-adb6-0807c20eb49b,"4/16/2021, 9:05:52.774 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4c4059-a9d1-4670-ae5b-68936821262d,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78a0ef6e-e237-418a-b3ac-04032b0e4d2b,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add90f0e-8940-42f3-aa34-eb6bef549555,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80fbc4a2-f5dd-4b0c-83fa-0c5915c501b6,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e923777a-32f9-4784-8abe-ca0ffa085133,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a0eaeae-414a-453c-989c-12e5f5ccc3ce,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1138ded-bbf5-425d-a277-7d83ec16f6d6,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5192541-f4cc-4f12-9290-9f735dbf6fa6,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,e65596ae-726b-4046-b9a2-4bd0b5cfcd8b,"4/16/2021, 8:57:36.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4cfd502-2635-4138-8c1d-cfd5789bbcde,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f53f1faa-b1ef-478f-b392-68760c174bb1,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5ffbe17-825c-43d2-b510-6d8a18257aed,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66ac6631-2ef0-4900-81a3-c89be980cc84,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b858ecf-4f51-43f8-ba97-cbdffc2ea705,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c81a7fa-816d-4965-9c25-2d6f94473b17,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9524ac24-769a-49a5-a7a9-4f47d8b67fb0,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\DATA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9da5016-fd37-42a6-9fa2-b364228cd0a5,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75ca9ae5-f54d-4d5a-8f31-3d84122838ec,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f7c3e09-fdfa-4e9f-a804-8eca96124e11,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b51bb1-417d-431b-a03c-b016437b2021,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1612969-6f3d-4475-ba39-a37059957647,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb31df56-3e7c-4f9b-b3a9-14b986b5b89a,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b16050-fc9e-4348-a0a6-d2869e4af2bf,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda13472-f55b-466e-9df4-16cdbc8b184b,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20400873-2468-461a-9f5b-02c09fbae567,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75296833-f214-43df-bf30-f2113f989859,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9d24791b-6999-4d50-b14e-bdb1b4ac494a,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dd5aba3b-8ea0-48c4-8726-5101d999521a,"4/16/2021, 8:50:06.546 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7344 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6710ba06-e15e-4060-8f47-a1741e004b5f,"4/16/2021, 8:50:06.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11016 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,77a19318-3a23-4aac-9a3f-1ebfa61a293c,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5979420-3616-4721-8cff-745fcdbd1ed1,"4/16/2021, 8:50:06.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 6832 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,45ca5afb-522c-440e-811d-489c937c5ba1,"4/16/2021, 8:50:06.546 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,75ea5d32-8b09-4300-b3f8-0c3ebfc5b388,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,f6068b78-b955-42aa-bce8-4c36deb27de1,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,2172db88-aa90-42c9-a285-bcec6d04c04c,"4/16/2021, 8:50:06.546 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x40f6f78 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership 
information.,f6638b82-98a5-4542-8bec-6bc0977f793f,a887430a-319e-4437-9bce-c9a97b4b5080,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,0d30a2ab-2ffd-46b6-b933-fd7fb0d44e23,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,c137d9f8-d612-4899-8a8b-99c10e2b1111,"4/16/2021, 8:50:06.546 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f1590ce1-b0ca-41f7-bf91-ec434aa3222f,"4/16/2021, 8:50:09.853 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ace91aba-2f88-45e4-8430-8f28627a2ae4,"4/16/2021, 8:50:09.853 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4620 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,31ea18ed-a0e5-451d-b8f2-b6246fb9549d,"4/16/2021, 8:50:09.853 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1516 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e71a31e7-edc9-4e09-a23e-1d82120542b1,"4/16/2021, 8:50:09.853 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3535bfec-5975-42f0-9716-4f311fc49afc,"4/16/2021, 8:50:09.853 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,645abae8-f540-42ec-bf7a-f6d7f853db75,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cf96f62-bbe4-4e7e-9517-aaed16de8ad4,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1f8d4ba-a002-48b6-bb87-4e6c9dff9c7f,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e3ed307-66a2-46ad-b70a-abf608ea64b7,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87b1f972-4ec6-423d-ac1a-6f25baae9782,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22abd2a8-9a38-441a-a272-f8daf35ffbe6,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba8dfd8f-bbc6-47ee-848e-4fe643ad9784,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96e80def-7973-4e71-8ee5-bae014fccd45,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,664e94f5-440a-474f-be1c-cc52cc23bc50,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e90c9ac-3a76-4fe3-a955-4bea676402cc,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97384b3d-a580-4812-967b-dcd143660782,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bedb1b24-ad41-4de1-8dac-33d6a0c03337,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a7dcd4-32a1-4445-a575-e10dbf4a476f,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99448d72-0745-4b81-af84-2545414a5fc6,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a465dfa9-0fde-47f7-af4e-611361156ab4,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c3847b5-0176-410c-82ae-387d8c626d0d,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c62ae997-38a4-476f-9943-0ba385372681,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a357ff8-c91a-43eb-8cc5-2ae69b3e9adf,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4387019-c90c-49b4-9e30-79e3ced91313,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4b29016-8572-4416-9a18-31e3f8871217,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,049b390a-5249-4a73-8227-26d4d4451c49,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df22397e-e57c-4a38-a232-a61bb97ff4e8,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f9a06c-9708-458f-bc3a-995d74a5a17d,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d9079b1-ec1b-4475-9c1f-0c9bb8585756,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,603b47af-1fc0-48de-81a0-2a5633a918eb,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,465379e9-98f8-431e-985b-0ea63e860aa7,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20075e0b-a614-4fdf-89b9-6d73618ffaa3,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51f31804-7c5c-4fd0-b819-ebfcb876207b,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 
+",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,90880ed8-9be4-4bd5-8b29-85c80c2bd2bf,"4/16/2021, 8:57:44.861 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1592783e-b2e7-41d7-b2ce-a95d8394e986,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,da0ade06-ea01-4b6b-9322-b5b6fa21721f,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7678d737-3be0-4412-abb6-8358b2059272,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4823709d-5511-4e41-89ae-f301ee5ecef9,"4/16/2021, 9:05:53.068 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7d9482a7-fdf8-4fa9-9a2c-30128158f036,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,47c283f4-8b70-4e51-83fb-86ab26195a2c,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b52e1bf4-bf35-496f-ba60-8133e17512f5,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b024c36b-979c-4665-ac6b-f02bdbc7f65a,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,353c856c-bf84-431b-b032-593c20d2b011,"4/16/2021, 9:05:53.068 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,fd38bbc8-68ca-4a52-b940-8754a8560f6d,"4/16/2021, 9:05:53.068 AM",,,,,Negotiate,, +NT 
AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,dfe600e1-1c85-46e8-b3a4-a36bb2b67b3a,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4df63200-0ff2-4fa1-b3f6-6b33dec891cc,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5478720a-e665-472a-9042-bb691f8cd41b,"4/16/2021, 9:05:53.068 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,e7824ab8-4261-4b19-8a33-d182dc610835,"4/16/2021, 9:05:53.068 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,5fb55af0-d71c-4abd-aabf-2dc97d1e79e6,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3eabfa81-b8b0-4b40-ab78-93baa1d17d55,"4/16/2021, 9:05:53.068 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,25be24ff-85e3-41b1-9817-28f0976798c0,"4/16/2021, 8:54:12.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a436e4b6-b3d5-4530-9c43-4f2b413b146f,"4/16/2021, 8:54:12.423 AM","%%1552 
",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0873401-0ea5-4448-a74a-35375af67000,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4268e15d-b538-4465-a28b-9bfc94db09c3,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,be3a3648-f73b-4132-9fb2-74851c290294,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,08b66441-0bba-44a7-97e8-c5899fb546c4,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,77b6be97-bf3e-4b58-8d1a-ef42cc324dd9,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fbdca074-d88c-442c-a73a-de76619d0620,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e22847e2-b13b-43ad-98ba-137ba095b625,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58aa23ef-e4ea-45af-bc75-22ea45a07b6a,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,70b9fef6-cd2f-410a-b83c-d4f66b128bb0,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,baca7cf8-c52e-493c-988e-a795bb4f3186,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,56d8061b-1ecf-46ad-bf6c-83aae3a2fb6c,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from 
__ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ce00339-7b81-4cf5-a76b-ff467acc39b1,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f63138a-02cc-4163-99a9-fc794bd7b6af,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b281c154-e706-4983-9863-27ca1d0b2a4b,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,042b02eb-21ae-46cc-a02c-c164f142aedb,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b98f4862-46bc-4b5e-8b49-4cbdb1062b7f,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c584f36a-878a-4e3b-86fa-6f7d0afb0f94,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1793c71-f001-4acd-ab4d-641c7dec72b7,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b19014a2-d5e6-4ebd-a393-88a049578e2a,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f5bf0ef-82d4-4904-ab02-def1b0eb91ab,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a14c128-4e27-4081-9cfd-71d32e68fdec,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,594d7b05-0e24-48dd-93c3-f58f00db9d48,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,30e3cff5-3726-4017-a90c-bd7e2675ffd9,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,23cceb66-308a-42ed-9064-2dbed3b23f69,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5648 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4194c4f8-f065-4f1b-b600-fd357c281bb5,"4/16/2021, 8:54:12.423 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e44ebdc-02e2-4fd2-8934-f6d75de1efb3,"4/16/2021, 8:54:12.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f19b2a28-137b-4ab2-9463-8297e012de82,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4512 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3847a99b-f011-48f3-a282-b3957bfeac4f,"4/16/2021, 8:54:12.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ea55c4b-7c3a-4b97-8798-b4b39514d6dd,"4/16/2021, 8:54:12.423 AM",,,,,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,34ee67e2-916d-4d84-9245-0547f6c3cdde,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7848 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,35d91bf1-0c89-421a-bd87-37b42ea821e5,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5640 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6fd31193-4428-4c6a-a3a7-182678e9cdbe,"4/16/2021, 8:54:12.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cee0189a-a1a9-40fb-9f96-d503bce3e5c9,"4/16/2021, 8:54:12.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A 
new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc4b589c-a801-41d4-8aa4-30fd1d255498,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7284 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2bd43ae5-36b8-4b4d-9929-4fa0ed005602,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5556 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2e1d1fbe-8b27-4a95-8c23-153faf8606f1,"4/16/2021, 8:54:12.423 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d32e9b0-d735-48b7-b56b-db6f625e38a3,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f534b52-2b48-4613-8817-2af47426ce84,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9408fc1-e2a7-4135-b6dd-d386c7801170,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff0521f3-0bda-4c20-913e-d3890b1cda13,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140670b1-e23a-49b0-9e20-88112fd9ea11,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e93ca02-2648-4cc0-9109-7851fedf88ec,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cdf9e25-b4eb-4f57-8b8d-0e872b1c8a24,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73a48c5d-a29c-4fc2-8aa7-e95dd44f4141,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,903a97b2-a3f7-45cc-9a5f-84c62e0f666d,"4/16/2021, 8:50:23.108 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f858e0d4-e16b-4f41-b9b5-9d9dded68897,"4/16/2021, 8:50:23.108 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68b697fe-8af4-4b54-b7ae-22c0302c49be,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4735f50-4bbc-4b8a-8fff-3040faae04d2,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd5bacbd-140f-4fb8-ac5a-36d80b45585d,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a074197-9aea-4246-98ea-4ac674920bab,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7929e9c7-1ea4-4269-8db7-d1c2120914e2,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8968 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - 
A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,23183a23-c304-43ee-8239-541bd65aaede,"4/16/2021, 8:50:23.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1016 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,72bb7220-5835-4334-bba2-557689776796,"4/16/2021, 8:50:23.108 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c02fcd84-ffb6-428c-9c03-7d5015f91f2f,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e14bf2-13a3-4e0b-a0a0-617c7f748ec9,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42fccf75-6d26-4f91-a2ad-a1469f3d5ce7,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb618d4d-7dfa-42e7-b9cc-80f69b9da365,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a15f258-ca14-42b4-ba06-0c4bd33ca0ca,"4/16/2021, 
8:50:23.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f55aaf5d-49f9-40b0-b389-9ec17f739e46,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a456765f-35ff-4902-b0d1-1e3c853a26da,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,24c059b1-3372-4e23-a79d-1af8edd14b95,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,51476e10-8a44-4ffd-8ac0-257df62c22cf,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3c331f58-a6e4-4ef9-91cb-e71080182401,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b8871ca5-fb12-4013-92e3-c04274072f1f,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b41d2ab1-e907-44dc-aad6-af4f1ea166b7,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0df283b2-0a0c-420a-bb7d-bbcf3e3b3dc9,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,51745e01-dab5-4e50-a2c3-28d720ff754f,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d3f5277b-e415-4620-acc0-a09d5e4a0209,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2e48fdef-bf6a-41bb-b2c9-d649295ff921,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f962ddf-88b8-466d-b2bf-a2fe02fd7c66,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dacf66f6-2044-4979-b4f1-cbb5fd24419c,"4/16/2021, 8:50:24.049 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6bc1c01c-b3de-4cd8-a50d-2dbe12513143,"4/16/2021, 8:50:24.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9e466098-e77b-4586-a121-0c3d7cd9a182,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5420 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,19521cd8-dba1-4ca0-a57c-24249e90ce1f,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,086d3889-d506-4b48-a85c-2390a893a7e1,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5456 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 
+ O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dd609272-750d-437a-bed6-8c856dd826d6,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6a043268-ba89-4a11-8951-f551ed0c381c,"4/16/2021, 8:50:24.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0edb2ddd-3504-4974-865f-10326f25e248,"4/16/2021, 8:50:24.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,986c647e-bc07-4217-a28a-8070faddf810,"4/16/2021, 8:50:24.741 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1dabf28-489b-409d-b3e9-85dfc59a28b6,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c3f2fe3-75ff-4cab-b60f-728659c2b94e,"4/16/2021, 
8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e222883-d3c3-44b9-a960-86bcef112ca5,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a02bac6b-8da4-4a6c-af62-064cbc1c6854,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83dfd20e-f500-44cb-89a7-a0818713abba,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,475adf52-3063-441a-a6a1-5d30b1d37bb2,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2713d50e-3e6a-425a-869f-cff288f3c7d9,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0c6b727-24f2-4dcf-adb3-06158b928483,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,532ded93-6bf0-4dc7-9a63-5851d34478db,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6071460-88dc-4614-974b-610fe818b443,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b79eec9-78e6-4436-b7b2-f95d683feaab,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,812f015e-7f4b-4cd5-b418-12f49541ccb6,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f78b4c6-dd0e-423a-b786-00b63d0f6bdb,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,052b877c-5d87-4be3-9364-0dcfbf246d9d,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,355bdcba-fa18-49ab-9878-bae908d8f4bd,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de33139c-1abf-49c1-a7b0-7c93b0f9055a,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7832d515-304e-4605-9645-0fd7381dffc5,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,527a1ff3-15e7-4dba-8935-c61dbe537c30,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5350cf9-405b-4989-aca9-11bd46ac723b,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0638aedf-e3e2-4523-bf54-1d23dcb5f8c6,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47fdc91c-fb6b-44e0-bcbd-12d03d6e12ab,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e037f51-aff7-4b0d-8845-97b6019f0c32,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,749da945-efde-4b76-89be-03b0b2e86ab1,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebf0c4bc-975e-4630-b50c-642bd57caeb7,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e1e357-2449-42dc-95ae-40e10545ff15,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5141794a-0bf3-48cc-9b75-49d3d798412a,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,353a5719-88ac-422f-b1d0-efe500c19254,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06c7e136-3d90-463b-85bc-bc8546542632,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2209ce2d-d284-490b-a868-f5c194c2fdd5,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16b5c761-1a91-4dd9-bb6f-a2b12a5c7049,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6f9ede3-0bb0-4d86-ba53-88f910115d5d,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e74d1be2-0d69-43af-8d45-4cc0326d373d,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfb1d286-0ff1-401d-bd4d-c559989d3092,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37aa4fd3-ea49-403c-a281-6a7673e2b0af,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02abff0-319d-4ab0-b682-bb6f7baeb424,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96b642fd-fdc4-49cb-a22a-5182047c1095,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9158b5d5-7bf9-4a2e-b192-4b7d1327cbf6,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba51b2ed-1402-494e-bf4d-c82855e5eda5,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b38e94-a3db-4152-8616-9fa0a2c2a7a1,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,013a5340-d63f-4ed0-95e3-fb3e8c1997db,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd988efd-c52d-4b08-a513-05afad0c5eaa,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e51aaf-d2ce-49d0-806c-0ea06d6135f3,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bbe0781-35ba-4d4d-b539-ea7e278c95c8,"4/16/2021, 
8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bef7d63-f7af-427a-8e3f-027668034f90,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df884838-cdb1-4fca-a748-a663f1ef8e89,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e37f848b-0e24-421f-b70d-c86e22cf19c9,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63862cc4-1e1e-45d4-8527-e76a539b3a8c,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d3bfd23-7901-47a3-9fd4-08e3a23b33a7,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1743b116-4e39-4141-a072-f90df7ce9c18,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f088ed27-9f42-4fbb-9929-fbc80bd34547,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,394b6b50-e9ae-4e6b-8c40-26d9d2110b45,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,004b3d0f-4990-475a-8cf9-13621a9ab9c7,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab9cea62-8faa-46c5-9049-b5b7e4b59f05,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,942d39bd-76c5-4e89-926b-af375a0eb733,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1676596c-15b3-4204-bfcc-22608133179a,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c349769-ecc5-4421-be46-28897be29bb4,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b665c0c3-c870-4690-af91-247a7ee4a1c3,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e40dcc5-e0c1-4595-bda9-f216101b2194,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3faace05-b4a3-4e6b-b347-5e245ee4c33d,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda9e85e-a419-4e4e-b22f-ab65f21d08c5,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08ca8356-68b4-4b5a-af33-c985d66f7e5a,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e474dd15-fa61-48ab-ac9c-e6a064f4c112,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b7bb41f-f462-4ed8-9f42-6bca20498901,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a957a2f-0a5c-4a81-becb-ab954f7dbffe,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a011663c-48de-43e4-8326-a3dd32b58f18,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,843656da-8e2b-4892-acea-180b7a91a3a0,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c178250-5dd6-42fb-96b0-debaa82c926b,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db6c1443-e09f-4dee-b212-8f5a61751aa9,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,921e1610-1e10-4440-afcf-2b80ab7d4835,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cd8df2e-c22b-4462-9685-e2f702c00e3f,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5322312-7b96-44a2-8d89-c9565a09d70b,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a70bbbc-c346-4143-b95b-b1ea82dbe030,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adec0012-f617-40af-80bc-ae83a713b11e,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c41c551-2c7f-4041-a1fc-cf7c496d6625,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecf53763-ea08-4fea-947b-b0cf4dbe30b8,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eedb7a69-9149-45b3-a952-f77eb42e7568,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,848ae14f-2aa5-4969-b005-88036de3cb84,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b29a5a3d-5731-4170-9744-e9910ebc980e,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4ed7d53-8414-4f92-918e-d9df81a06ab1,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87cbd98e-18a7-4b57-aab8-49eba95a3cae,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9093e19b-b5da-43e9-a651-9ab230bb9b10,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83d4b679-8bc3-4fea-ab63-f5c4edb88069,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaacca3c-46b0-4106-a4ca-2f618dc45cc9,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc8f2cb1-a2b7-44f2-832d-75bbe3c790ad,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b31c7c89-5d10-43b6-8773-174038685bfc,"4/16/2021, 9:05:59.683 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23a2a98b-a5d5-4b56-8401-95ae7c79ef27,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3f67a6f-3d9a-43b4-83e7-8b0f1e0d4249,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,765a1e8f-8034-44c7-908c-e0b8b21eca5b,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06b794fd-dc44-4d8b-8d00-19c00f271e4e,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4472241c-bcd7-479e-ab4a-899371a0c812,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dad2dfe-930d-40d0-9515-57c281685deb,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,303f9ad1-64ad-4fbf-93d8-fe4abd5408d7,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74ef45cc-d64d-4d05-9f76-e4d34ceed598,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edda9b20-799b-41f8-8a93-30e2839c3511,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,923a8a08-365d-4fdb-8521-c48d2f0ec028,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7319de6d-738a-4c84-8307-311b9395e2a1,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26d151e-667a-49a1-b112-a4dd7477e0ba,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de2cb910-faa4-41c3-a3bb-f8741f0416c9,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1db126-b38c-4fcb-8470-850dd4324350,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a99f7e3a-ece2-4f1c-b595-fc2fae2f72e5,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db8c151-41a6-4d0d-86d4-a254c2a027d0,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ab85d4-ed36-4a58-bf5b-b42be0b52808,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5dedf2-eccb-4811-affe-4d1703ee97e8,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e70c1335-d428-458c-8ac1-9085a20108f7,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb755665-905a-45d8-baa0-d02a4d552277,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f772b338-2754-4f12-9377-a8c7cd5db4ac,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e6a4b3-dc6f-4f81-bc9c-a8465dfd721b,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e49f24cc-3d9e-4cf8-bbdd-3aa325453ec4,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da447902-739b-472b-b51a-a56ea1b55549,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e899b90-57a2-4df1-8b36-7543b9edd0ac,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda95c8d-709f-4460-9c24-f4e1e9b1382f,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f7e42dd-5d08-40bd-aa8c-4a664e7aaa34,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f5fa22-7924-4e40-bd9e-a9855ad3cb18,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129886c8-6843-4042-84b4-b07250e2bac2,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d445ad57-64e0-4c65-af10-1a49577c9259,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,199d3b49-ebe8-4c8d-8109-7b3682500e33,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e439c532-c377-41a2-a743-fe5b9f12ed20,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5d3dc261-a5e2-4209-b109-94dba7133bfc,"4/16/2021, 8:50:31.860 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f53eecaf-3990-4f97-bbc4-63ba02ca0533,"4/16/2021, 8:50:31.860 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x2416b7d7 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,162150d7-9b65-4e77-9ff7-896dbafb9132,"4/16/2021, 8:50:31.860 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5e5c6ad8-6681-46a8-bdc4-e76d22aecae8,"4/16/2021, 8:50:31.860 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was 
logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,416d9329-98de-474d-9b47-ab1c3abff171,"4/16/2021, 8:50:31.860 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,20162c42-2562-496b-8778-3cb59499445a,"4/16/2021, 8:50:31.860 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,247b9b37-4097-4834-a3d8-4c6ffd8def5c,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,903f5b9b-3be0-4d4b-8cfd-d449c5f8f4de,"4/16/2021, 8:50:37.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66beaa7b-86e6-4a0d-af6b-c027c3c7e59d,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca0678a8-3390-4d49-a50e-a322c523baeb,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4de60739-cc76-4fb7-85e9-f1fe85c7c374,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aecf83d3-7a12-4335-b39a-98794731d587,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,307e3a76-cabc-4965-826d-777f6ed4e76a,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c81e0c4-06fa-42f2-84c9-d6d0a09995a1,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3fb23aa-a8fa-4d7e-a08e-ded6831265c9,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46512883-034c-4233-95e0-44a67305a562,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fd95f23-8336-4944-bde9-c23a48cc1db6,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,788b3e50-0e95-4967-be5d-91aac55a97ab,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c4ddaf-61d5-4d03-9978-3f397c67164e,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,746af6c9-50d0-4806-a221-7a9c6907028c,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfcee1cf-4aae-4702-a8d1-848470ba186c,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52cdc7cf-5005-420e-9d18-de3463f25526,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3850430e-8269-433c-ac2e-5a2328f6dab9,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d615cb1-7f00-47bf-a8b5-6780f003aa82,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5acce280-8f33-423e-84b4-2189af88015a,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f792780e-1de0-461f-b506-5934d7fed659,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b124e4-1e1d-4e84-90e4-d1ace90081ad,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dbfe974-464d-40b8-b9b0-40dae863edb0,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1ca571a-f668-4526-bcf7-dcff911a2bc5,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf915ff-a2be-4af0-a941-3491e133bdb1,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75259232-5f58-4e65-b427-0df168c9387b,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\VAHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e54f47a-bd59-44a8-9897-0c0667fb0ae5,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d74e35e-1cb8-4243-a4d4-48f4cff1a625,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b60547cd-6852-4779-b178-d5a2b4a2601e,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11526c4e-f095-48c3-a6e5-3228d10a6727,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf94ff38-de2a-4f68-b98d-3269ed0805f9,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db10068b-2067-4883-8940-6c278268c718,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f79252d3-e040-437f-b418-604b6a8fadb2,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33612ed6-fb32-4c5e-9e73-ea2debbb9394,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8e07f19-f6b4-4b5c-8dfa-7b8357d49bc0,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d843177-32ec-42cf-89cf-56c6daa1ece3,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5583ded-6860-412d-b261-727b1a368197,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c6ce75c-3b4d-4a3c-aac0-21676da0ffd7,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a071f248-69a3-4d71-8688-5631a263a71c,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, 
+\OVC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa54258a-9e45-4581-a42a-6c0130db5283,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e70e9e8-7327-47bc-9ff6-5144e3873d84,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c060ae97-811d-48ef-aecd-de547ab12e7b,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16e662c7-e738-4fd0-9bd9-1a8e4c078ea1,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4ae0134-460b-462a-b885-94ce12f786c7,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfb557c1-5c1e-416e-bcdb-9b5276d41a26,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a4fb9cb-3a05-4599-8ddf-5dc1271ef1fd,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00b9db0a-9f80-4213-b3e3-aa3312a0e00a,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd2646f2-486a-4903-b9f7-e6e0185cfb2d,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a6884bd-9be6-44a1-a83a-f59d8cd53ec4,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1101142c-afa7-4123-b51d-1f65ac2753a6,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6888 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3aabb526-66d3-484b-b5fd-bcf1ba108f52,"4/16/2021, 8:50:46.998 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15060 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,50e721d4-7f34-4f18-a036-537571360c2f,"4/16/2021, 8:50:46.998 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c19d42ae-9b1d-4eca-a5a6-b7a42696611a,"4/16/2021, 8:50:46.998 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13920 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8c9e173e-d72d-4499-a334-7d6574d2344d,"4/16/2021, 8:50:46.998 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a6a3c2c-5448-448e-8ed0-52734b9185df,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee17591f-572d-4687-a385-3ba6d1b18621,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63981633-7965-4c50-862e-366dd0395abd,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5547bfcc-561a-40a7-b141-d86e246b8c29,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5600619a-757f-4c1a-bbaf-e252e668079d,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf6206e-5ec4-4431-85ac-9528d5c3e9a5,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b3c700-24f7-45b5-b3a6-8c2eeb6c2a65,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,702dd68f-8023-4073-b7d5-665e852a8aad,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c922ed3-b4f2-444f-99a7-52968a07ed8d,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac2dffa0-9272-477e-9acc-ca6d25dd2958,"4/16/2021, 8:54:24.132 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,35b62368-f788-48b9-bd57-87543530486d,"4/16/2021, 8:54:24.132 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c0cc03e-7168-4718-ae39-7d56b68030a9,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6955df17-9061-4094-a96f-ea1e565524d4,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d946124-25a8-4f91-ba19-3e0a1979db9c,"4/16/2021, 8:54:24.132 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7448 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaf22316-f60d-49cb-be93-d13005803633,"4/16/2021, 8:54:24.132 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abfe08e4-4b21-4acb-bbbb-7696b0be6ec2,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d13f9eb-d337-4131-8537-b7bcdbb864c1,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0619a82-9a61-4468-b2d5-067c4214cafe,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28827660-fc93-4184-a59c-31311615ebcc,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b14aac75-aef8-4e4d-a94e-9cc861d8b4ad,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c168fc6-9938-41f4-a60a-3501c570c418,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2524136c-1d65-4b0f-b308-bacf1444e4b1,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,550ed4d2-bb34-4a4d-9e15-a88d6b532fbc,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67a0bf52-6127-4a48-b2a7-c33657f6481c,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bcbbd48-b4ca-4832-814e-9e447eb4dbd0,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,01e6aacf-7eb6-4fd8-b82a-5fd15ca25874,"4/16/2021, 8:50:51.607 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,177e32e7-099e-4244-ab77-fcada3361af7,"4/16/2021, 8:50:51.607 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9708 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,514cf629-385d-4ea6-b274-386e5a17bbf5,"4/16/2021, 8:50:51.607 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8120 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f4c498b9-8f8e-4b65-80a0-6237b6a6a1c8,"4/16/2021, 8:50:51.607 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,013d3654-57e5-4f43-aeef-98bb9b67f15f,"4/16/2021, 8:50:51.607 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1328 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,edc50dcf-76c1-4277-8f69-441e3d6319ff,"4/16/2021, 8:50:51.607 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e441526f-a763-48b5-bce3-3adf5b1906e4,"4/16/2021, 8:54:31.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d153c5e5-9c90-44e3-9189-b5942ebb4d2d,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4696 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1237\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 96 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\1237\pmfexe.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,da4d3ced-f1df-4803-a09e-ecee8acc4f7a,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,23470e52-8730-4f42-9d72-898cd2796c32,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6636 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,44a4d0c7-229e-4151-840e-9eee14a74c58,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6340 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bc6a9a47-9742-42fa-bd0b-0ac1137a9989,"4/16/2021, 8:54:31.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,738af37d-2464-4e89-ab54-f0cab167ba31,"4/16/2021, 8:54:31.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6d0d9246-b30e-4010-bfd0-2efc16c5ed8b,"4/16/2021, 8:54:31.743 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feec514a-cfbd-4f93-9705-9dfe43e738a4,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbad19c8-1f84-4a7d-93ff-470284ad31b4,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5126dc25-8222-4817-a3c9-2b248856096d,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0372dea0-2397-4f9c-8b96-b01dbf547b1a,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,609bbd79-07bc-4d09-a306-4060bb12052f,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2d91b28-fa6c-4e06-b5f1-e20cdc3e0e86,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f145685-1bec-4807-9045-b29210de5719,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e989cd0-30f2-47dc-81c8-0dd5230e5066,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,375efbe7-7b40-4123-a0e2-c3017ae7356f,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84dcd236-de79-4c02-ade4-e0298e33a566,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c920c5dd-c12f-4808-95af-187c774310e6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7cd59d8-eb94-4782-8814-324a5c81bb52,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d2846a6-450a-45ce-a668-5eea93f7d4b6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93eb48d1-daae-40a2-8797-499b040ebaab,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e17446e4-4ebd-4487-b5a4-d4af92c8a88a,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,814f0230-462b-4692-aca1-95200a539ece,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,725de9da-c1c7-450b-8e7e-56a361b7f4fe,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0e6e16-958c-4bb5-b528-48ecc4f664fa,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b722d0ac-d0d4-4fa0-97f2-6901008df3b6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f418fe-b8a6-46bb-9bef-cbd2bc9296c6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d43a65-4495-4dec-95ba-5864a49b3339,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e313c4fd-875e-47fb-83a4-cca6d13b1550,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,688895fd-4ad5-4950-9a93-16469648b4b4,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53d70ab4-e6c3-4ee3-866c-e9a124b1cc78,"4/16/2021, 
8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d8ead8a-26b0-4d77-8afb-d15be46f911d,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeec1a15-8c89-42c4-aa40-f528edc43a4e,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d7f7675-d392-48ba-95c7-21aff7cdff1a,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5948133d-dca5-4b0a-83d2-64ac86195d3a,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba82f746-b843-4468-b8c0-4260d02cd701,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10bd0b3e-392e-4fde-9a42-fe6719a49c65,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4aacc4a1-da3b-4346-9b50-de7c71c56e21,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e61df01d-f663-4dec-a966-37ce8cec8bb4,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd992e4f-43bc-4864-8d2b-f7f4974a0136,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82ed520e-1923-4f94-b0e5-59bda4dceabe,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d30fd244-20b1-46a1-8728-111f7e373b3b,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,438915a3-7242-4858-9061-434d68002701,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfbd1776-c49c-4c6d-84cf-a560136ce8d1,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14aff640-1314-4cba-a1cb-ddd39399c247,"4/16/2021, 8:50:58.631 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ceb46ebb-45a9-4ccd-8f6c-6bd70974cbbb,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9c72066-278e-48e7-a765-ba06c2aac819,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e26c0de-f588-4ef9-aec8-1775d3ec4def,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a51cde4b-0e8d-420e-8673-507a33e74a0d,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,629b62a7-e7d3-46d8-b5b1-fb5063553c74,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bc9ccaa-48d2-4879-9fc8-14a4a7b94e58,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab36b4e4-bb7a-430f-83c4-f4f1be86f0f7,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7418f9bb-2ec4-478c-8d16-ebec3c928f6d,"4/16/2021, 8:57:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,48192bd3-f9d7-4795-8f9b-4382f705754c,"4/16/2021, 8:57:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,615efcdb-b27e-4e21-9515-2b54592a8699,"4/16/2021, 8:57:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ed90a956-51f8-47d5-beae-0baafb8f8442,"4/16/2021, 8:57:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,904a93f1-e152-4f5a-a232-c5758eacd862,"4/16/2021, 8:57:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f5bf4f75-cb00-41a0-8169-acab05604055,"4/16/2021, 8:57:52.738 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6a9b7bc-cfb9-4029-8d6e-64fddd8559d5,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f4f5526-7ca5-434e-92c4-8bd6a9ebf7bd,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9cbb855-6ce7-4497-bece-5f6c734b818c,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c52265-2cca-495b-af2e-e04ff619b9a6,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,022ffdd1-b692-4bf1-a69d-5d523ac92c37,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37235046-cb78-4adb-91d8-a70c804fa2ec,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf810e97-3470-4385-9f7c-8c559d1cec51,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe029e17-cd90-4b92-ab21-a4003c228327,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36564512-1867-4f0e-9dcd-7493ee39771c,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f17a402e-27a5-4f6d-8fb9-b4061bc4393d,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e556036-4a56-4383-b7e3-2861f05aeca2,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4a9a66b-d5ad-49bc-b94c-36482d087e00,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47121053-d4a8-4bcc-b23d-4cf626434f2b,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b96c700-7c13-4038-946e-043b601ca769,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5163061-a86f-4daa-aff4-8c13b9f195f9,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44cca718-94bc-4f6f-bdc1-6866bbdf4518,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a31de674-7217-4c7a-b059-cd2206c13e82,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28e74ad1-6d7d-4cbc-b6fd-959a046b191c,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccac9908-aecd-4f9e-8dea-37863be99039,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cc2a16c-1907-43f8-a098-c145dc2ab441,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a1a6f9c-d88b-4fe3-ab5d-d4f666ffdbe8,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3505059-671d-4680-9e4a-59c30396bd35,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6287301-4ec9-4c48-990a-eaa00bb47771,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,852396e4-7556-4cfd-b865-d53c074fa5fb,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ff473031-4d25-43d5-9e5c-24f666d78186,"4/16/2021, 8:51:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5a6326d2-dc32-467c-91a5-e2e35ee3a43c,"4/16/2021, 8:51:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ede15154-6420-4a94-905e-0a98537b9cb3,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14be9ff5-4075-413f-84f4-6482fb59431d,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f95f0276-0053-402a-99de-38986bba64aa,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP 
+ 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,6add8886-a0c6-4780-81d3-bebf617071ef,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,75ef33e3-7f3b-40de-be8a-d908d4b3f3f1,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4065ac2-fafc-42f8-b466-5c1fa5818e2d,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0324431-2115-4c44-8ee8-8b25fe4ccc4d,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,83881587-2420-4a52-ad77-75a86c98f793,"4/16/2021, 8:51:03.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b839da1-7b1b-4ba7-a97c-2d5fb7b064a6,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df8222d0-3820-4cab-a668-baebb989f155,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad0346a1-5977-4940-bffc-09a8c65995e1,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e37d72b4-53b9-45c7-88f0-64d32d50c161,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de78f641-31bf-4f9f-ac22-6a924a788e07,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9fb1f1d-4648-4aa1-91df-b25268c439c8,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e0bade-4b92-42eb-ac42-f48b32191e0a,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abead315-fb0a-41b3-8927-813234902939,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6d3eb23-0489-43fe-b9ef-d8cf4134ead4,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3d7a6c5-68ac-4297-8f28-a82a7bfa45cd,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf832cd-4ff6-4f90-92f7-72208b177476,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f89f874-8342-4cde-9702-bc88b1a9a66c,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d216596-7066-4383-9029-9e54bee22f4f,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54bccdc2-a1ab-4915-b3a1-88945b5f348c,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748bf2b0-48b8-4d67-a8a1-2b99be3c05f2,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd9a3775-34ad-4602-bcbc-e9cc352a803b,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd61164d-1bd2-4cab-8af1-0eb5ae0c750e,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a213d86b-775f-44c9-9b09-812a37a7b5e7,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bced286-4113-4d33-8edc-65a019895171,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc04e4d-a756-4429-ac1b-d3475811a0e5,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0236dbd8-540d-4a99-8c96-572283d0777c,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b485993-f015-40d1-8479-0a23b544000a,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310e76c5-3597-4529-a66f-ad64c91954f6,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2619f334-3de1-47d0-a3ba-0edac21e75ae,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d2de534-075d-432a-8a76-a330b4bb0ef1,"4/16/2021, 9:06:09.865 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,65f88bd9-313d-4964-9d73-1423f1785be4,"4/16/2021, 9:06:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,15b8c300-845a-44ad-9378-f177389f4d5b,"4/16/2021, 9:06:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6604 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8336f50f-f1fa-469f-9e14-2bc1ffbdf164,"4/16/2021, 9:06:09.865 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d6696bd2-a438-4447-beda-8b031a7e2683,"4/16/2021, 9:06:09.865 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,419aaf2b-8c2e-49a6-a71f-75532a05d942,"4/16/2021, 8:57:52.053 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,84f2aa61-c27c-4e40-9720-ca09cb4c8d9b,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7ed8fe4-8ce4-4251-9bfe-4d5361104115,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,90e3e890-a3da-4ac8-a377-c817c8716002,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + 
Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23ddadf5-36cb-409c-9b99-b49779dae587,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bc9cde9b-cf4d-49a2-8552-8835f93a8431,"4/16/2021, 8:57:52.053 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,176e301e-d4e7-4cec-ae07-cd51be36b1cc,"4/16/2021, 8:57:52.053 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5c4f93f0-d1d1-47d2-a34f-13dd574800be,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,021c7045-adb9-4bd7-89bb-c918714ad2bb,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 
+ 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b7d9317d-a3db-42ce-8064-a64b0df19fe5,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a1feb2cc-a9d6-4f6d-9276-904bd168bec0,"4/16/2021, 8:54:37.112 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,132a7c61-cd63-47fe-87e1-9212da428839,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1391f9f-6209-4122-848d-3a279c722f54,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9431f089-c125-43ec-96e6-26d274df69af,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3217b76a-8154-4250-bd45-1ca94c3222c0,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9ce34fd-47f2-4b78-80f0-a7c5626a815e,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129e84fb-eec6-4239-b030-63d784985b44,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, 
+\LJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b7f5656-b59c-4f2f-b2f7-d0a087924a02,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2a262a6-a27d-43d8-961c-a51d0e17a3dd,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1f2a141-76c9-4064-b9ff-6cb0e53a1227,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca25d97e-d07c-414f-8bf6-b97e00786336,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f576ff3-a840-445b-9b52-b9f9e08d8330,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,678f5e82-3b1b-4883-b27c-d57356a36b6e,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff9dcf54-5297-4455-926f-46c7f01b87e9,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,289e15d2-4041-4997-b436-c5e8f0ac942b,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2c5117f-14f8-4c6c-95c0-79bfb14d9a53,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5814cd2c-aa2d-497b-a0f1-f428a6f78019,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b167c9-cfe9-405c-ab7d-b82e54a118b8,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5eeadef-9067-4e4c-b60a-5194461fdf3b,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad8fed2-dc1e-42bb-8a7b-1a6486b3ce81,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,066295d7-0fe7-4b06-a315-b248d35aad67,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c57c4b2-154d-4f1a-b9c3-3a637dccccf9,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c81b5a73-5ea5-462d-84c2-9239e643aa77,"4/16/2021, 
8:51:03.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8bb551eb-bc7f-49f8-9093-79facd0b5ebf,"4/16/2021, 8:51:03.735 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2836 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,26353355-ddbc-4a92-ba54-41aed58d4421,"4/16/2021, 8:51:09.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6020 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ba394b73-0b92-4f63-8d7a-848b75fe9e56,"4/16/2021, 8:51:09.856 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1abfdab9-649e-4fae-98c0-d4dc07634c1b,"4/16/2021, 
8:51:09.856 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fe218a77-fb7f-44ae-8795-3f0aae4b679e,"4/16/2021, 8:51:09.856 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dde1ce42-66c4-4e14-9805-db936b936e00,"4/16/2021, 8:51:09.856 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f10607f2-0b7e-4344-a22e-c51feb59db73,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,994dedcd-a4a0-40e0-9535-d6c509746ed2,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec120a3-d3b6-4216-8c58-bea687b55364,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,615fed77-aa95-49cd-b3e5-f6e41141e002,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40dc8ff1-d0d8-4adf-80fe-bf21bfd4c9a8,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55554c6b-52e2-4511-ae2c-d7efb1c8aa93,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c70989bf-ab27-4b61-8f35-0305b87c2f5a,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c914122a-7bef-4452-b5b4-fd5f3ddb62b8,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aff174d-5fcb-457e-9644-500149e86ab3,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4fd7897-8a3c-4e7b-9b24-c69ef6cb9811,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0d930a4-563a-4e7c-9cbc-cf86bfc9627e,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd30a460-80fb-4ed8-b3e1-1007c43706e3,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,134890af-b133-4d40-ac06-9f5dcdb58cf7,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a584a2e6-725b-431c-b3fb-1757b61d52c7,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec16816-1309-4054-948c-af06cd8a1396,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22ab9683-2179-4fad-b30f-c4233d6e0097,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a284f40a-6256-41a2-aa6a-ba04d9cc9281,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c24c545-ab53-4c0f-9f48-6c23805f5179,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce560ff8-78ef-44f1-a67a-f76f1a0a15c2,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af5e40e2-8411-4a85-a911-0824df36441d,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36a5f61c-6f9a-4ce7-9913-02b5013dc4b1,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aca55c7-8476-4fe5-aa9c-798b146656fa,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e29972d-cf7b-4c64-bc1c-562c6fae18ff,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1045ea7b-98db-434a-b28f-47cf5e496374,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87fcc99-17ac-4270-ab93-002daa15ea89,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50793941-6246-4652-9b31-8ce61884d451,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eead7374-ebf0-430d-8974-6ac3e8ee9ad0,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb30549a-c81c-4b04-9849-b36dcaf9cdc6,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d7dd45c-f0c4-4c2d-8f61-7278967a7d4a,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d43f313-ef01-451a-90bc-c03ceba606b2,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972379f8-9bc5-453b-8edf-c714f2d41954,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b74821b-b7db-4de4-9ef6-d933806df9de,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ea363d-0b07-4c8e-a1e9-09d649eef277,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8a425ad-822d-42c5-a986-b200fa1f5092,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b67e8e4-680d-4cd6-bf38-e654d8b1ad1c,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac6a7ec1-45a2-4cff-b8d4-03ec8edc91f8,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9371cb29-76fc-4c43-90b1-d0e7bccb31af,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b328d7c4-ad0d-452e-aa69-909fbae0ba6b,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b42cefa7-929b-4f99-9760-98ee35cb27ae,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b720caac-f664-43f3-9031-2ac92005edf0,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c631fe38-f51f-4a80-a502-a8e5e27b3b8d,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ee790ab-0cbf-4961-b4e4-cc3041b80ffb,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4da7b209-df1e-4c38-9a02-393fa581741d,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0094bc15-eab6-4e2e-aba2-8fc722bb5aa0,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f4a8205-3107-49a7-a6e3-0babbe626b85,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb629132-287e-4e74-a7a2-24d6d9c43186,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c8cec0d-0868-4fe4-b510-21789e5cb07b,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d2d4ec6-6c35-4557-a8be-f85b1b0c5a10,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a7ee342-12f1-49c1-895f-e7bcdc29df05,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56e82d9-27fa-4e97-a22c-60c2635feb98,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13497cbb-5439-467f-9ba6-a4ca1c4c36dd,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7b509b8-9bfd-44e9-b200-58ea6dd3d469,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b5cfd85d-9fd0-456e-9a48-202b9bf4a4ea,"4/16/2021, 8:51:26.558 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,69be8a52-07c1-4729-872d-7e6c60c1ad95,"4/16/2021, 8:51:26.558 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8128 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f425da9b-0d6a-4c35-a030-d18f7b45a25e,"4/16/2021, 8:51:26.558 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8796 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7a2e3612-49b0-4134-af2e-b039e3533fe8,"4/16/2021, 8:51:26.558 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3348 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb42f1cc-93ab-4e3e-8724-8a6932d4e7f9,"4/16/2021, 8:51:26.558 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,53b03c52-5be8-4eda-8ac3-a9caa5c8661a,"4/16/2021, 8:51:26.558 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0b38db54-b0fc-4db1-9876-5fcb3ef2014a,"4/16/2021, 8:51:26.558 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,95e91855-43f5-4595-8e8d-dd992c5769ce,"4/16/2021, 8:54:44.858 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e11bc5b2-2c98-430b-8d4f-ad4b347e7804,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d269c391-3ba2-4517-8361-4ac34e9b43be,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dc3d228-cde6-4ac9-8d96-37aa3d684998,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,930261e7-6040-47c8-864b-ddc80fc290c5,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ee7742d-0205-47c3-817d-6cf44412c4d8,"4/16/2021, 9:06:14.669 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ceab502e-2e48-4ff0-8577-a40b47dfbd6d,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1bdf936-d7d2-4345-98a2-aff85fa5c1e9,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efbb3572-84b6-4bf1-ad3c-fa705c62e2d8,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c4b04b5-78c5-4580-8316-841ba9e701e9,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97af48ae-73ff-42bb-8200-f67d07ea9be9,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e49034-bf57-41ab-9701-3c7bc465ef13,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96031a66-b2df-45f2-adc5-85eb519bca27,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8830295-fd3e-46c6-b0b9-598dbd6f855c,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a801f032-2514-48e5-82bd-eb9e6edaa9c3,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ce72122-e108-4635-9969-7e015a206f92,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2bf3ef2-85a0-49ca-97e3-c46758709a39,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,004ef133-a91c-473b-873c-6180a2f05d25,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,703ff4ab-4842-487e-99ef-385f0f62d269,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29c6e85a-f303-4915-b6bb-e3fccfd1c1c6,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,460d3275-f3ac-4c9a-815c-f3b9d7e7e357,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5286c35a-103b-4b10-9b07-13c882909a0f,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,181b8da5-be56-4b20-a9f6-1fb64abf7ab3,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a871838d-4c88-4caa-8521-6ac5a8b96a3e,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f18c0c30-2f04-40e3-ae71-d58fe941f86d,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,177c48b4-1fd9-48b1-8c30-350ccd81c490,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d27517-2777-4546-bc1a-3f5ae4923b1d,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a95665-0c61-424e-b7b4-944559cf2297,"4/16/2021, 8:51:27.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,108a9ef5-fa8d-4da1-935f-143e15d71b65,"4/16/2021, 8:51:27.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6368 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d44c69c-af69-48b4-9f24-3ed49e0b4432,"4/16/2021, 8:51:27.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2eb937d-c17a-4476-bb56-9efab3eb0bb6,"4/16/2021, 8:51:27.108 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a9c1b4f-27ad-4696-a05b-be9932821271,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97c4584f-ad5e-4f23-82c5-24847c8aca37,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdd0b1ed-94aa-409e-bcb7-25c897dc8541,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b5195c2-2afd-47b4-9d7b-1c78a21725c7,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,473fb93d-5492-4a9c-9a43-60b76faae9fb,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97d9b575-8001-435a-9353-eecdbb30b622,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37c16e99-9910-4b00-9d41-742f59acccac,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\THSM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c040545b-8e88-4238-bab5-918a41eb55e1,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a045f863-5bd9-4a25-b259-41100d38fa38,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eed33eeb-d922-4afa-9d25-672e3291bb92,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf36eec6-ba36-4377-9ff9-e85787eccf04,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8b27385-3d8a-4275-b1db-f72394654606,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f0915a-fc04-4fbe-a682-6881d7b97fe6,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4434b98c-6916-4070-bac6-08aa2165b1f6,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46b06ec2-77ae-41ce-9262-c4056528a8ce,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e540fe19-3aff-4bd3-8acb-335edefe2a2d,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47b14d93-8402-4764-a8a5-45c7b7859c29,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a800b971-e674-442c-b418-d9e8cb0e1ad2,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df5e691a-3448-4b94-8508-a3039e22d680,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7336 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ed34d709-0699-43f9-b074-3542c025ef7f,"4/16/2021, 8:57:56.993 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4184 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d6bee65d-77c8-4cf6-9b6c-8893bec34451,"4/16/2021, 8:57:56.993 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,701c3745-1c0b-497f-8949-ad16c23268a2,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e536ef2c-90a7-4ade-8058-0997692192ba,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dab9f67-6ca8-4bec-8c9b-2bb08920931e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9674b729-c543-4651-8c5a-64354669ea83,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b82cda6-9ceb-4b1d-b27c-0a771e0e8585,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0b98c0-6784-4ae0-9b18-b1e725471f76,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8f665f4-1580-456b-8c56-f392ea00d10e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26f9631d-d5c4-473c-8818-2b8f860e901e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10771066-17af-4819-a025-fc7e943a3de9,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aae05ceb-b19c-416c-bf1c-3372312133d9,"4/16/2021, 8:51:33.643 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d95775a-64eb-4740-a47b-2149a707a615,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe949b52-93c4-44c2-a3cc-74bba8d0cdd6,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12b82ac7-eaef-461c-ac83-efd731efb408,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e91cb44-aa92-4fb0-a411-81144ef62398,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e6a8b39-3adb-4570-bb5b-7b174f3b2b4e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8368dfef-5e4e-4508-a178-77475a554751,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a98c299-1fa1-4c5a-9c58-5ff840b13651,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56a18bb0-fc09-4932-9638-4e482e8df018,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eae01a0-6728-404e-b894-baaca66b1ff1,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52f01260-4a3d-40e4-91eb-e1aa466f202e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b095d0c-c186-4041-bae2-6495eaf3d651,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04c8e8c0-55d4-40ee-9ec4-15ea3660e9b8,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02e3f64d-e528-4ace-9c7a-5548394f3bd6,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a68b544f-119c-4aee-9626-8422d2fb5efb,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c498c0f7-3c5c-4424-ae30-3d814ea25bc0,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f39e10a0-777b-4730-8e6d-bc12be585eb6,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e90c4f1-e996-4b83-b70c-792b2103771e,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0795879a-eb45-4fad-8048-608a914c8807,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,121fb4c4-df01-4313-b8ff-0b1e24421f44,"4/16/2021, 8:51:36.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,84f38cf2-6457-4444-803c-4a878cf10518,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2363d16c-d7ac-4b29-be43-13a9df2f687a,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cae370f0-3317-4ed6-b0f1-e6d3ca2c9825,"4/16/2021, 8:54:48.414 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d844d7cf-162c-4b95-b6e7-6aab48a0ab4d,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,176d2021-0047-4650-9049-503bf9b7859e,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 5800 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS 
DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9682aaa4-5fd6-430c-832a-ad6d30ca22c9,"4/16/2021, 8:54:48.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,33017c48-7b95-49c5-8154-b82dbdec31d8,"4/16/2021, 8:54:48.414 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2285ee9f-a341-4f10-a8ab-4cd90e85299d,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4de6dcf6-97ad-4224-a615-d65fbc9d6a37,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,11fe8982-615b-410e-bf50-e7a0b4b28fd6,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e99d0acd-b83b-4626-9ebb-66476628d93e,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f8a869c-4cf2-4970-b61c-a0c3af204004,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3256c8bf-6716-4ec5-b2f1-ec4f1a993406,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,279db4fc-e184-424d-9308-985d0b0778db,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6c2f9e-4cc2-452f-8807-c9b8ec74873c,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fffe5b7-1846-44ab-b339-6858733dacd5,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8032f93d-ef71-465a-b6a5-8e8d4ed678d6,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4afc2ae-7f75-4076-890f-82a749877a1d,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c597826-d624-4623-a663-6e65241d906a,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a9605399-6163-4185-9ba7-bc20116882e9,"4/16/2021, 8:51:36.119 
AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a58955e2-c1fc-40b9-bcbb-c362cf5b9de3,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ea789f3-8247-4f47-8f82-6ed6b7b233cc,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f37874f2-52ca-411d-b683-294d4b8af22f,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d5f202-ae0d-4c99-8c23-34542fbd0aab,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ef4a68f-ce69-4f92-88c8-880a0b31c19a,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a92c080-bbb3-4045-9886-ba7c4b0faf0f,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\USER1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80ab8c4d-6086-4fec-9e0c-56c637ae7bf0,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2e1e78b-9619-4a7a-8119-da693337d52d,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,648bfe87-e07f-4848-b0b1-f61b04c82690,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a9770c9-0280-4341-838f-98204659dfc1,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21dc6c1-53e8-4664-800c-accea870b59b,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2066e422-7a55-4c10-bb96-73a8941952bf,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cfaeb4c-fff4-4d64-b8bb-30fb9147efac,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7db455c-73ad-43c9-bb4b-75d1db8f42fd,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\REMOTE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8debb0b-9afd-4fff-9655-3eaca94b339c,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,980dee52-a298-4a83-82b7-5c514bc9ef7e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d5191dc-bddf-463c-8246-74f1a5e35add,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c9a116b-ccdc-44e5-8bc5-833ed2da24c1,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85b5c78f-15bf-4ae3-a9f1-118599063bdd,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0919ad28-51b8-4f1d-a62b-85598c93a196,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0eb01a14-713c-416f-b3c7-e3edd5e4dcc6,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dffc8018-e32a-42be-99fe-c18913e26772,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9f47137-e4da-46bc-9fea-fdff4e55d8ec,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6262ad31-cae7-4ca1-b1c4-7e760d1b2afa,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a539de1-e1ae-4a16-9714-1fedd7dee020,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8871d743-05fc-48cc-bfe0-60b05a7c5e86,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a2d372d-4805-427d-a368-f7809e3a4163,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45fc31f1-f067-4cc0-ae33-3ec0490a7545,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b1879f7-3460-4591-8f3f-3ec70eeb3da0,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b663010d-5176-4779-8c14-116118be4dd6,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1c8f34-6528-477e-9392-c79fe86e9586,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0805a5cc-d0fa-413d-bdfc-83292cd82334,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcf66bec-aee4-4195-85c2-ebd8d94d99f6,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\UJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddc6a02-ec61-4072-8db3-9fc85ad0977e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a0c1ec-eca3-4ac4-b05e-e0379837a65e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3927057f-bc94-4aba-90d8-12b5654c1f2a,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae3a09a-c5a3-4ad2-a856-c5e629c1971c,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77a67df5-9d86-4e85-bc28-d42ba46ce92e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e66d9806-a8d1-471c-942c-19c9cf74ec15,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a2b596-da91-4d01-b2dd-6b965ee253c5,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48b1099e-6c6e-4775-984c-a469fc9166ae,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca648ff6-533c-49c1-9252-a038b212ace1,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a46f70c7-2672-4e35-8f72-45be4cbfbacc,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1306e3b5-2fc9-4fd0-9f7e-ee75c4b60357,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2175de99-2ebc-4ee0-835f-dc5245db7e66,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,599c861b-37e7-4895-b0cc-ea72ab57cc06,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70195c35-0fdf-46bb-9e78-935755d6e8da,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a0b495d-6ad0-4e07-b417-0d9926cfee6e,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f396ae-9cf1-41a6-8945-29a0980e565e,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63786155-4795-40f2-8f98-feddf5d3de50,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8019503-25c9-45d4-90e6-7cc777e3ae7b,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4b359fd-1ddd-45bf-ba07-631baa2f7774,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8edccc5a-ff45-4404-b2a4-80d719e0200b,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e719214-6127-40a0-95e7-50aa92f3827a,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da0d2f99-15b6-4f71-a284-eb1d34468286,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fe07097-0c3a-428e-86e5-9d1700872f42,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b0b6d9-0359-49a7-955d-f04e2259f8b3,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77b868ba-4114-43f6-9007-d721802214a0,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8397b89-ef9e-4fd3-b075-1d47ff2ce963,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7b2a751-eaf5-4fe7-99af-1d64b7bf7043,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66a92fae-4345-46ba-a3c5-db163fc79a1c,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f51b517d-7b33-4260-a35f-2100cc616cdb,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51243692-b1bc-43ca-97b7-13ab2eff870c,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b61995a8-7b3f-436c-86bf-5c88cc03d70d,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faadbe4f-c52a-4968-b276-5d0ac67efd9d,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f0d255e-9a92-476a-ab49-596993f1b0c1,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98d53c36-6dc2-4055-a3a1-0c5e56937e14,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5eeae44-d9fb-4764-9b40-3b79b54450a5,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c95d1719-c8ef-46ce-896e-6d54230d7011,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca1b13b3-959a-437e-93be-7f625122202a,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edeae433-f635-4a07-885d-f522734aa543,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42279f18-c325-4272-a2b4-cb22c69cd503,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e7a9fe-e896-4871-a33c-8275a17b37f8,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db8f772-387f-4264-9161-33a4c70a16d1,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6070c2de-3b01-4071-a3e3-87c40661f97a,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0a49df-fb5e-46f5-bc26-173d73503b19,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89bf9aa9-e600-455b-a225-20dedac1ed66,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae929761-9f4e-4fa0-8155-ca3ce4801cc2,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bd3104f-c5f2-4682-ad57-38130896b203,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\COPIER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,926e6b89-95fc-458a-bc3d-7af0e8293ae6,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0204e9f-467f-4eab-a02d-33e2de3e8716,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f6bc504-d2e3-4b24-968e-eccbf7a8aa5a,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16d6cde5-7d40-434a-85ff-b7036879a48c,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b9acf62-a10a-4835-9e42-99eb7f969a37,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,573de0db-5de3-42a6-95d7-9e855963eada,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60c41b29-63b1-41a0-bff7-31053fdc8739,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5083a887-015f-4084-92e3-1f02ea0ef97e,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6799b668-dd1d-4d18-8fd8-67a0b8859274,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2915d3a1-d2cc-4625-9af9-973e5f53118e,"4/16/2021, 8:51:49.108 AM",,,,,,, +\SOFSERVERUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08635f3f-ef37-4949-84e5-430bfb963aed,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72b9be25-7ffa-4c87-b9cc-31c00136c265,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5509f76-44d5-491d-90ca-e642d03ba0b7,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b96a9342-e810-4f25-9333-28af3b10796d,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,262af11c-14f9-4c91-b64b-b588b61048fb,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\MEXAL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e07274d-ba19-44b4-a94e-1b050061375f,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36e1a49a-411b-46b4-afa3-827f8ad7a713,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2061872-3723-44ed-8d7c-6dd2da692b1b,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31470ca7-fbb5-4204-b000-c7861899d9b5,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b02a210a-e450-4f1b-ac58-0c7307521f0c,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bae57707-4928-42ae-80e3-44a9067da1b7,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65d0698f-d960-4e3b-999f-b32326cba202,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80b830de-a311-4c7a-b650-c172ab300ff7,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2528515d-5058-44bf-9cd9-db8c99fc995f,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9e0f6b6-3c84-4b72-87f7-3fbe47674c07,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,387319d4-cbd4-49f3-9a89-70cd6dee1048,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18487f21-3ab1-4bef-99e8-af0ba15d4dbd,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec41bf7-28a0-41cf-9d4f-6f93ecc2f86d,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd822d85-a0c1-4d03-b0ba-45ba83a64777,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4283a29f-231a-44e3-b83f-f4d1ef2ceb10,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e72a6cd-240c-4d71-a37d-3693e62bf59d,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0e250f-f515-4174-9845-dd0f66311aa8,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03898278-1ea2-4946-89a8-f16a93509ee5,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,279e0404-b170-4af8-b81c-e89a3f99be5a,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfba5762-b2f8-4a9d-97b7-af3b182f8b50,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aecc09a-c84b-42a6-a380-c0e45d6e6c09,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6689053a-734c-4052-8b75-8ff6e12ab36d,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d432e128-b0da-4d36-82ee-b14e64502075,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33d33685-9ac5-4356-900e-8ca0a4b785cb,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e416084-134c-4037-841b-6da925371987,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52e72fa0-8a09-4ee1-a400-d3607637bee6,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff49b2a0-a7e8-4a12-8dae-23fa766d6d21,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,605923c4-f78e-47d5-bdaa-dbaec30dc1f2,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bd61b3e-a90e-402a-9ff4-d6227390dfc1,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1afee850-eece-4f4c-9354-c36218f689b7,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c11b6ead-328d-45cf-b595-46258427b822,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ce5e1cf-efac-4913-a8e6-6feb62c9cc86,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1c05638-8a5a-4af0-b686-005fb6af13fa,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1790c9e7-63b3-4c88-978c-44605ae0a31c,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b89fa60-358c-41ef-9723-618f1e2e0f94,"4/16/2021, 
8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,163d138d-9afb-408b-9c86-506b00fa8e65,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3583652-e610-45b2-898a-005219b3bd2f,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a07724ee-6a45-4466-9521-00859e1d0901,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5bab7e69-713f-4da9-9734-d2d398f10723,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e10c60d-319b-4126-9821-805af58750b6,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55fd30c5-6418-4264-b65a-6a4a187fdffc,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a388166-c2a2-4f3c-b60c-de1de167f7d0,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03e137a2-5789-4710-a7bb-f8b33d509f48,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b88ced5-ad36-4cb4-bc31-722ad7b7db34,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7464 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1feaa80-9905-4b3d-8223-8eeb9d1a6103,"4/16/2021, 8:51:54.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7011e7b0-1414-4cb3-879c-a154b43e800e,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d74af75-f76e-4877-8d18-00c2753ed7f6,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cd4bb86-faa7-442b-a506-944ec90b0152,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f655e429-1572-47b4-8248-d939e8d87af3,"4/16/2021, 8:51:54.110 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84dbccda-1011-4dc0-b7ae-18ca18127123,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4870035-16ef-4eff-a284-0a37304cf3f1,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,872b815a-6a4b-406e-962b-e588c05af8b5,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6015ae4-b23c-45cf-a3d9-ae7e8848eeae,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b1b0c9a-59de-4a93-8434-25591db3f7a3,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e195de8b-36af-40e4-837f-2fe09bf001f1,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff6dcf04-10b0-4ec4-abd2-30fd5845a960,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,969475de-e083-4c91-96b1-ac006536abe9,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b3c88a-e158-4410-97f5-0d454b775a3a,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,428824de-120b-4e06-a537-4616d4dc11b9,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f30c779-e78d-4422-a7a4-7b664d42d935,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa98daf-2b97-4052-a64a-a4e366c11246,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32458dd2-6332-4986-b334-ffcd9be05e8c,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb7372bd-06bb-42bd-b4d0-888823957273,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b49b6e49-146e-4a41-a4b5-c29f41b0d96a,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2b55e6f-a1a9-4cd9-a071-b2f417c0812a,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde78e6a-a183-4ae6-bbd9-302a4c139a16,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cceab1ed-a6ec-4593-848b-73807be6b414,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df7bad4-20c9-4074-a323-56dae8bea6f1,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6536 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d359132d-f858-4018-878b-b9018e526c66,"4/16/2021, 8:51:57.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cb96f1e9-f209-45a6-b8f8-b47077d692a8,"4/16/2021, 8:51:57.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 736 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f0a68d3f-76de-4bbf-9941-ace31c12ab89,"4/16/2021, 8:51:57.797 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce90bdd1-c52b-47f9-9566-e82828bddacc,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62bb8945-6cb8-463d-b3a8-7188331bddc9,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d37fc26-46bc-4663-b371-ee3bc1df2630,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d98c7ef0-34fc-4bf1-80ed-c784f4d767d2,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afb3b644-0e3c-4b3b-bbae-0a09fde711c1,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b013fe0f-5a7a-4777-a329-b6e75f2147cb,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67db3eff-201a-47b0-8203-3609fe6543f9,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,712c691d-d9e8-4eff-99e4-1ca3e2a95b3d,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0f137d-4cc9-46b9-93d8-949ab078a751,"4/16/2021, 9:06:23.120 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd51090c-c37b-4cec-973c-11a81d8938a8,"4/16/2021, 9:06:23.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac212cbc-55ae-463e-9407-fd0443062f35,"4/16/2021, 9:06:23.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6872 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9d1fee7-a5b6-4f9c-89bc-eb581c7a408a,"4/16/2021, 9:06:23.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f737a26c-0942-4bf8-9699-ebf609d59c6f,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e38b5eef-fcb7-4dce-87c4-8a44ab794db7,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bbeb272-417e-4e57-838f-c6a35e3a32ed,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9d4722-814f-4091-a6f6-6244a4c2949f,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a952fbec-d216-4bfd-9582-b57e209dcad1,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e3fecb7-9f3f-452a-9de9-025e485d5a0b,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7dd8360-847e-4d5d-82ec-fb61371cdf39,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef8c39ce-899b-4041-86c9-a42f6bbb7cfb,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,875585aa-8129-42fe-bc5a-4caa2aa63666,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88219011-6768-45f2-9b0e-d2d6d69cc822,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3e40d4f-b818-4b8c-8778-89f54a78ddc0,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ca9856f-f485-4fdb-9247-c326b013a472,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f294a539-70a6-4854-afa7-ed7ec6e9f62c,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d8b29d-1c3c-428c-be70-f42f0aa7e454,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,740156dd-3e5e-4895-9d1b-844bb84f663f,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95fb8cdb-d178-44ec-a826-63c1f3f71fd8,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ac0beb6-5f9d-487e-8e33-f2a58eb5191a,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1336b3c0-4579-4072-b5d1-74f8918a1a65,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94296f4f-ac1f-421a-844e-93fb9c8d54f3,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4bc0408-cc73-460c-b6b9-71b1d25d5684,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e49ef7fe-311a-4a3c-bd24-77e43524deac,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c35486ad-1ac1-4f5a-83f1-dde143269f4a,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddfeec54-4f03-4fc9-8e56-40e3085d0261,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a09ebc23-ba60-47bf-98dc-207636d34f82,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1c220cb-519d-4ac8-8e57-8d3ace697bd4,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15893c5a-bd2b-4914-82ef-ec1fafecdd0d,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a22bf74-ab6f-40c3-875a-903919e83c80,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f580b659-5396-41f3-a2ac-407b288da3ba,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5108aca-5325-444e-9d5d-265db0ef35e4,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf852e1-662c-4f61-9b9f-29ca8793d323,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,794bbef3-659f-409a-9b10-987fa96fa3a9,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64642a76-eb06-4be0-b5d4-6dfb81e913b0,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca77df7d-4b71-4d70-9a36-2dfae4b7616b,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0b780e3-d8a5-45b6-a8be-bb0d3af26fb7,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb8a23ed-dc12-4c97-a392-b2df21f70dcd,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d2ffc84-e511-4b60-b107-4f730c68515b,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137b60b6-fa17-426b-a85c-65ded2fc2e6b,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fdd187e-3a08-44e5-89f5-cda74819f411,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0671e2eb-eeb0-412d-b183-e56bb5ec8bd6,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a183f090-7348-4012-b46e-271e3b3b8146,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cff0a7d-ab3f-4278-8eb2-c71388aa0880,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8994bc9-f964-44d8-bee5-9cb154924281,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fefa3eb-5fc6-46fa-85de-1c5d220d6909,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dbf0698-81b1-479f-a046-5847c6730af0,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2556c73b-4e43-4d30-9c35-59eedb152f47,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,452e3c71-a5f6-44d3-a9fb-4104220442f4,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eeabd73-6775-4c3d-ab82-08a659e1a0f0,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab8ec5eb-c9f1-4d0b-a358-81d40bcea237,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43b31953-ee8b-4ce1-8989-ed814fa2887f,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a679053f-d68e-40a6-9038-9edf887449c6,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,338f5843-3aef-4bf2-b0dd-fbc9544edd89,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8aaf1f6-daf6-4cf8-81cf-5274cb1c319d,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26a6bc1d-78ff-4b65-94f2-a175e163e051,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10c9d8a0-0f0e-40fe-96da-97a026c018e3,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cbb312-245c-44ec-be6f-310a793119d7,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3552ec9a-76d3-4b76-8a18-19c91ee7a828,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb206eb0-4678-4f0d-b041-b54311c6d650,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18912490-b42e-4667-ae31-ba55cd5ef974,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64c445c-82af-462a-97f9-5d8cc656ce69,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e75a7c0d-bec7-43bb-804f-9fc68bb62c53,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a02836a3-9aed-4893-8792-7bab6ad9cc03,"4/16/2021, 
8:54:53.113 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ce4e0d7-4d80-49da-a43e-3a45911d47c3,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6e398183-d45d-4c15-a13d-1f837d60441c,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6f352712-9fe7-4b62-8875-5c8f76b03916,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1b784609-7daf-436a-be4c-70f50666dee3,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fcad2d86-7bd9-4480-9887-6a2609e0b880,"4/16/2021, 8:52:08.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,56565e19-62af-4039-bc3c-dc80de0cddeb,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dd944841-4093-4085-9b74-d23fd844df6e,"4/16/2021, 8:52:08.050 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,229047bb-5b80-4905-a395-c49a81214464,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,da97331b-4556-477c-979c-24a28a2da222,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4911ca7a-2214-4e14-a61f-a1f4397e173a,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,36a46dbd-fb36-4d73-8d3f-2af3cb502617,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 
+",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e7f7a83c-2273-49f9-8529-028580118cee,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,431d9002-bbfa-4b98-a879-8bd0e26aca42,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80d843dc-eb63-4fe1-a474-2e25dfc2c492,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e602dec5-6d9d-461e-80df-886408e7198f,"4/16/2021, 8:52:08.050 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0683ecaa-591e-4864-b487-80469591514c,"4/16/2021, 8:52:09.856 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,acaaaabf-ef41-4147-88d4-5a28fabccb68,"4/16/2021, 8:52:09.856 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6704 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b4a5d347-0dee-4971-906b-f651709bf441,"4/16/2021, 8:52:09.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2752 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0b46a72b-1101-44b7-9376-a6ded5a70c79,"4/16/2021, 8:52:09.856 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3893774b-0b34-4d19-b6ea-4efe95339695,"4/16/2021, 8:52:09.856 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2b8be4b-afdd-4706-8ee7-b30a94030fb7,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9096dde7-15e4-4f01-9298-ada099487f96,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c62b5f6-1258-42d8-8896-9d291167eecd,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de9d4e0d-34b6-44de-b460-a8174f9bc7b7,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9023071-3d3e-4186-ae25-3cc9c3cbc054,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8d37fd9-78d2-4389-8381-7c1533c66ebe,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48f5c673-44ba-472a-90eb-ab42960f5f9a,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94dd2f33-f618-4e45-8441-0fea8751939c,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efa59576-86cf-49b3-9e0a-f98d6250db33,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3148ce92-5e4c-4103-a193-4de7cbbcc6ca,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b2373a5-b7ad-41f6-a432-10ffeb7c1cd4,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db5dfe57-4d73-4a8a-a749-5917b4a15ca1,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65a50ad9-0174-48e0-96b3-af3f0a0a051d,"4/16/2021, 8:52:26.653 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33bc72f8-4b32-4eb0-a693-2abc618e836f,"4/16/2021, 8:52:26.653 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8af9caf1-552a-480e-82c2-baba0e366136,"4/16/2021, 8:52:26.653 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7beba18f-af3d-481b-a040-3bdaeacaded5,"4/16/2021, 8:52:26.653 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37849d86-f97b-4a26-9f31-3a91336f6f5d,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18fb2b90-5ce2-430a-b315-52cdc40fef30,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30c7ef9e-ba3f-4026-81a4-9659c686bc7d,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4053bbe1-b507-4faf-a0cb-d5df3e7b536f,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdd01c6-8c75-4472-b1ab-252de6c5af94,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6589b6e-e5c6-49e4-9d02-ff9a0cb6c019,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44fdaf21-1e36-400f-85d3-6f95efc2c07c,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2aea034-657f-42bc-aba9-b1fb6df0d979,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81014a64-e778-4424-acea-ea98b627ff1c,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e233eef8-c310-4f5a-aa39-7d5485f11017,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6663d59-5ba5-4e4a-bcdc-f4e8dabe64c1,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0efcc13-d09b-405d-be1f-7a0ab451fcfa,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaa3a3d8-017b-4d6b-a60b-b7216649c4f7,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47e1631a-cd12-4f39-9e2e-5cd30c838bbf,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,314a3e15-28c8-4d1a-a00f-64a104168fbf,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0558027a-8505-4225-b1cc-a89c7a727fcf,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b29be0-6370-4d0d-b4de-cf38d20869e9,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90da2372-b05f-4e96-adac-41b107053d5e,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cb6fccb-8ad7-476f-8ef7-6d6b75f33acb,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a909ab0d-9aa8-4ec4-af4b-8fd9b1cf149c,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a3fe666-680c-4016-88e4-d195f12a1cd3,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b76848-02b6-4615-9a9c-6d6e6c225a14,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9b5cb4-163a-4cee-9011-c8b67928a350,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31edbe48-695f-4282-85a2-b26b53c696a2,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e156f963-553c-4746-a75a-c7f86e9d18c7,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2a0047e-36de-498d-907f-093e7531b094,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f67ef75-d8ca-46ba-84e8-ee2dca37cbc2,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,664895b0-96ee-467c-92b2-11aee3f0c689,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2372a61-a719-41d8-a359-af1316d66e3a,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4955d1ce-3180-46ec-9545-5a79b430a5ee,"4/16/2021, 8:55:04.846 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,eb69505d-d169-47c6-986f-c5814744b973,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f9a53b8f-2e6a-448a-991b-a6c573c408c7,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-19 + 5972 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cf89e4ec-0d57-4861-9dbc-448bc0c33436,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4980 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + A68F28B7A6B48B6CD6CAB57C5C6411BCF3A6186B4FC6823F03D9F2A8828CFD02 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.18362.1016 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,43d24e17-5912-4e12-9f0c-c6842c989e03,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5328 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.18362.1497_NONE_16F5D4B32A2EF7C6\TIWORKER.EXE + 32 + BC24C913F9E2EED11FE1DD49061E0D4286CF68A1A36EC6CE4CF89FA5002E105D + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.18362.1497 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1497_none_16f5d4b32a2ef7c6\TiWorker.exe + +",8002,8002 - A 
process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1306457b-e54f-49f7-bce0-9877b29a73a0,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f995acd2-e6c4-4e53-9ab7-534da04c2180,"4/16/2021, 8:55:04.846 AM",,,,,Negotiate,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,296519b7-bfca-4bfa-9e09-b5f51b941e4b,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8c827918-6149-46bd-a5a9-ec084ac25479,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,11798fa5-0c40-41bb-b769-c014ce556906,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e8d45e84-4c42-4670-9b5b-a414f355e00b,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 5900 + 23 + %SYSTEM32%\GPUPDATE.EXE + 32 + 4E2D85458A3020FD0DBFC227C5779B02C4E80437A5BAD96766B0FAC8D955615C + 120 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\GPUPDATE.EXE\10.0.18362.1139 + 0x3e4 + 32 + C:\windows\system32\gpupdate.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d3ea0182-74ab-40fa-9ac9-05651c87d748,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 7056 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e4 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0265a7c6-70f4-447c-b68e-e79ed313300d,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2656 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0245020e-33b4-45a9-a0ca-e0483dfbd5cc,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3fb73e03-d79f-4b23-ba41-3bc59099e399,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0c4c62c9-9940-4057-9764-fc0d06649fd0,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e985bde5-9b74-44c6-970d-c2f4d5a1279e,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8436ea99-84ec-49bf-939d-a06739b20d35,"4/16/2021, 8:55:04.846 AM",,,,,Negotiate,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf294696-33b3-4d50-be4e-a29ce0421c70,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,17e11dc2-647f-42d7-abf6-55502ea5db69,"4/16/2021, 8:55:04.846 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c688f4c3-45f8-4a75-b702-d36a5498dd0d,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cc46fb1f-59e7-4812-93e2-d5b01c56149d,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\ADMINPC2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,767b045c-9c32-4f49-83e9-2d2cad22c232,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO.AZURE\ADMINPC2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8684d097-18b0-4c25-bebc-adbf77d34f2d,"4/16/2021, 8:55:04.846 AM",,,,,Kerberos,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ADMINPC2$ + CONTOSO.AZURE + 0x1237845 + 3 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1661583231-2311428937-3957907789-1112} %{S-1-5-21-1661583231-2311428937-3957907789-515} %{S-1-18-1} %{S-1-16-16384} +",4627,4627 - Group membership information.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7e9d2fd3-d33a-42b3-99ea-244a7ebd1675,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\ADMINPC2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,02f13426-7e37-4f99-b525-c97e240b8f24,"4/16/2021, 8:55:04.846 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1e34fb-ba86-4069-90fe-39c2f95942ab,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cbb787e-6c79-42eb-b7bb-0fbf037f1256,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbd779a4-5724-4c0d-a089-6dd6550ca94d,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,bf0c498d-020b-4434-95ec-497b7f520a50,"4/16/2021, 8:52:35.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,072b2996-ff58-4ea3-bf7b-a8460873cf3f,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab7f8d52-f0b7-4477-8c76-49bb29a48948,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9238ca01-9fbe-4835-b138-78ec17a823ce,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0732308d-b44d-4a74-b888-23c3c618a035,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db55b397-22a2-4b0a-b199-7af3cb462e57,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d273db01-34f8-4cfd-b98e-9993d6ff08bf,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\SQLAGENT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20360f3a-9d62-4833-a312-c850d2cfad70,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8556b4c-7139-4f9c-a734-aa61e7e4e992,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3425e1de-c826-44a6-b248-030f27a1f9ec,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36f82a91-b8c3-4441-91ff-76083883024e,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c4ab24-240b-4c6a-b790-c02d77244c0c,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92622d05-ce73-46ce-84e9-1bb617a73660,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99811bf2-f5db-4ea7-a850-25ceb6a7c67d,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9804edbf-5cea-47d7-a1b3-aa35784ac28b,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370de8c1-2ed7-4d1d-8775-74144a5c5ff5,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53d68a7e-9eec-4493-acaf-5eda11d174f3,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80eeffda-ef0f-41a5-81fe-6a8da45d21ae,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b69290-6885-46d9-98f6-bebc30f5dc7f,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0cd6140-4d7c-498c-bdb0-63e2a7810a1c,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87a62abe-5e35-4a77-aea1-4a5181bf3447,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37a46f84-7f47-479b-8d54-33e0350d5ef2,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5109862b-9248-403a-845d-a043a6c11ae9,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,981ae775-8dd4-452e-bbe6-19b621e4833d,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ede3087a-bb60-4150-bf4d-ab34acf78711,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d959ef3-d884-4fe7-b106-1442718a29a6,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e86ebf7-b51e-4cd3-a13a-2baa18310a9c,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e343422-698a-4199-99fa-b5cb09d6d2ae,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02f19d0-794f-468d-87d0-2187d7e19f4f,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,878fe3d8-fbe6-4446-a701-e1690345ed46,"4/16/2021, 
8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b0d3a4-4d79-4df2-8b64-1c090d0617f7,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01f7e84c-ce3e-4ceb-a4dc-f806ac6a313b,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7203ee70-bc18-4523-8c94-6d0527dd015f,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2698695-ab8c-41cf-9a53-be1974724593,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67f73236-8ab1-444a-af68-2e2f0febd76e,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee0aeca-9311-41b8-be02-0321c2a2f97a,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce62d16a-b487-4130-b632-a1055a44d325,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34faadb7-80fc-46ca-bff8-4f0b3741d19f,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e4cdff7-c47c-4229-966a-7294266052a9,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a28c84-d13b-4d64-8775-ffd270da89e6,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef7a7b1-ddb0-4b23-bf97-5f3948366180,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352fdf20-690f-449a-8340-0c5575e7ff32,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,382d15cb-ee9e-4ca4-aee8-555744f62b3e,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d09cc073-acf1-4937-a53b-b2591fb4f053,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage 
Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,edabda6e-8fa5-4e5a-9668-c0c4caef8f69,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,470f978b-51d2-4b55-b25e-79deef13c047,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f06d53f6-f08b-48a5-b601-257bd470280e,"4/16/2021, 9:06:24.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,41125bb6-75f2-4cd3-92ca-343f3852d973,"4/16/2021, 9:06:24.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,f150a8c8-077e-4e5c-8324-2ad3773aaaab,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key 
file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fb2c3016-1f01-4fa2-9282-9c78d457fcfe,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bb9340e1-0de9-4332-ab69-1d841efc97cc,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eb774171-520c-4e65-8ac8-fcea85fac78b,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6336b4b3-201d-4cb1-a91b-07ba169b281d,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2afe46a0-b3ef-4e61-9a20-1df5e92791c2,"4/16/2021, 9:06:24.060 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6b9d11c4-5ba0-49b2-8013-cf76817d7c55,"4/16/2021, 9:06:24.060 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bcc9dc0-9cb5-4c44-a18f-fca34a15ea4f,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08e83d57-3d6c-42d0-9121-f6e21416086b,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3d8d89-3c75-457e-8dd5-91afd23eafc1,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6665947-9444-4563-889b-2a54920042d4,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c63330b-4b4d-4d46-85dd-a4bb36b0f4f1,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fff13c3-ea0e-468e-bc5c-32903b1b0cae,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3460cfc-6f20-475e-becc-05209c32359e,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a30f4167-fb1f-446a-be5e-5405150e4a6c,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90739f3c-a406-48a0-bf75-a5cb71c5ba7e,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b4d5418-7148-4da0-8638-f59dc1198aeb,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69976a79-980c-405e-b61a-3c2d4719677a,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69234736-7e11-4165-acc5-e2dbc71f1476,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fc490f0-3ea2-4d28-b224-3b96ea708913,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82cb1ce8-0827-4452-8c38-db244fdc7c23,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f3004d4-06c8-44b1-ae7e-4ffe6d6db0a7,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,347a3e14-9474-40b5-a6eb-77eff74d24ed,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,870ea954-e334-4b5a-a6b4-c04914fab217,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1948f292-7cd7-43e0-a2a3-eea1ea47217e,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab9c16db-cd14-4ffa-b070-6301e325a190,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b62516a-c55c-494e-84b6-29a66452cfc3,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,019b6ed7-5140-408d-983b-34c01879ba92,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbd1b6a7-ab32-4af4-8c21-c5156cb51c67,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c07bdafd-e5d7-4a56-a716-4d0b9e999982,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a0c0c1b-3a98-4403-9a4e-125e58a47bb7,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bf64a04-b49f-40b9-a39c-400f424dd616,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79d77a1e-a549-4daa-a9f7-57213bdf5cf8,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b38d8ef-607e-4617-94f1-da236c1fc941,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef384cbd-9225-4cd9-87c0-22c5fb2feaac,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58a272f4-ca71-45f9-a1f5-d4edf21de734,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac3d3f55-f716-4e51-849f-a345bb57a72f,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b75ef5e2-1d2b-4fbf-9949-95a0a725e320,"4/16/2021, 
8:52:42.717 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a57b95a-9bbf-4d1d-8dcd-91101ddcd1f8,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,192dd80a-9fc2-47c3-9299-c9cc444872c0,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da16252c-666a-4cec-8a60-8d861a85be9b,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d13483-6f74-40d6-879d-13864b9c392d,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,844fce34-94ab-4b6f-a10b-bb186bf0b277,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e3d334-bc94-439d-9899-b870ff9faeb2,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5a7b5e6-3e7b-4f96-868b-1dbe99849f24,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34765e29-f0e4-4764-a9db-0f8f1826ad17,"4/16/2021, 8:52:42.717 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7c465e3-9a27-42a6-a8cd-9b65183ee773,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d623460-c76e-4a60-9d8c-d822cf4fb811,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c2c7f73-0f1d-497c-8a45-1b14ed4d135c,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9df2c5e0-ceb6-4555-9e05-c83214465851,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e4b403c-ec11-428d-8972-6e077ae18618,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acbc34ba-b3a9-4fed-9584-5439d010a0b6,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1aa2594c-856c-4a4b-929a-24af56656b16,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad493a65-534d-41a0-94a5-950000abcd67,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d950efe-87da-4766-9472-3e041ebf2083,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,575a46f2-72b6-4543-8b2f-d03c6f6ef932,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a12f241-0245-4d55-973a-1b1949b33f1e,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9aff459-581d-4e79-84e7-67a80ce80c2d,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a26cb1f-6cc5-47c2-8ee1-22a2a5602cef,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b04fa05-0ee0-46ee-a472-e874fa7f0001,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da45baf9-c050-4bc4-bca8-3700825d68d5,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c757c240-9a68-421f-93f8-77e8904c20a5,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,356b06ef-52dc-42b2-ba12-b71202f4dedf,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,027f5d73-218c-474e-9909-bf5a5b88cb2b,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d49669-4450-4e2a-a132-121bf4ee71f5,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b27210a3-7f67-42c7-b830-3761575d78f6,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d698ead9-251c-48ce-8e07-5b7cc90fc6ab,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f858f89-0ba1-4eab-9c7c-c41f7d62b71f,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493ea58d-2193-4061-afee-e97e87956ed8,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56f866c-afb1-484d-b6f1-249c06772959,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310236d0-7434-4b5d-9127-fbe1e02fdbe0,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b42e75e-a9ea-439a-a0c5-167fbbb1c2c9,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,674fcb6a-bc2c-4b2e-817f-bad4bb18d4e3,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bff22af-f3d0-438a-b774-01ef6bcb0c9a,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28e30cc-a96b-497c-8eaf-735f1f0579ab,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fb947a7-3bc7-4eca-9aa7-bccf7b0e964c,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec58a55-dfe5-48d7-80c4-090fb2038e9c,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d9a82ab-5989-4c1a-8ffa-b7656ee2a7d3,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 
48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8692 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d0f53f91-c0d9-43f9-aa76-c3ddb376a34f,"4/16/2021, 8:52:49.266 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,70cd4a90-b7da-4d76-8248-6891b6fe854e,"4/16/2021, 8:52:49.266 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,970448a1-c72c-4842-953d-7f2134eae1c4,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5e9e43b-3c97-4a1d-8632-69e7ea39ebb1,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,757296ef-474a-49e1-98ba-21bcb00eb526,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,864e1f03-4f74-4877-a3b5-c71265744c90,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,489235a7-0108-4ccc-b069-ae2ca1bf7a4d,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed41ec9-c6d7-4eb1-b45d-0d3a73bb854f,"4/16/2021, 8:58:03.659 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b42a4b69-1bf0-491c-aa13-088e76e3db13,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a01a2ec3-b6a2-46a1-96a5-8ef7ff700270,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a4c3323-d1a7-48f9-81f9-f03860aadf65,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cde50c5-cba4-4611-ad40-fa38f9f72c0d,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83ff0c83-6ec4-4bc2-9382-75e75bff3b14,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e34c3e31-dead-4096-b166-ca75b6a3d544,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2d33777-f23e-4c23-b531-4c24b84957a0,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e1b3e70-8be3-4415-82b2-3476c3ba84c0,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3eb540bf-54b2-4ade-95df-093df1c0459d,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74c7c3d0-3719-4bf6-8ec6-5806c47faf6b,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81a61f13-376f-41fa-bafb-3ea21dd17fd0,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a99e23a-c26d-4785-beeb-c665b65e7c51,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f7c6f3d-975e-4df1-ae6e-dc11a9ffe444,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,897f1ce0-a8b6-49cc-872b-43c8e975ee0c,"4/16/2021, 
8:58:03.659 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fa5ce2d-757c-48c7-8372-0f8553920a87,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38549768-b511-45ad-a3e3-4babacb22b3b,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e29f1a6-3f77-42e5-a7f0-1ce051881cbd,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f05cfd0-d8c5-43b5-a67c-a3329639c033,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,983fd7c2-710c-4514-b577-3d878ee59562,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ce0875-1fbd-4c74-9b3f-a63b965f66ed,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1768e9f0-4965-4c1d-bd3e-e9cb18d26504,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\GJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ca55cc0-5fd7-4cfe-b633-18d48a507769,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c03d5d39-fe9e-4f82-8a4a-806447a5b923,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fa61a6c-2ece-4076-b04e-8708c38c0f5e,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb2293bb-95d4-4cfd-9192-2510eb1fe682,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dc94c6b-c5ad-4022-a3af-c27400e9c843,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d71935e7-42de-4355-8c73-e952ef54dd6c,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00604140-00c4-4af7-ba38-5c6f70540f0c,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,762269e1-48af-4265-bad7-6d37693c265d,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0a1ae70-a982-49d3-b3af-3dcf0c73a786,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17b8d7f1-81ec-4d11-a9dc-3e50258fe5a9,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5559c2d-c6b5-4774-b221-ed072a62583f,"4/16/2021, 8:55:08.644 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7928ec1-4861-437a-a6ec-df8e60fdf4bd,"4/16/2021, 8:55:08.644 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81cfe357-5cd0-4de5-9c7e-918e91714220,"4/16/2021, 8:55:08.644 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5406b287-7aed-4f8e-8ac4-f219f1c564be,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5b65957-817d-44f2-99f6-6ab92070a5ac,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8da62ab-b99b-43a3-be26-1afa1d979330,"4/16/2021, 8:55:08.644 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf35a5c5-40ca-4850-bb3a-1cc432d5baf4,"4/16/2021, 8:55:08.644 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process 
has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b692768-1685-49d5-8eb7-a35313a6331a,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9735eeb-2ba2-474b-9e5b-1dec10819b61,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b9b289bb-0b74-41a9-ace3-5f0a27b151f4,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7d3e008-df27-4b4a-846e-df6e62e9a0ff,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4668 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,232e8269-bd34-4804-ad91-e57bcb9ac629,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5228 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4b023c5-c114-4264-babf-f75a042770b6,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e70fef2d-b1b6-4f2b-88a5-13cbc2f30919,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,80dca99b-a8a1-4c0c-8888-9cc863784942,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4142fcf-8d8e-404b-8b3c-aa33ef5585bf,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3f9dbc37-ccb9-4294-939f-0e41b0ded320,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT 
AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4868 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,38b52f56-47ff-4233-9514-fe022b8a4d9a,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9524 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b1fb8779-794f-4f6b-b952-117dae7b7d67,"4/16/2021, 8:52:56.986 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14260 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9a655013-d322-4057-aea0-c2a6b02b9569,"4/16/2021, 8:52:56.986 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22ecc8fb-5ebb-4999-9e5a-82b4b6cd9a1c,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31e85e46-e679-4b71-8904-6a145a87cd54,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54868f41-d4ec-460e-a028-cdc0178f291c,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d62b616f-f45c-4c90-b120-f35035e78e8f,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c3353c7-a71d-4374-9cae-fce18b951326,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b64028b-6024-4baa-89a8-4d80d866d8c4,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c3affad-35e2-4870-9f95-d21cf9652da2,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\XCODER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,243e8d04-d4c7-4a92-b140-bbe87600fb30,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb9446b2-b989-4afc-8abf-e17837b3e71f,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e20d58d6-a5e9-4904-b7ab-a6f4aec8a1e7,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ea69c4f-415e-4df8-8d2d-3ffc1811fc0b,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1a56040-3147-4849-9575-b3e57e2e8bac,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0368a5a1-c996-4ce9-b976-8517b098b4c5,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e01725-c6b3-4186-b67b-102d27210fc7,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a329c502-f07d-4c9b-aba1-8fc0bcc47f7a,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a84d189-94a7-471a-9bbc-355929815038,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4300d5b-e621-423f-832f-a4fb86762ecc,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afe6b355-5a2c-4dc3-abbe-21b02e4c13bd,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,150fc1bc-c7b7-43ee-bb10-65d0fa4d23d9,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11fb2fa5-1b3d-4bbd-bab5-64cc42adf07c,"4/16/2021, 8:52:56.638 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4aed14c-4d09-433e-a8db-47299371c311,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fab158e5-3848-46b8-95dc-db373a894ed0,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50f6cfd1-a5b3-4786-bfbb-ee58b36809b5,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24065ce8-43c7-4f76-acb0-1a34ed07412c,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cba0eb5-016f-40bb-9f0e-31b7697be615,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad17df5e-fa7b-4360-9713-f6abbe672b21,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,186cd02d-5b0e-4b0f-8471-7c3b7255e271,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf03f94a-eefc-43ea-a31b-8bf923e69712,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa938758-19c5-4673-8617-8ce46540d599,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ac9b646-47b3-4861-8acb-d463ef79fd17,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,672bafe8-bf73-42ea-ae4a-de5493634218,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2568b93f-4fcc-4731-b0cc-7e9d45d970bd,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,548da6eb-4431-4149-9ef2-e6331bf31399,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5956b454-fe08-4361-8493-ccf716d8d04a,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b3fed8-2887-4965-9723-60a2c5191ee0,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d559e434-15e6-4a2a-9efa-28cbc3824dac,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852af42b-65d6-453a-8159-893455312198,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5456f7f-e339-4385-bef8-8f8d42a52279,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e23e3673-204f-48b8-8eb9-a977a9c71b34,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ebad06c-0fcf-490b-9485-a18928f13a85,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a5d412-f862-4bff-972e-bbaa9bb65f88,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a9980dc-a85f-4934-b761-40924d4caf24,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,575df78e-3dba-4344-a7cb-91403bd03f76,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6744f7c6-001c-4b19-b257-8550cbd2ac2c,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28723db0-ea30-469a-a6a7-a55a23c1cdd0,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f199bbd4-4b27-4cdc-a093-384988a79d44,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11c5b49-2656-489e-b699-6eda752befa2,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,294cb041-310f-4f0e-ab10-6d50db5452b0,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93057fb1-4edf-4580-9aba-425c8074cae5,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02aa4560-b5bb-4eac-959d-7c05f43def33,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c1de718-ed02-4b6e-b357-e780194ba4b8,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a4482c-2258-4779-960b-f031487b76e6,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb489e91-09d5-4cc6-9c23-570d770478fb,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fb1652c-7d5b-4def-a3bd-9ffa8c14021a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b39b98ce-bbb8-4ef4-85b1-ac125dba962a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca03dcae-e87e-4765-b2b4-bcae1a4343ef,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f439a8fa-18b3-49e3-b6aa-cfd1e1685a45,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98378b3a-80cf-49c3-b812-3c887975e96a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76bda2ba-e123-4815-883b-fc389edd6570,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e567ec85-3af4-4350-ae03-86d1dc1bed6c,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea19ac9f-9208-40e0-9a49-3a0f47174ee6,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a824be78-d6d9-48c0-99c3-60ee42e961d4,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f9f9ae8-4e67-499f-a1d1-e806e3e5864a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dfb2205-bc5c-4b96-9ad2-1e30153ab88d,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73491d66-ba20-4491-88f9-e3af58590863,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6570f341-b0ef-4c0c-b85b-5654cc0c7311,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29e5f7e4-dff7-452d-b54d-9374e162f8c3,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99256244-7bec-4ee7-8a5f-29a62e0017ee,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e81a1083-3356-4695-b1e1-0e556363fa29,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,111aacbe-d11e-4861-8819-d7c929b5ffca,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1710cd15-a35b-43d7-abef-22454227d8fe,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2995ca3-76bb-4450-8eff-dc1ff7a0c18d,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68a457c1-7050-4fa0-8c34-58f6068c33a7,"4/16/2021, 
8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19883183-41ad-4469-b285-5d1c26fe5e78,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,647f7019-c5f3-47ec-8ac1-009bb7c1e309,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31635820-c012-4a36-9ec8-1b533f00fb06,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e0ce769-71f8-486c-b516-ed0b3ee69398,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,52903282-c2a2-4ea0-92a2-18b95854fdab,"4/16/2021, 8:53:22.106 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6956 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c432606c-ea56-4ce7-82af-aa2eb5dcbe06,"4/16/2021, 8:53:22.106 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4632 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fcc4333-e51b-4394-a0aa-429d0eaf1372,"4/16/2021, 8:53:22.106 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dfeaf69-807a-40cd-9cd7-c363b0aa0e09,"4/16/2021, 8:53:22.106 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca92a261-2ab4-465b-8bdc-58685f0f8f5b,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a674602-b903-4573-a54c-c087d78e832f,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45e9bb72-919a-4735-98bf-edf9094d0332,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e599996f-cc0f-49cb-bd6f-069fa2c93ba0,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e65334d4-7046-4821-a324-c9dd001b0cbb,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19533bd3-5a31-4af9-9816-98598700c1fe,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49bb7f3a-5492-428d-af8e-d1d3f3a928aa,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85266138-b3ee-480d-8f53-8bb1a22a94fd,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4351dda3-951a-4c0a-bbb4-36eb62b0f950,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4863af59-1313-4f51-896d-23c1fca0adcd,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aec4d49c-bbe9-4c27-ac36-1bc3317a11af,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf04701-95f3-45bd-8973-891c1f5c44ed,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4980d2a-ae16-4181-bc8c-7fff00441f7a,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62259acf-0064-43a6-b48b-5545cdd8d4bd,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,680c2f03-e071-4748-acaa-7ca6108ce7f2,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b5d3a6d-b0e5-4690-b055-69c8bb041720,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bc3c1dc-10d6-4ebe-8399-1a1e1bc393f6,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f505de5a-8ac6-4cf1-8e23-cd912b4e6099,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1957ca32-a5a1-4a56-ab6d-e3df419efbd6,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5e34b8f-866e-450a-b50f-2cd871d68602,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4269c212-b9e0-48c5-bd46-ecf3672a2a77,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d46df274-b3e8-438e-bc73-6855a403edce,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8d17b4c-8929-461c-bcd1-0c68d75aadd0,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1edc4899-ff43-4418-80c0-70f6236ae56b,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4818fa9c-4611-42a1-ac79-fe5be675a2cb,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a21bf5-ca22-4366-8c2c-c7e3d8a5ba7d,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3c942fd-ef78-414c-83a6-a1d012bae159,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19937ffc-ff33-4cbf-ab9e-2d587be106f1,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5f46aa-f7e3-4be6-9d5e-bf4019cf67dc,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57233f72-d6e5-466a-8183-a0bff82bc541,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,451e63eb-9868-4dd9-9c1b-e6ba162a966e,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,32bbdf1d-661f-4782-8bbc-7954a2bf1d6e,"4/16/2021, 9:06:31.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfbf7046-d7e0-40a9-974d-1683e418f211,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de3b187-3b76-43f6-b0cd-90881c1104b1,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5963891-c696-42e0-bfc9-c425b49d0440,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\DXV,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c68d322c-63ed-4413-8dd9-76ead8fd0b33,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59ffc3e2-0f25-4046-9fca-22f03bbf7222,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc6a8003-4145-444f-9aab-31de57095188,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\LJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,106cbd62-93a6-4a5f-9575-874a2d05406a,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\DXW,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c0be4ec-dc85-4d9a-ae09-61fb66244fcd,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e90b6b8-b049-4ac7-811b-45d207d7703f,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22695a67-6ef4-48f6-a1cd-ada3827b9e1d,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abef385e-61b3-4858-9474-2aba2405a341,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad487761-23dc-43c3-bdcf-b4903b60af39,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f304d0e0-4ac0-48cf-b5b7-87edd834be59,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f97aad1-323c-4890-91b0-1531dd34fad9,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d269490-67a7-460d-95e4-4c55303403b7,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\DXZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c932a08-2997-4313-9e05-7b8e77b98f45,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a2fafd2-9c70-4f86-a91d-56825f90bd80,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1190e307-da4f-43ce-ba78-3e09416185ed,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c68efe31-0c1e-4e5e-b9ec-913721c1023f,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ed4b504-2033-4946-9329-61bde0f5dfa3,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9153a974-ec97-476d-871b-df3fa83e5ec5,"4/16/2021, 8:53:23.643 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41b7f4af-a58c-4596-aedc-c7740fe5b891,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1b6dc9d-71f7-4cee-8216-22403f9d0ab2,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15087be6-951d-42a4-acc2-00391cf577ca,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b374cf81-0de4-4248-80c3-d1b8d3e12308,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13aedf8a-6ab0-487e-ad15-89bc19f36704,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bde6135-e8b7-48b2-abc9-4807c2fc27ec,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 572 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fbfc6c89-d1eb-4f1c-ac80-69b7e7d1119f,"4/16/2021, 8:53:41.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6344e91-a0a9-4f91-882e-8a48189694e5,"4/16/2021, 8:53:41.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f394a087-0794-4fa8-b50e-a6aa5d72857c,"4/16/2021, 8:53:41.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4051c542-12ac-4dd0-b922-5b2b16338c10,"4/16/2021, 8:53:41.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dad9b777-3943-47c1-8988-84845832445f,"4/16/2021, 8:53:41.410 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e1bb074a-3f13-49bd-b163-50953d7e0180,"4/16/2021, 8:53:41.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8ee2f2e5-5883-4e3a-8cec-f39cd8f77d34,"4/16/2021, 8:53:41.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,730dc810-6346-438a-9a39-23a42c6b7075,"4/16/2021, 8:53:41.410 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf8f01bb-1dc4-48c5-9a2d-179873f5361d,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55f1f88a-9c9d-473e-af44-888bb2b5c829,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea0e798f-56ad-49ef-81c1-41421c6d4325,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f466763d-3792-4e78-9c8b-5b6f2d75f134,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e28d3d94-5aaf-4569-88cc-906df2207038,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e92fe94-0b62-4e4b-9b07-d6453d607a8f,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be6c208e-b7f3-46d3-8fd5-4579d471b39c,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12d77d7c-4cef-43cd-b410-148ae21f6ab5,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,226a93e1-01ac-46af-95c9-97d2c481abe5,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a60039e0-0153-4b94-acad-4a30cb64bc42,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,030b612b-a327-4531-a0e1-b21140ffc82c,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd698f1c-8a1e-46fc-8e8c-427b52443037,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6dacc5a-c768-4576-a87a-d00e2d48d6c7,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,783c9c67-e329-42ae-955c-81f723110aa9,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40f94038-0969-4d51-a16e-1494bf1baf08,"4/16/2021, 8:54:57.634 AM",,,,,,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48ff6577-46a4-414d-94c5-bff8285ca844,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e39d6bec-09be-4e3c-954c-11e5a825a65a,"4/16/2021, 8:54:57.634 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e90d7b9b-894c-4241-8895-5eb64a04bead,"4/16/2021, 8:54:57.634 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00b2bd4b-c19b-4306-b4d8-0c5bd5aab848,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63f85e36-60b1-40ee-b83b-cf0e8566fbea,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,029e1712-d893-4a5b-ba1e-ef891a46f18f,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d64a8ef-fa8e-4327-adfb-6e7cc19bbac8,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a737632-3827-422b-af09-ed87506e2afa,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2abfce2-bef7-493c-b579-7c0ad29fa0fc,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4af0703-3cc7-481b-98d6-fcd521ce78fa,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9caa5e0f-1bbc-42e3-b387-9a46216af9e9,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c242fd4-2879-4d14-b7de-3b58a2e83cee,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fd08d11-9c2e-4e83-8c37-3fd6a6cc5764,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe182a30-2570-483e-8fca-5ced4a15e6fe,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03a892fe-e6aa-411b-841b-12b5987cc746,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8be45759-af22-4fb2-a0c1-79d4c27bffbc,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81a61931-e657-44eb-8757-40cba7d70907,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de815c1c-5303-465e-9744-619391a38939,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f08dd7e8-bc7d-4f23-bb3f-33d9bcd4b93d,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b101181-3396-44cd-b614-b42c8f24cded,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b72e5033-f2f6-4e95-a991-ff8d1ac5d122,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,740849e1-7df8-4eef-beef-7988865dad05,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859bb518-3e55-427c-b5d3-47e5fec4b1b0,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dadbfd7a-210f-4bfb-bead-0281e799dfbf,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e783c90-5ef2-4a65-a13d-4abf76040d61,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,366c7303-f5ca-4f3a-8422-38d2218f73d7,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32361ba-338a-4c6b-be9e-c067e0c03ff6,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3b4056b-48f9-4043-bd7c-b9acaf69a5c9,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb71d46-368f-4be2-848f-52e4527423c2,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa3748b-9c29-4e3b-8e19-4214e27e74d1,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88594279-313e-40ef-8913-900bf4324143,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,791d2ca7-6f34-4f22-978d-2f36b4bf2c4c,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e7690b6-2135-4a27-9179-7ab3ff21c465,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9809b378-0e26-4001-8901-ec6b18aee911,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,273df985-c454-4670-83b9-fb3646ad7614,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea8bb349-7a16-43d2-b058-265570965539,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d90b8a-7165-429c-951e-dcb82b41caad,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5948c87-7917-4676-acc4-4b15198011fd,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9beaea13-06f3-42bc-b438-f6bcdac10982,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4afa87b8-4365-4a42-a80f-d7ec3ba8bb8a,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8474c750-6365-4f0e-834c-71fbc1d10260,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68586c41-3aee-4836-a209-49ea4464eac1,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c65c3d5a-6bd2-4be8-8162-6bf93c730d2b,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8712cfc-5bfc-4541-8b3f-b3724a078614,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aac75e6-b686-4745-b63b-76b4183a5b97,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c654678-1b29-469f-a45b-445b1d494919,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,153a9d61-0b45-4d6f-9c2f-492d52027c4b,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccb271c5-17f1-4a8d-9144-a80b39782f6a,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6be6021-4df8-4653-be73-5d05f1c3d3f7,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,051548d7-8114-4e25-acfc-0813543542d4,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85472090-8dd5-4e9c-bf6a-7137b276c8d9,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb52454b-e98d-41d9-a2d7-bc2745c61b22,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed23806b-9800-4b43-b34e-eeb4141abf4a,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ed527b7-9494-4732-83cf-25806ce1e83a,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6ef8bfb9-9f6a-4e8a-a8cb-02a2c53cddc2,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,79b30601-c2fd-46c3-bb44-31e498a234e3,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4c9a3e97-72f3-448f-8f19-e43cd4bfc9dd,"4/16/2021, 8:53:53.058 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c11a8178-8bb1-45dc-8cdb-020fac325adf,"4/16/2021, 8:53:53.058 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6c25c320-6f80-4f99-9c25-23d7ff0d19d5,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5131ae33-b655-4ea4-b249-7e2ea61277c1,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d83fc7bf-f6da-449a-b76d-b96c4f623905,"4/16/2021, 8:53:53.058 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5332 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,66fd648d-4d25-46f7-8460-4f5e3bfd5d89,"4/16/2021, 8:54:00.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cc6df690-cc1e-41c0-b8e2-73e84b9df94d,"4/16/2021, 8:54:00.585 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,7bc1f3a1-724d-4772-a104-035bae89ad19,"4/16/2021, 8:54:00.585 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,530539c8-09bd-48ba-a84e-b90b7544f929,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8144 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b92f34b-43fb-446c-9f9c-b93d385cb249,"4/16/2021, 8:55:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0a26f94-571c-46db-bc29-9db9e8edee37,"4/16/2021, 8:55:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e16d0c25-6ae6-4616-8c4c-f36ddad746e9,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1280 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 
8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f4a7e46-d844-4dd7-b9ea-a40cc3ec3692,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c6ec55ab-83ba-49ea-aba9-f0b341e9b669,"4/16/2021, 8:55:02.615 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,ce1c537c-60da-42cb-879e-48926da877cf,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1408 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1b35c533-acee-43e3-bcbb-956685abd231,"4/16/2021, 8:55:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,55b8e635-369a-40b7-a696-92f1232a2e6d,"4/16/2021, 8:55:02.615 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4324053-d19b-4e7c-8b75-6f862c61d23b,"4/16/2021, 8:58:18.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e73111a-2008-43c8-8fe8-6db2c30c1cd2,"4/16/2021, 8:58:18.114 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,00890aee-b488-4127-ba63-7b9da65d4aba,"4/16/2021, 8:58:18.114 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c591254-960f-4d1d-882e-67b8ac82c532,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f405891-97d1-4ab5-8643-efa61841c7ff,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fa884b3-476e-4e22-a850-ce71ba6787f3,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8976 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1619d43c-fca0-4b72-9399-f645269b7aeb,"4/16/2021, 8:58:18.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28aeeb0-9423-44ff-af74-c354eda10cdb,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96867611-35e5-45cc-8571-112d25769dba,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,56224344-47cc-4d61-9f1b-1e849356333c,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de3e567e-e746-4cda-9bc7-95d40a269655,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2020 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cc16b5d-e581-4944-a403-44aea431cc3a,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c43c4a86-fc1d-4b5d-ae32-bbaaa75007c1,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df05490c-e6e2-4fe7-b247-b271ca3175ce,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,039c896c-090a-4ab6-bf2d-6b1a8cbb4093,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b24cba-6f42-4841-8b89-ae5c32c16e7f,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14255fa5-abee-4eeb-98a1-04c5b7e80547,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4bc3b0e-ae1d-4760-8371-510526d1d3e8,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f128f639-5b93-49ce-9cc3-489cb8f5a330,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa66fbf8-d4b9-43ef-a3ab-6ea4649cdd0a,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c34a24c-e373-4cf3-b3f6-e7c7e9e803dc,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01082588-5137-4052-9e68-d9eea490005c,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88075cf1-a773-47a1-ae0b-7d90f7bc91b0,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16132891-3533-4331-85df-b69771420be2,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20975f36-273b-43fe-ba86-9e8843482b3e,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c951a6e7-bd53-4e00-834e-a5cd0b758207,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7124 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + FF7B647787C49A3CB19B63470B8958B6FB6162AA4EC4B03E78AE1F6AE1ECFBF3 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.14393.3564 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,bc86fae6-5313-4101-a8c9-ae9234411da2,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8028 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.14393.3622_NONE_7EE8048822057142\TIWORKER.EXE + 32 + 5529E1D5191D7E786D8395381584628F04EAB2687886D41DC981B6AD056305F3 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.14393.3622 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e1eb6a2e-db44-485f-b207-1f06936fd389,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a69245a6-4ee3-492f-b1b4-75613392061d,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8a6470c0-d273-4dfb-8ae9-311e80f0d533,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6856 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + 
+",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,39b236ed-cebc-4eca-9494-f93e75b79410,"4/16/2021, 9:06:37.280 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73d9e6cb-60f2-4712-876e-4c8ffebdc683,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2257b4b6-1b41-47ae-bbca-b776feebdd3f,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d0659cc-bea3-4ab6-b13e-cbd5186734e4,"4/16/2021, 8:54:22.632 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbbe2b01-95b1-4b12-91f9-4801c4ce3314,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ebfc2c9-61dc-4012-878b-288655c84d12,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c9d6638-7093-45f8-8506-fb33e3942a1e,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09e2482e-86b2-4e9a-a794-5e671141b9ff,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cb5f420-f151-4b17-9fc6-dc5c5dc93c25,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a8ce080-a243-457d-aa8a-b3d27057993a,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61bbc28f-a17c-46f0-abef-ff1440e144b7,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6294fba-f035-4ad2-b4fe-a868cb0e8458,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d78ffb3-f8a9-4fc2-98b4-525815ecfbf8,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2470a5ac-9b23-437d-9cc2-5d27c6da5bd4,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf2215c0-8405-4808-b40e-d77598c010f4,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f808ef-9a9f-4d57-9450-87ed7274587e,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,282da755-3c6d-4d26-adee-216500bed855,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59b0ac00-3c06-4019-9756-a5af5038a2e8,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cff110d-3d94-4800-870d-1d2e254059c5,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4883749b-fd7b-4a95-b8e6-70b47e0796a2,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8b6d4c3-68ec-4f0d-af98-4b96184a8708,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20b376b4-e656-4a06-a00d-1e9a93c0e258,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad3cb0f7-d61f-4d6b-ba10-ffcc44ae1d72,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +CONTOSO\ContosoDc$,Machine,ContosoDc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + ContosoDc$ + CONTOSO + 0x3e7 + 0x908 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-01-28_130107\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9a259efc-db9b-4c88-bb3f-eab070fa783c,3d8998ff-63bd-4342-a204-3d1c4e41e199,"4/16/2021, 8:54:30.270 AM",,,,,,0x908, +NT AUTHORITY\NETWORK 
SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 344 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 61725EEE1DAEC49A0B1B0BA1A1D15FE7B3E5AA212C56505FB073538A487CC055 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.14393.3541 + 0x3e4 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d1576d19-5f72-4c2f-b4c3-f75c77487121,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5956 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D4DA288C309C621E40A1C6D23E008F2C243A57E86613A4D52157CB0661B6B44F + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.14393.1198 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f7ea57ab-d71c-42f0-9cc2-bc392b71ab46,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 12188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e5 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,19cd8889-dcea-4b97-83d2-ad6e965004ce,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4208 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9628b539-322f-49e0-b258-f6f3829ab10d,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7968 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,73cdfd18-037c-406f-ba21-fcdd476cfe81,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8784 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,acd6908d-4b72-4c31-b18b-286025e9cb01,"4/16/2021, 8:54:31.561 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f16394f-c39e-4922-9cb6-abd14e40934b,"4/16/2021, 8:54:31.561 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,45e772c9-897b-4a03-b7e1-116b7aab0070,"4/16/2021, 8:54:31.561 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,599cb069-743a-4077-9e60-a26b5a2430d7,"4/16/2021, 8:54:31.561 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f8391614-588f-487f-b9ba-2bbcd0519845,"4/16/2021, 8:54:31.561 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,005da578-2649-4dea-8653-bb1df04e8c2a,"4/16/2021, 8:54:31.561 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56df299e-ece4-405d-adc3-8a78476a6854,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0b1dd0c-6371-4ce7-8e6d-c2d2187d6b64,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e551c817-5f61-4461-a720-64a0d6c8eca1,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbbe74ab-fc19-4b78-9295-41d9ae87852f,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,196a9faa-dbeb-4a46-b20d-d908a3b3e22f,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5387bb1-b2d2-4acd-8c5c-3a645f04614e,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5b432a8-9404-4cf0-b045-3b63750f508d,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,446e9270-6db1-4a16-a60e-b2ac75b341ba,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2656d7fa-e172-48fc-84dc-5753c1b0a6ed,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99440288-ccef-4885-ad96-dea90ac07925,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53ed77d8-920d-4abe-861a-62c019943e63,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31dba10c-838b-40a2-a2d6-6dfac54851a4,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9208f696-71ea-4dae-9a45-a3688062cd09,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3edd4e3f-e3f3-463e-a7ea-e96b6e0e60ba,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c771dd0c-a041-4f24-a694-48687b78270d,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6735319-0482-4d60-8cd2-7a97c614d5e5,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1510838b-6ade-486c-8c7d-8055f9faa9ee,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,689319bf-512c-40b0-b0ac-1c96fd5e38b0,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccec7568-cd0e-47c9-844e-3e8d2e0492df,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fc5d05a-b084-44ba-ab1a-a6f6b0e90721,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf7326d-d1e9-4319-b267-decdeed58aba,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00da749f-f508-4450-a1cc-4357b6b291fe,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,124a33fe-05c9-4ccd-bd18-85d687800425,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bae9709-87f3-464b-80f6-0f5672b20102,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dee8a4d9-8927-4aab-a733-75e83e156800,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f17515e-cbe9-457c-b166-738f3f2f5756,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5a231f7-35cb-443d-99b1-b13053b49009,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,424309b2-4464-43fc-8c5c-f582f1b0b5ff,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\CORBIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a46db79f-07f9-4169-b9c8-3d922c862624,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79f48ff5-f862-4f93-965b-7a7ba03e6805,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,408c47d0-1ea8-4694-8576-b045560ac0da,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebd6b614-7cd0-440f-8af7-9184bbaac54f,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e54d822-cc4a-4b96-8f3e-4a184205dc87,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21114243-3caa-41cc-8a8a-884b7aa53642,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f69dfcc-703a-45c4-8942-ac1cd593aaa6,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff5c2133-f39b-434a-b263-0070d54d478e,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70af17e6-2ef9-4886-ac7e-3439d220c088,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e0cdc52-17d1-4909-8c27-90e337489629,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2632a3b0-48fc-4747-9b2b-0cd2a004b392,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fa54715-675b-4317-9c37-5c69f37f3f1d,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8d36229-919a-41b7-af30-3e1697c64203,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc6b4ce9-499c-49c7-a72e-4da1c2dc1454,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa4d7e68-3301-40e7-b466-7da2ecfd732b,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20e28293-2135-49b1-b5ef-c57d83ff1bd0,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b91944a9-bbb2-4d84-8bc2-903a4948a1db,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10604 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process 
was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4e7a46fc-ca9e-4999-a02b-e7d5f6f79cc7,"4/16/2021, 8:54:56.996 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f8122f33-7b4a-4910-a1ec-36e9ccbb5500,"4/16/2021, 8:54:56.996 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27672e73-c604-4635-8df0-9f122aa92408,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac869467-0fee-4818-af69-85c29fcdaadc,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c279d06-3c2c-4ebe-8f8d-106216703dd4,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-503 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c2f04d0-3a80-4aac-80cd-bd00cc440aac,"4/16/2021, 9:06:42.126 
AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-501 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad41efc-5aac-4306-bc27-3a3340360f03,"4/16/2021, 9:06:42.126 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae65760a-95eb-4775-b41d-d668336e5d99,"4/16/2021, 9:06:42.126 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-504 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3708047-97f7-4b6c-a62f-0195e10f354e,"4/16/2021, 9:06:42.126 AM",,,,,,0x2358, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaadf8b6-c58f-4205-bb40-a9dec39870b6,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16ea1d78-13ba-4efc-a58c-c4fbc789ddd2,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,284cab4e-972d-40dc-a69b-136058b63747,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6703d190-f9ee-46ec-8ec3-7bda939e28b0,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae1b5e43-d00d-4b08-882e-d1eba134c3ad,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7da5492f-b139-427c-8b86-46b8299b3cd0,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1e77658-8b35-4f50-ab83-23a5a79927af,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f666f7d5-e663-48c3-ae62-f8560f2565ad,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd2eccec-767e-488f-8127-d356c67ce213,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbe9a5ed-0ce1-404e-845e-038fef3dd946,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb65470-e8ca-40b9-9efd-77d5febb8dba,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5db9a40-8951-4f76-b08a-08c03677c5f6,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,443752fd-043b-47dd-87f0-3edb27015d04,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,af1118f7-74e7-4cbe-98d9-561e5d689375,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,0409e681-db2a-4a24-ad0c-c002dc4265a5,"4/16/2021, 9:06:42.126 AM","%%1552 
",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6567d0c-c9a1-4b17-8ef2-2c7861ec1a14,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2de1308-6b0b-4ad6-9950-c20c7eed65c4,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac79adc8-7b0e-4b15-a1fb-4d0a9c3cc792,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b89a73fd-a899-42e6-a364-270c2a538856,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,aefa87b3-7fb4-4954-8b4b-4b212a7269d0,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1f7b7a4-1969-48c6-a456-28161df17fc9,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59f423b-87d7-4f86-8f7b-c99614e953ec,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3c9ca04-b855-42e4-b98e-d4481568a1b1,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f041f2f5-6d69-4dbd-8226-aa1c4322c244,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0eabeb4-c289-4671-807f-0367e34d59af,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e425c3f-33da-4398-a87d-879d9efcb86b,"4/16/2021, 
9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,6392c84e-adee-42d7-8907-435d57fc486c,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a1b490c-c0f0-49a2-b887-748bd1746860,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,84cc5c7b-1d5e-412a-84ca-6a7ebb42c120,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c543a564-0a84-4483-a0d2-2e3a27e11605,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,46e1d3bf-cd64-40c8-9138-94c2ea874fef,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd2fb01-64d5-4245-99d3-984cb16e6536,"4/16/2021, 9:06:42.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8d94715-c5f1-4432-b154-49e554cba19b,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\O.MASSARIOL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6124ea-fac1-4af8-a6fd-60b7838d5328,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed6d9ab-a5de-4a50-97e9-cb3b3c879503,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3828 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa625cb8-50a3-498d-bd92-a0bebd1dffdd,"4/16/2021, 9:06:42.126 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6936bc8a-45bd-4692-a1fc-0c3fa8433ea3,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a00ff84-1c82-4f39-a138-83c1f207f766,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14aa4639-03e7-4c5d-9cb5-4eeb205ef1db,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80b17b87-5930-4b69-bda0-acf8821c10d0,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b36ce5d-32d1-46f4-9469-ae72375cdfb3,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,750fab03-23aa-4730-a41a-7c1e944dfd43,"4/16/2021, 
8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d104f20-7458-465e-b4ac-4debb5b877f7,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2982f54e-fc48-4571-b543-adea86d5c9c0,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ec988d6-2ccb-4a32-8fd1-d58adf7edb18,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bcd08c0-9395-4d2f-bdf9-ad192c41dade,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19bb2410-94be-4313-adb4-099f1a65c1be,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2ce3c15-dd45-4aa5-91da-0c00b2347149,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b365d5c-c0a1-4fbb-93d1-355b9595bbda,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b3dea8e-d90c-4898-90c6-476ec8810c64,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd1ea56b-ca41-4a57-af61-e22b405afc35,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,365e699a-33d1-425b-947d-98e414f63f10,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\VIRENISANINJA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b4de2a0-44ae-4b98-b45f-f08f82cf9f67,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c62da040-83a2-4bd7-a705-5bec0a1e44ab,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,714e739e-133c-4853-afc1-8e5341701462,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c76d3fc-df8a-4899-ad23-37aee7d986e7,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d10ea13-f24c-4692-a4f6-2efa852f6db8,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,760abb75-23cb-4ad4-bba2-d8b135e21b9e,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b7866b9-7c22-42b6-aae2-125d727c493b,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82ad0c7f-e543-451b-90c6-185ca73f6657,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d0df2955-1f08-4f34-ba5e-27f0b34d93e9,"4/16/2021, 8:55:31.426 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a5924f39-2b05-4406-9281-1ba33ee7366e,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6528 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,29b40c49-cd50-48e4-975a-058c8cb6a1bb,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3148 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c190b6d-8dce-4fcb-8ca7-7eb6934012d4,"4/16/2021, 8:55:31.426 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc46bbf7-dd59-47b4-b763-99172d28c4e1,"4/16/2021, 8:55:31.426 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4cbff5c4-f873-4b89-bd17-4fdda64347cf,"4/16/2021, 8:55:31.426 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5af8413d-71a7-4030-b0b5-a3496bc0c4ee,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8048 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e835810c-8888-4f2a-87a6-e3706627fadd,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5944 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,07ee4315-6dc4-4f7f-b529-1ede22ad0b5f,"4/16/2021, 8:55:31.426 AM",,,,,,, +\OVV,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,09335862-9533-4cbd-a73d-71d5f7b4ae87,"4/16/2021, 8:55:31.426 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dfd49504-62ca-4186-abaa-27ebe27ff8d4,"4/16/2021, 8:55:31.426 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,872c6593-a172-4555-89bc-4ad659fbcddc,"4/16/2021, 8:55:31.426 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5784 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5f6b063-4761-4119-bfe3-ff8ee02b8e32,"4/16/2021, 8:55:52.878 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,73086ed9-e27e-4d99-a1ec-4ec4508b7ebb,"4/16/2021, 8:55:52.878 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8cb950e4-301f-4a51-a3a3-02e6317c79b0,"4/16/2021, 8:55:52.878 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9ce150a0-ff84-438e-9984-a22f401a89f3,"4/16/2021, 8:55:52.878 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9ac2c733-83ec-4433-b896-933d531d622d,"4/16/2021, 8:55:52.878 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2472d7e2-361e-4b70-820d-0226bef0b3de,"4/16/2021, 8:55:52.878 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,20d4e22b-a1af-4d6e-ac37-ba93475f64c5,"4/16/2021, 8:56:08.196 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,aef1a254-3db0-4613-bd72-e0c5fb04fe8b,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7c8e6d08-601e-4cc1-b5e9-ea1981d70869,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bd62ed39-33f3-4908-883a-889e7dce139b,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,510fe15c-de4e-4e88-8e5a-824f920e7daf,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1ab7756-fa12-4f83-acb9-83bd8dc39906,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ff6387c-4379-4de3-9fba-1cf9dedb6bdb,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53808c42-2855-456c-9257-b5fa5a11d5de,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9b924d5a-e6cd-4047-96e4-8c5e057d679a,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ca7d512d-48a3-463d-9c47-a3071123c551,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ee3916b-fd59-44b3-8f08-664615e30fb8,"4/16/2021, 8:56:08.196 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b77c5350-18bb-4294-accf-57d7becb38ab,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c38eb0bb-7688-45fd-bfe6-74e8286b66ad,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11062fb3-d699-49e5-97ba-b02f5db9b1a3,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58782831-0a1c-402f-bcb9-a4e909670970,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,622b8667-0058-4368-975d-a38d1d354ab0,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17bd34dd-370a-4ae9-becd-e48f966743ef,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cda258e-c6c6-495f-802d-96578268639f,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,154e4142-f9aa-4544-a262-1ae659b48106,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3654f882-b87f-430d-8e87-4d61345259ac,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdbe54d3-9d73-48db-8cfe-2c3fbc6e2ec2,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86ebe3d9-88cd-44db-824a-370ca9b7b672,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35d63d61-8837-4ceb-9928-7cb64681dd61,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f42a91d-11fd-4c37-937f-62c54028f2c9,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2043f704-c704-4038-817b-481844b8b378,"4/16/2021, 8:56:08.639 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,048b013f-c1c8-4624-a0e8-a89a9a550bfc,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc41c6dc-60bf-4033-b769-5d9312cca372,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3d1cf97-3449-4565-85c8-6cbb4681953d,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49b7dcf6-fdc4-441d-abb0-368e141da080,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdc8b09b-6e8a-494b-82b3-9566df710204,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab434971-9e36-4bbe-80f5-4680f6c65d67,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46484012-67d9-40a7-a7eb-a1e1d3759484,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fcc03c9-30b0-40fb-bec1-2e576969854b,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 
+",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,c510f667-b420-4073-b8b2-5a30b9bef6cf,"4/16/2021, 8:56:44.863 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abb10d9a-b976-4765-8886-41be8e63b8fe,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8825c14f-db2d-4a62-acdc-f6ffc879a553,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e852684-45bd-47d5-80af-a81ca8470c7a,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,431c678e-b9c0-441e-8b4d-caff89c23e59,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe32e6f0-ea76-46ea-9d9e-491389249c19,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb5d9cce-6752-4e49-a421-0699db9af325,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,584a065f-8990-4fac-bff3-52fc4f8cbd9b,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab24bef3-6a65-413b-b309-decd7d6c2d46,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a30ed30c-d981-44ec-a99a-26c7869115a8,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,312d52c9-4fa3-4f5a-ba15-5f98a74d00de,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4205576f-8785-42c9-8c50-8e41638e03d3,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\ASP.NET,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c06de68-6daf-45e5-8c82-da61b58c0f06,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6594d34-325a-4b27-bce7-45380ae229d7,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0056dc1b-8a1a-464f-93d0-475c9de8cee1,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0eae43-97ee-444c-bf6c-bf2383481283,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,043bb1f1-952f-44f7-9370-24f81e56255f,"4/16/2021, 9:00:30.660 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18d4699c-6b92-4c1f-9518-5db9e22c912e,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da198e01-0774-4592-acaf-188408ce50be,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f6a4b3d-c6dd-441f-bd4e-0698c7279db9,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9683f00-c7b2-4201-934a-dbae02765bfd,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3217933-6422-4f80-a707-557f6cf33588,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a3129a7-a61f-4244-a960-7d5003de7e2d,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8431d56b-4392-4fc0-bde6-45af56f608e2,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2f8dc243-9507-49c5-8bfa-a01e1fc54028,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f8327b6f-37fa-4263-8e1f-ddf41e87a566,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ee8faf94-c880-4076-9cde-c2c74906f8db,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9e06934b-fe2b-4374-aeee-2fe2b43ad564,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f98f749a-08f8-4461-ab1b-9ae6737522c6,"4/16/2021, 8:58:24.053 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2691a3f8-0ad8-43b4-9929-edcbc9b7dbea,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8577d159-2f37-45f1-a1d1-c0a53d85321f,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,da8b5adc-6b1d-4eed-b79f-c7294d5dcdb8,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2bbb14e8-26d0-48c9-bd0e-aed6ade2c3f0,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cef56503-f52a-466a-b183-6dce36625de8,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,696f1eee-9eca-4a96-bce3-294797c569f4,"4/16/2021, 8:58:24.053 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e79006b-f8aa-41a5-a130-0f3c0d4c28c3,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abadc246-b5c9-4f9e-94c2-f4644558fab3,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84ede4f9-b229-49a7-a8af-433fba852f05,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb0ba9ce-23b3-4803-b461-a553ba1586cd,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1c5455a-2dca-4316-8cd7-5be6ce0a625f,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e945191-a4d8-4f8b-9e89-8cce7f4e5698,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23a914e7-cd18-457e-bb19-963d23600e21,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e1d91cc-c4f5-4895-a565-88c7f13533e4,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ffb41b1-6f37-485d-bce1-a2a5684688d2,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fbde216-73a6-4dc0-a9a5-f8d935cb7904,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,524df82d-f84b-4743-9c2b-3ef6c412522d,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95259fe4-f5c8-490b-b3e6-a7b8521cd77e,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6643c04d-d737-4819-a685-666cda864cba,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fad7ca12-ac45-4dcc-8a92-72340932cca6,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bad433a-79ff-4d41-ad64-18cee3f7d576,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,797681c2-f7d9-4c28-bb6f-002c0050ffee,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d41ebb8-611b-4c66-902a-d3bb4ff053a6,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd15b873-021d-4e40-9e45-d4ea2e2c688d,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd326ced-c0e0-40f2-956c-b84b6b1a0009,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b226ae-158e-4d9d-b2aa-0080b3b0d7a3,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2625b9b7-ea7c-4301-b820-95c8032268e7,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db36049-3b02-430c-9ef0-fa4642deea7b,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17a018a6-e3cd-4e42-9e71-00aff39a2b99,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\SECURITY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4ffca72-6b57-43ae-b7ce-3e2744a468c6,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37669441-47b5-426f-8bda-d9452a19342d,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ddaca8c-da32-4315-93de-fb9ad688df70,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc86f3c4-33d3-4014-9021-78bdba95972c,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac964cf4-f2c4-40ce-9de8-607eada06a6f,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ed54ca0-1644-4961-a8c4-1b1e18508434,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7903c535-dae2-4ae7-b81a-2b34c2b77b22,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,badfa633-85f5-4501-9ae9-b80990271c42,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c74a3a76-8378-462c-97e5-9956910debd8,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7342bb83-749f-4a95-a0f1-786edad5da8e,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4d12c05-8691-4d38-9ba6-8b98937a4e07,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c7aa7a8-12fd-4c4e-bf95-e53a37693e26,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe5536cf-c487-492d-80a9-be10cd047e45,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f593829-ce28-48aa-b8bc-025ecfab7f18,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0e6a7d-3c92-47fa-b7a6-86a047f066d6,"4/16/2021, 9:06:43.680 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dc82994-f027-4806-9f3b-84f7c4f45760,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1f57107-f709-4bd9-b1eb-267c28f971e6,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8d75897-bbbd-4072-84bb-9f6541f106f5,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39a89257-7cef-441b-86a1-4063db692d8a,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\EYP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c162148-136a-439f-9266-518be2279f46,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1be014dc-71ca-45c6-b730-2598ccf943a0,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3cc10cd-3823-4a85-bf29-f823af300854,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35b17682-7e60-4976-b70c-cd7ca2bda865,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL 
SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1200 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a18ad1d-a39a-48f4-8266-e7f516920266,"4/16/2021, 9:00:39.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5480 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1b978ec-1616-4b4f-ab36-a720d51f6d7f,"4/16/2021, 9:00:39.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7516 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® 
WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff7435b5-2a20-47cf-87ed-3aa9bebd484c,"4/16/2021, 9:00:39.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a978d3a-1196-499e-9a7c-55ccc8bed36d,"4/16/2021, 9:00:39.116 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,d304c97a-9572-4ebe-8d63-863b9ab55bca,"4/16/2021, 9:00:39.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,480030a4-3a40-4ead-afc7-000c917e95a0,"4/16/2021, 9:00:39.116 AM",,,,,,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,435d81e1-001d-4122-ad7b-db48f857c723,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,708f7cfd-057a-4363-83a3-1c24fdf5aa89,"4/16/2021, 9:00:39.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,704fa657-2e29-40d2-a5a5-5abb845b436b,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0c41d1e-1cc8-45c0-b1b9-6a5c3996aff8,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2668241f-0c70-4ee3-b06d-4dbb5e5c1fd5,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34aae841-1931-43f3-8acb-dded08967fb7,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d77ccb72-f89c-4528-abfb-d8945741378c,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3603238e-cdf0-4159-92f3-9ab442edf401,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad0a6a6-cdea-4910-afbf-ab588416fca6,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb472256-6d9a-4396-bf6e-08701207f30e,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b72846a-9e28-4456-ad84-614c845fc42c,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2aa7e53-6996-40cc-8fb1-8eacc99f73de,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85fcf148-c53b-43c5-b0f2-2e77cb060968,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c77c44c-a30d-47ca-b806-d676bf3d7771,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dff38ab1-76fe-4677-8b29-8bd6c8c4923b,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d7f3a0-5d00-4c1d-a15c-c13025d40f56,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1ecb2d6-2592-4a55-9080-91c3bd54e048,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8de93637-4af3-480b-8df0-08f7428dbaa3,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99472edc-0580-4d93-a0f3-4c7d917307e8,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc196841-339b-49d2-bdd3-25a530cdaa3d,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e07910eb-37b0-42d6-bef8-29a3c9c572d4,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3757cbff-026d-470a-9900-d12a4f4df2c8,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,733ec342-3724-4b53-96b1-42f34fdc174c,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0072c83f-9598-44f5-bbd5-2906572980b7,"4/16/2021, 9:00:47.416 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bb0f27fa-58db-4b87-bd0e-2b25cf3f52f5,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3428adb5-e005-492d-8e5f-e7e99b90dcca,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4e1892be-0eac-4f36-a99f-7f00cffe41f5,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d83c487-bbc6-4cee-b7b2-6b918732edac,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,028ecf01-7d6d-4356-92fe-610d7baf12af,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f28761-e408-4fe6-8c2d-c971df65bbbb,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8ad944-aa41-4490-9d9b-3ce44f06424f,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a8d47e-e00c-4e72-a8ce-86f7f82ceac9,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c7f9f74-771a-44bd-8452-eb1be48194fc,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fc98f1-3ccd-4698-885e-625ab94e0092,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ea38655-d212-4438-ba96-5cc206a15561,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76e7b91e-9b66-48fc-b77f-b58ab0e1713a,"4/16/2021, 
9:01:07.163 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e17dd07-b158-4e77-b262-7cf9b9bc1182,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64e731cd-2f66-4e92-a63a-53821d6f3020,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4739d9c8-352e-4019-811f-13957025b2cb,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dd64cd3-7633-4eaf-9687-a29f79413e17,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3bfac3-ec25-4f6b-b152-91173d615580,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a049848-d5c7-464b-a93f-01f945a3742d,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b235de6e-92c3-4f5d-895c-90e89228fe7b,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a90b88ec-d29e-4d05-8d49-70e457cfde6e,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec37daa0-b021-4f84-a6fe-a5d62c8ea73b,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9349fa68-2ef2-4397-adb6-64a72cb52698,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b71e978c-8caa-40fd-aef1-3ef8a7d34fa4,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6401c3a8-bc66-4a54-ac0a-4ea1a5b6b598,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45a8b205-8922-4054-967d-05871441cf94,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef6f411-cf58-467e-a1f7-ac1bfafc13a1,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd76e29b-4637-4d66-87a0-ef5c176a478a,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3994f541-5476-4b6b-90d4-0e642a917d3c,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cfc07df-2f68-45c6-98b1-71eb62817880,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1f08136-8c8d-485d-b649-c55cd0e235aa,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66b6ab7-346a-43a1-89e2-c82d1aba2769,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99bd1ed8-b43b-44e7-92a0-bc5f55403e02,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e282504-8b6c-4450-ac58-d4557f2482d0,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcedcd6c-1453-49b7-887b-477975f4c945,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,874d9df6-b9f9-4c26-8c66-389b6360efa4,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78925d7f-09e4-427b-8d44-31f082e7ea65,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e444f77f-38a0-43db-a128-a6d7d486a350,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c79748d1-97c2-43fa-af7f-8690fec9ade9,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,508fcf5d-e205-452f-8278-a80cccfa45e9,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a47cd27-cab8-4bbc-827e-0b990ac29d2b,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aea6e066-c3f8-44a1-8ced-428a6c192ac0,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab32a766-97a3-41cf-b7fa-62073f44ec32,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c32d90d-bc2f-4e9e-8cdf-9c50c09b39fa,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ab00129-5848-4b0d-8a86-43406ac1eb41,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae480a6-89df-4174-a558-f641235476ad,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,284a61f1-51eb-41c7-85e4-cc4fad3d029a,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a71a3a-e699-4942-9e37-16e4f7df764b,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a2c153b-ae6f-4e4d-93ce-af3380179ef3,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5c20f29-6363-46d8-85a8-a0ae53ce2b18,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58f9835-cd07-40f2-b111-12010440d005,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6970b5dd-01e7-45d3-b86b-31312f9796f6,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,711a21fd-807b-442c-8bd9-dcf4dcf996b5,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aea920c8-353c-4e74-a79a-39b2ff9ce2a1,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ba7c5f1-b7c9-4b94-980c-a5fcdab87cbf,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626e3446-f5fb-4060-80a6-51db1b3225d3,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1af038fd-9c1f-41a6-b124-cdb008121b67,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcbb2bcc-f0b8-41e0-b564-126dfba2c805,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e849f6cd-32c7-43e7-a428-1aa6077dfd00,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8ff340-e15d-47b5-b9ce-0e68235852de,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,729825aa-bb91-48bc-acd8-bc8901ab620a,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c989a804-ad65-4666-8ca3-f713d051d250,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e846d0a6-837d-4ad7-9238-ed81656fb1eb,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,201364f6-c348-42b8-af2e-07355a404e3a,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc28c7d9-8d60-4414-8b98-8c0db40e0a30,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9792d8f7-fa61-4b60-a8c1-3e3c490536c4,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ce9ac67-f88d-45d8-af40-21a5315bd45f,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,751d8e17-fd13-4450-88be-4f7178f30d87,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bffbeee-6300-497e-8a8b-8d587d32bb40,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d0f3081-42e3-484b-afbe-ea15f2d58383,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8ef4095-b72f-476b-a55c-716a06d37361,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c694bdd6-10b2-4f4b-a1fb-ca1a083df9f2,"4/16/2021, 8:55:20.114 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,50918329-18b8-4e62-8759-412ab0988d2a,"4/16/2021, 8:55:20.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d87cc64-0e71-47be-a42d-8611143571a9,"4/16/2021, 8:55:20.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8401c7-529d-4972-8f8f-5ad829528ba4,"4/16/2021, 8:55:20.114 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,2e1e005b-8ba1-44be-b07e-f4437061da9d,"4/16/2021, 9:06:44.892 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86aa35c3-aad5-4747-a104-1eb99fd563e1,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5f67b4-9c53-4a25-af23-ce30db050895,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e502e948-f370-43ad-8504-288c8c9d6ac6,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4585c2d-36ec-49bf-9a2a-0b42c737525f,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa8ef9f-f769-4dbf-9ee6-8f5469536200,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8135d5-935a-4eb4-90ba-50712950e678,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32c4c28-a359-469d-8aaa-20ab7408a828,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59206e7e-7316-4f17-9d35-7e2fa1ee086f,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e433161-2300-40ac-97d3-3fdb82c8bafb,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44abc2f9-9e73-459c-8263-54b146d2c843,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,374cde16-d9ee-473f-969c-255918a0cea2,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,491e64d6-54cc-41a1-a886-8fadd9d1979e,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,941e6d76-217a-4ee7-8496-1875b779a7fb,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b19604d-a9bb-4552-bad6-86c0790542d7,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,382f262b-b11f-4e56-934a-bd6f8b8c4aa5,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d9638c3-774f-43cb-852b-d1bbcae492cf,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db527810-2ba6-4863-8a20-86874452c7b8,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859cde58-bf46-4fb2-8d27-b87609e97963,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeffbd7c-8c22-49ce-8930-9800f4439102,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a93b455-10b8-4574-89e6-854a664b627b,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db2c879-36b3-4714-b83a-5f1bb9d066ad,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,963a092c-26d5-4366-9e0b-5a79129f575c,"4/16/2021, 9:03:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2decb642-dd7d-4c4f-8068-f33bb142c9be,"4/16/2021, 9:03:20.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6584 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,49361f33-e364-433a-aa3c-a1ef17259020,"4/16/2021, 9:03:20.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,273d2bab-3731-4f61-b532-bc9571ea31bb,"4/16/2021, 9:03:20.116 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ed7292-8c71-4bbf-a205-6d96ef2313b7,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6ad6db2-fb70-46b3-bfa3-af91af3bed88,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d094680e-f4d3-49bd-a2f0-70c652419ca0,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b3a277-f944-4d2a-950a-060a0719ecf9,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcf18f02-6799-4a69-82a9-c8c41b85656b,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42028e5d-2754-442f-a5a2-d841713fff19,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca27f026-ff12-472a-8ad8-95324c0da02e,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0344ca9-12b2-4cd3-ac58-a3f72a815125,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc2966e5-ca24-4746-9ba2-da264ebb648a,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ed4893-1c23-4b52-8a61-42a25c663b47,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fee985f-a728-409c-b081-31ad4eaef913,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12006c2f-ac25-490d-986c-889dcc832db7,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f586130d-b6ae-4064-94ae-7ef9ecf340b7,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c993d6a-0a93-4fcc-a5ec-f85e93115186,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a50a6bc3-54d8-4607-9523-4e1a5dab5df6,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,980d1f75-dc6a-4a2e-8837-48875c34bdd4,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8479b69e-3b73-444f-b5c7-3fa1746d4a91,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f681b71e-8441-402c-9514-ea9ba82a4ffd,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3ba76d1-6eb9-48c2-b6a7-0f6c305bd860,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8065b67-c2f3-41f2-92b3-818188ac612e,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62a31ef-f848-40c8-a5e2-10e7f0ccec61,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0208d616-a70e-4a55-9cc0-05409955822a,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9867b2c8-9279-46fa-9392-e3c4f6de35eb,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5225eb7-1483-4e61-9fc3-a10a72a748c2,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0acacdf9-5006-4cb5-ae94-749bf196c74a,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edf4112d-4f1d-41b1-915f-ba26b9cd5583,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ebb92d4-59d3-4aba-ae97-cc0def99c726,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2afb4ec7-65bf-4c0e-8086-bdd434bf3cb8,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8569a8a6-20fd-4dfb-8fb8-e36470ff1302,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ee330f-d085-4cc5-aae6-0e4043153f61,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb91e3be-f9c8-46a9-983c-6610a43d0853,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bffa856-5873-45df-b3f0-8f3260c25f46,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc847fcc-fdeb-45e8-8497-f89a441e24d8,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64edaf6-413c-4bbc-9426-e3db998a8610,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,988b3c8e-0f8d-405d-8d95-1a80cbb174ec,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c25f496a-9648-458c-a91e-bc9b13014db4,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c2e2966-41d5-416e-b831-921ad2fa204f,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,809b10a2-a0c6-40f3-ac55-6745b57a5759,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f48e263-562d-4a0a-88fb-ed21901f8b84,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,853d495e-37b4-495f-bbe0-0267c53ceff6,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9ba1ae1-9668-4cd6-a0c3-715ad88bc593,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693c3305-341f-46d0-b128-47a545a9d330,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0b722bc-249a-4af5-8c0d-76e8ff5ae4d3,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9fed132-09df-4ced-90da-e57180a162be,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dfbbb4d-5d21-4135-a9ba-4539857cf9dd,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06ac1aa6-80d2-42d3-af29-27edd78cbc99,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1587c1c-dc6c-462a-a825-7e97515e0991,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,657e9231-e160-4b0e-9a69-83ec8283a803,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f6c3c4a-744e-4460-a703-b3c9b7424e9e,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1760375-1b09-43af-944f-0bb60e091bbe,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4007edb-f78f-4630-bb68-a79277b45df2,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a295c229-89dd-4c87-95f7-cafd89b49c11,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65ec68be-cd02-491f-99b5-49243c58b7a8,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db4652ce-3f5e-459a-b6bf-9855aa97e70d,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b6df9e7-01a6-4e14-a3b9-5eedc17a850b,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\ABUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08402ae1-f707-465a-847c-a617644761d9,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb44eb8e-9e4e-48f5-9c8c-15b38da09e97,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db0e47ca-2b9b-4e7b-8303-1cb12bafa5dc,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,028ba333-207e-423c-8d26-4d8b6a6f378a,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4be172be-bc19-4bf0-8351-1186bd31d1b2,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a34cec2b-3991-45f6-be1b-e79bfa864f19,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8340dc2-219b-41d0-9862-bd77ac76554c,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,381afff9-437d-4f27-b7ba-730d0c602455,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71b742ff-8a91-432a-b7fd-ba4608ee361f,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP 
+ 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a01b65f-0bab-47b0-87eb-6f32cfd3a6e7,"4/16/2021, 9:03:55.664 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,086269fe-dce4-4ea2-a888-958e8406e789,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ca72953-85bf-4f4d-8dbd-99670c58d99a,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85319120-23a7-4dd0-a03d-9cc370bd5f32,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3fe0dd9-1c50-4dbc-a4eb-29d868d135d7,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a6a970d-42c9-4649-8489-47d4f86cb9c7,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099f2647-644d-4a86-91a9-a08be6f194d5,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,692ab4fe-08d5-4b38-82c7-776a061001fa,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77504ebb-c1ca-460e-8a50-848509c0ae6d,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd20fcd7-4926-4e95-ae10-80316ac5d0d7,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a8210b-b566-4062-8ecf-2402d5453f08,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87ae470-1b0f-4f6b-9f7f-770586c842b8,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0358a7be-9f32-454f-967f-a522c01e64f4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02ac157c-a947-4440-8304-1269fd4c09bb,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adef5667-7204-4743-aae9-b92b6a178c40,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb6ad013-9481-4ade-b6e9-88e61dff5be2,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b71e0e47-a6bf-4cc0-96ee-d66f255c3344,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e98d16e3-820b-48ee-bf07-1f9a4f896236,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\SYSTEM32,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed1ccca3-d30b-4e12-9448-11d27250c2d4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f752642-1b94-4106-974b-646bea6e4ced,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,689d1e6f-4ddb-41a3-b2e3-e1a1ab77f174,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7db89ea0-8b1b-4534-8c12-d5d2f4c019f7,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c198d60-b68b-4ed2-8b7e-2e4a5bfae04d,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20971a88-2aed-4fde-af47-0aab97938e85,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f57c54e-a0a5-41c8-a052-ec72bfd6dbc4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c54b2d40-d619-4438-9809-f8fdc5f1e7f4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c40160a-592f-4ff6-b1a0-ffd3938ada08,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d4b23fc-fbfb-43f6-b723-388b8d14e36a,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d6c0fe2-e99a-446f-bfaf-f1b254f86fb8,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a73f93fb-d3fd-4028-a9d2-4219467d6366,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,864741d7-b965-4d6e-8113-5c9574910271,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\TESTUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4e2928f-a430-4220-b9b9-f1678d8c9706,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,75cc6b6b-d25e-4825-a517-95ba907dbf9c,"4/16/2021, 
9:06:13.408 AM",,,,,NTLM,, +\SCAN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4e9c379a-ca69-46fa-a029-a17b16a44fa3,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42c2056a-a65d-405c-bba8-25f0f8b321ee,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEFAULT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,955060fe-f566-46b2-959f-04342691046f,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1360b14-8ef7-4783-a6e8-8876f406a06e,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEMO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c5e2b182-eee2-4a70-9199-6538f4b03368,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc7d0b1e-a391-49a5-b95e-244cea0a0e2d,"4/16/2021, 9:06:13.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + 
EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4864 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2537209-de7b-4aa4-9541-87238f87b5a5,"4/16/2021, 9:06:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12e2fee1-1e8c-4c20-9232-0bc240812812,"4/16/2021, 9:06:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42aba100-469b-439d-a9f9-0f1b4e7e0884,"4/16/2021, 9:06:13.408 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5972a6aa-48ad-4f80-889c-5257fb33ab9c,"4/16/2021, 9:06:46.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,95d04633-8c79-45cc-9e00-8a12659df72e,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3564 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 
8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94c8694d-ab7c-4ae0-9c34-e613ec26280e,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5528 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b1e387dd-2b8d-4dc4-be9f-da778def0407,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6544 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8a3e2b4a-a50b-4915-82b6-805e31dbb9bb,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4828 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e428240c-6058-410a-baed-27778f69972c,"4/16/2021, 9:06:46.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7b9f9043-6a24-482d-b387-2d64f3e6f42c,"4/16/2021, 9:06:46.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c8d3f887-40c8-4eb8-955c-a7019aada3f3,"4/16/2021, 9:06:46.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6de9cbba-50e5-4b2f-b394-e4bbd2159f16,"4/16/2021, 9:06:46.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c2245458-bdb9-4326-9dbd-f499d572777c,"4/16/2021, 9:06:46.739 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98f0b791-96c6-4a46-876b-aec0d65faef0,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b43310b-a39a-4edb-aca7-5b0a5ccbf37b,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c34bed80-f625-4f76-8db6-35956be388e5,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db153176-1588-4e2f-aa6e-658accabe832,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4a33202-acad-4bc1-9529-f999f5800e1e,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55921359-b536-4eb0-9aa9-2a3e698139f6,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d8cfdd5-205a-45f5-b439-31d31929ef89,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec753c6d-f3ea-4558-8ba9-aad7fedb8364,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89ab217a-3865-4d36-9965-47ad328a8787,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0640e3a-00cb-4b94-b007-79fe624b1024,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac34aada-4ce0-43d4-b83c-e43dc1af7611,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e63bd661-593c-4587-883a-a51fa0ba3a01,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78c4fa9f-6ca9-4615-b3f8-795a1270af2d,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a00db6f4-fcdc-4027-907c-5c0d7c9ca395,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ed21174-c8dd-4e53-ab15-4f8fc8b34648,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f0de81-34f3-41d1-b3aa-99bae95a79cf,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,296586c2-4eaf-4249-b67c-e10b3274d221,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef98133f-21a8-47d7-93db-6624b46ec691,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0ddbc7-c5d3-4bb2-9af9-c544aeffeefd,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3945aab5-87ac-40dc-a1a0-c7629a329a3f,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cffa9956-9086-47da-8384-72e6dc132680,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34337def-c500-4e21-a2fd-9e95cb9f5abc,"4/16/2021, 9:06:39.133 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fe39d87-f593-4f1f-92da-154369b85e41,"4/16/2021, 9:06:39.133 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bcb634e-d8e6-4558-aced-a4d821cefde7,"4/16/2021, 9:06:39.133 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d843955-ca39-42d5-a7d0-3d5356403efa,"4/16/2021, 9:06:39.133 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7664 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,19987f3b-3f01-4cc2-8d19-07541a648ac8,"4/16/2021, 9:06:39.133 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6444 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca5860c-b6ea-4ea9-8561-5162f9ac8ae8,"4/16/2021, 9:06:39.133 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,465ddac5-eebe-4e57-9cf9-f15de0ef958d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c07de57-dcf4-45af-a745-ffaabfd3a6b0,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,234e6ac3-b9c5-4dd8-9448-41a8dfe4cd1d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ffd5f9-303c-4b41-8658-fb445c370ed9,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,9d95329f-877c-4e5f-a4d4-a9373df4993d,"4/16/2021, 8:58:37.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,227a60f0-b641-450a-85f1-d1532950c2bf,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a092132-016c-4274-98a4-9d4ee6c568e3,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b825991-1f7f-4e56-9eb3-43cd293c417d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc409a66-b589-42de-9bab-cea13013b142,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7083106c-a700-44a2-b5fc-17ce16dfa148,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9097a81c-7fb7-4746-b3ad-ce17fa697fde,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1536f7dc-d96c-4f6a-84df-0080b21a479d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1533fa-3487-446c-ada9-7abb8167490b,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dba5af7-6ab0-4d2c-a0d8-c9af0cec8337,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde9f68d-f5f7-468c-a55a-9f0ac2807d59,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab4f44de-7cd4-4312-b728-c9a7f5cf3f82,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,772b65ac-d407-47ce-acd7-dd3331a1c369,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6898b852-ff17-4e92-8916-26bd6280c39b,"4/16/2021, 
8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecd2ddba-39fa-4f94-a142-240fe7f5b015,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67a772db-e98d-446d-9458-002fe10f655b,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83dc4b73-3d0b-4704-82ed-db0935dbadb7,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e58451-7015-4164-8f3c-36ee217d46f8,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02121598-8c9c-46c8-882b-d69fe793019a,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07475d5c-e9f6-4c3e-b44d-77d0be7bd95d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf690df-9807-462e-9528-9d7dcb9d39aa,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f907eeb-770b-43cd-94d3-9a5c0fdaeb86,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ea7b87-b037-429a-a5d0-bdce0a73f979,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e3b5dea-defc-4e96-897a-07b2fb7c4e1c,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b9666f4-897e-4bc8-a4b4-5beef6de8946,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72a1fac3-6b21-4bd1-8b73-a1df21fc860c,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cbf069c-c20a-4474-b3ee-f6c855fa3e65,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59ee3d8-e596-4dc7-be69-13212ca21091,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14e6925b-3c8a-4c57-824a-3f57f6931c06,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91a8d261-1b06-4ed9-adc9-76155837b20a,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9ba67aa-a887-4441-b083-5b2c6489b3f9,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5aa50a20-218c-4d15-bbfb-29da75ead4c4,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ef3021-5057-435f-a1ec-8c26eb4048ef,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a78889-09b6-40f3-8e7f-10bde28c422b,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,823c42de-91a9-4bea-8726-68f89c13748d,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,730edc9f-eb7d-4265-a538-aff78265e905,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f1a422c-6090-4cb4-abab-9bc7659e550d,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,036ed2ee-79eb-4390-9d5e-2867692a6083,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36083c32-0878-4de5-a4f8-5350fdc0dab6,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5018e4eb-7d59-4e23-8e9d-daeec2e77404,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a1f1d8d-7ffb-40ba-b2b4-319028bfd287,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef0ee1f7-6dc6-4cd2-92b8-dc8eccf7bb22,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e24aadd-b0ae-46c5-890a-22218152eb15,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c49b07-6f6f-4afe-bb01-079df9d396ae,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06fb2519-b090-4e5f-a397-4c9541ff6306,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e05fff-d551-402b-9802-d93dcc6ecc03,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4987ac7a-6cd7-4fa5-9867-da5c841dd29e,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66e088ee-b3c0-4090-80c2-b91cb93f8584,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8f4fba-56cb-451b-a3e6-b24991580103,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb51ed4c-1f9d-40d1-9a46-83ca2735e4c5,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02f913af-425b-4bf8-b1f8-3e9bf6f67234,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daaaeb09-2d0d-4cee-817e-0e8a1544989d,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30746bac-b639-4d33-9b39-b252069ae4d0,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4750045-46a9-4981-81bf-f433f5d20da3,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ee8a95a-ee2f-4526-ae5e-ccc6a1104de9,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e03a24f-1619-42a7-aec1-214f5f22f8f5,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fdc355-7d18-4018-8713-88f80f9ca00c,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d621d5f1-d24e-48dd-a683-d107b9322757,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,834f0285-76c9-426f-b837-c055ad31a7da,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdc52105-2935-47ca-93ce-cdd16248d150,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97b4cde-6e4c-426f-88c9-cb7cffe87448,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6581490-70a3-4711-977a-39320a9e2fc3,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9f15ee2-bb4e-43cf-83d0-ebda86163945,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b984c69a-01f6-4cae-86e5-7c9cb6007b02,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c388ae-c15c-48d3-b9c9-1a243d5b8410,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aed7a22c-65c4-4b65-aa01-281490e91378,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caa4890c-d36f-4581-9797-1d7488f4fe39,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ce1bd4d-d647-4a0c-b673-3261093a1f46,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3f095f-a0b3-4528-8b93-9d222bf30814,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\USER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,52150d89-806c-4668-987a-dc87855bbcd3,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* 
+ 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ce02486f-c294-4456-8514-801bd75d45d9,"4/16/2021, 9:06:48.418 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1d7e27aa-a3eb-4dbd-9188-af7fa6056cf3,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\USER2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a408b718-93b5-476f-b073-80d7b66a0331,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06f99f22-87f8-4c5f-9b1a-cab4a3f6ac96,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ce8d3c7-85ea-4938-8bdf-dceb80d218d3,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,15ef9fd5-af8b-433c-a768-7a495a926027,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d47280fa-22f0-4cf9-9e0a-015795aff71c,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f42311-cfe2-4a44-8a8c-e26b5cc8c27f,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84516b2f-94b6-4da0-ab0a-fc1e04e7647c,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb34ba76-ed68-455d-bc4e-a01f416a23d0,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f9a145f-15aa-47f6-a47e-e7a5095ebc1f,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,156283aa-4776-4358-9591-956a27e049f1,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07afe084-69b0-4239-9810-5407bad70149,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f27482-96b3-4ef7-83fd-f1279cbfb3e8,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,120ad440-f31a-4f09-9121-4ee9229938e1,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92085c90-1699-45fd-a52d-460154842887,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac9cc131-411d-4e60-877a-52f66319c7a5,"4/16/2021, 8:55:22.641 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd577be5-9206-4027-9aa1-514977c97722,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\EYI,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec99eb62-1d57-468c-a657-2c251926f755,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6294426-da1c-40a7-8fbc-849155fbc1cf,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b091aa05-895c-4c73-814b-5cab0e8e16a8,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73cd7077-d26b-40ba-b955-b3162d1d43bd,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08b9f118-5e2b-4957-b1e6-bdddc1a03586,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27dce689-b6ef-499f-b127-024535f3193c,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\WRADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39578aec-e0e3-4c98-9e44-1bce18403425,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a4180fc-9519-48d6-bfbe-97e2a81d6041,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\BJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76343f55-92ae-4e70-bc62-3051cc0be976,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8002e017-5ba9-4bf4-a933-afaf4fd84e08,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d772af7-226d-4037-b4f6-b2460bd36773,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ce8f58b-dda1-45bb-81d7-2aa6eb6e4d67,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,137a1aa4-a1c8-4964-8be8-c6fcf4a015a4,"4/16/2021, 8:55:31.858 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,17f6ff4b-6a0d-4052-ad2e-a094fc068ccb,"4/16/2021, 8:55:31.858 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24171286 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} 
%{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e524aab3-156f-48c4-8e36-ef428e77c8f8,"4/16/2021, 8:55:31.858 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b6e8fc2-8c3c-4c26-8acb-a138b1731bb4,"4/16/2021, 8:55:31.858 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dcfa689e-7797-4085-a096-3078668b2b63,"4/16/2021, 8:55:31.858 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,910cf79e-3ced-4c33-99b5-ef641f14dfb6,"4/16/2021, 8:55:31.858 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a49ac29e-3053-407b-a726-7fa9c3017b11,"4/16/2021, 8:58:44.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5240 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 
0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6b9e862c-9ed1-41af-8d04-eff18fd6fb84,"4/16/2021, 9:06:56.987 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,517733ba-cf0b-4913-8d99-faab9ae041d4,"4/16/2021, 9:06:56.987 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ffd23e2-24da-4501-90e3-fdf82292a359,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0155afa6-0a56-4f49-9cfc-1639c549ee7d,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a92953b-9569-4a0f-a54a-3ef0049c0e3a,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab338903-e0e5-4fe6-afb3-7e5230956cb8,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06bf5047-160c-49b0-9ecc-12f9b846b0c3,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41da7fc2-6890-43a2-9760-5405b33ceebd,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,164f10fb-5a65-4e2b-ad25-61196e9fcd0f,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae15e9b-bf5a-4ed7-a58d-9bb80d8ac76b,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32ca1d32-cd66-4b31-9ed8-6fd9bcca1095,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eab3a512-1a78-4164-a26d-03eaa018d16a,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,196f210b-fe43-4023-b013-dc0ec36658e7,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d7211a8-7ffc-4869-85a0-e40856c3bdfd,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,682d2faa-9454-4a94-917f-57cbd76d4b6a,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9920aaec-8fdf-4f65-a73e-42ee66378515,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f09ac347-8912-4d51-91c1-4a92c20600e2,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,844db2c1-dde9-4bec-ab4d-af812becd9e4,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,630b42f5-57f3-4571-afde-36abb18c9e81,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f4e544d-a14b-43de-b4de-6d824c35a3fb,"4/16/2021, 8:58:48.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 3468 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 
- A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,22e1e008-b00b-4e00-8e21-76f26b42dfbc,"4/16/2021, 8:58:48.189 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f35bd0a-ce35-4732-a5bb-da9510e57362,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0339dea7-31f4-47e8-8ff2-63502315927b,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a51db63-c9f6-4414-b12d-48ab4814f0a8,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a82c268c-1d9c-4fe6-a872-c60655ca073f,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77e89709-735e-40e2-9ba9-dc5003f29173,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a83f440f-8f08-44c9-b9fb-a75df4b8daac,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5612ab1-8a78-44b3-b20c-ffe3b4d91bfe,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f1d75c3-fe40-436b-9a55-9d3a8add673a,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1aa6bed2-cb1e-419a-acbc-22583e0012e6,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3f68077-db6d-4fcf-9803-a4f9a719f95c,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027729d2-df23-46e9-823b-517fd9ca50a3,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38e2f9fc-b4f1-49ae-b93f-d056953e9bfd,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07fdd5dc-c649-457d-90bd-3fb35f3a3811,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e068c95-fe77-4593-a44b-371195632876,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,189bb767-18a9-4fc8-baf3-ed0020c0f837,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b918e43-49c4-42d1-a576-e73883c887a7,"4/16/2021, 9:07:00.684 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14e528dc-9c9e-4f50-89d9-1c83ed8a33b6,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3eeece77-da61-4cf6-853b-835c7f9e7e31,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f3c9364-6fbd-4ac6-b119-1613d19d3a76,"4/16/2021, 9:07:00.684 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,daef3666-b6f2-4c2b-99a1-4f605ed18786,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15fccfc3-4181-401c-a15e-968c6bf790cb,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd9b7198-f00f-42b6-9091-c9884cdb11e9,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8667b394-4d2b-411f-9f5e-d04a31bc3d25,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05410152-7396-40d0-acb7-8c9685a74ed2,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b5cc123-d1a3-4fdf-8dfd-be6712a7b07d,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acab6021-a8c8-44fd-aa0b-2e059adba73f,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56ace6b8-864c-4db8-b38a-aa4b65501a39,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 5508 + 2021-03-29T15:51:38.8351258Z + Microsoft Software Key Storage Provider + UNKNOWN + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\7ef9ce7839778d36dfa70742ae0c3d53_78f67aa4-178f-4369-9a87-b6c08621234a + %%2458 + 0x0 +",5058,5058 - Key file operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88c538e1-d852-47d7-acf6-54f42748b573,"4/16/2021, 9:07:00.684 AM",,,,,,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e34fe5a-ae54-4838-888e-741ff8cbe941,"4/16/2021, 9:07:00.684 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 5508 + 2021-03-29T15:51:38.8351258Z + Microsoft Software Key Storage Provider + RSA + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration 
operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2181cd10-4e04-4cf1-bdc9-d99beea1353d,"4/16/2021, 9:07:00.684 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 5508 + 2021-03-29T15:51:38.8351258Z + Microsoft Software Key Storage Provider + RSA + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d342de9c-9738-45f3-a5d4-94134921c7d7,"4/16/2021, 9:07:00.684 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d3ce829-0e24-4ee4-937d-5298cf17c571,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552208b0-d450-432b-9bf7-70e66e363d09,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f45d25bb-d02c-4665-be50-4e181279b2a3,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371e6729-58c1-45a7-8c10-ee0f34b21cee,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db32b0d3-9831-4453-921d-e564364d3d5b,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de01af9-c42e-49d7-aca2-d69d742bca56,"4/16/2021, 8:55:35.154 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9581f07b-80d6-4666-82df-c772ae1a970c,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9bb9b4-6bf5-46d7-8c75-1f9268f34133,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4995bf17-6bba-4c03-ad1c-b3ab3fe59988,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef5308f7-74f3-44bd-bb41-be98d1892065,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce8220c7-ba9c-4674-945a-81a9fa319d72,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d21790-112e-4681-8825-e016f6edab3b,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,e35f33b3-2636-4c8c-9fab-26db1253d13a,"4/16/2021, 8:55:35.154 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aed384c-737e-4151-a242-d7ebea1f2dfd,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3a6cb52-23cc-4998-9a50-c173af55b1a2,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddfffc2-4e8b-4ee9-9418-6f2a14203508,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a02432f-861e-4790-8756-931d56f000bf,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2950dcbb-7e90-4589-bf54-f5752e40e7d5,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62feb516-28d5-4b49-a1b6-ea53d349a956,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe8d5e01-bc58-4903-8935-8c31527e3568,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc86cf22-c064-480b-91ae-08831de1ba27,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9459f462-da19-470d-88ad-32b080fef7f8,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5247551a-6e17-4c73-aedd-29a860a092ca,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf52da42-7a87-455b-8b27-470ad9227f56,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2ce15b6-e811-40e3-9b14-dbdccb9de933,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,af32df5b-619a-4077-9894-c5c15bee4b07,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fd4baafb-fb07-4c94-bbdc-6f7c520a4723,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10340 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c4deb20f-7de6-404b-99fc-8c2fbf5a9392,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4452 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9cef2ecd-178f-4312-b023-b13f82f56010,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6528 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1e35b397-590f-4e39-8f29-287ed1436bc1,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11108 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2f6f4727-87b5-4c5e-b521-1394a964719e,"4/16/2021, 8:58:49.278 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0da6956d-72c1-413b-a661-badb37c52994,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd6acb53-6ab4-43b1-9a57-8d9a715152ff,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23a8fb6f-9e55-40ea-ad3f-95a51171cc58,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8498db05-2064-4cf3-9ad8-13f5b38bcded,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a4f01547-8f06-4289-84ba-1afd6798ba6e,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b2874736-4663-4d6b-8de9-388f4032fca7,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78f225f0-d0ec-4495-b73f-b0f2ecfe12d9,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,22e21b44-b39b-494a-b78f-94f421ce626f,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd971467-ddec-40ad-83bf-6b38e872563b,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2af9cfde-7636-4dae-a42a-a862e5f07b9b,"4/16/2021, 9:07:03.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3c59131c-0785-4209-b5a0-141ed3434cdc,"4/16/2021, 9:07:03.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,7400f33a-7605-4510-b450-1c20addc7ba4,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,762db713-7103-4924-962b-90bd328db4b5,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cb30359e-376a-40e2-93f6-d5d57c1893a5,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,cd5d6b01-abb3-4580-bd93-76861b9c7cbc,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0b4a0a2e-3191-4575-a0fb-a55a04cdd2ac,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5098da6e-c095-4842-85dd-fb0c2e2e3869,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,201420d0-2f8b-4426-8d89-a95bade95414,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86e11413-9337-4962-94d5-7f57ace2defc,"4/16/2021, 9:07:03.071 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,af21b519-6725-42c8-b940-789c679a0f7d,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 10164 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 
+ 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,946c0d52-174b-467e-aba6-1f4c15b2d771,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6268 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0d6641ca-9f74-4ccd-b798-6500085bc2d1,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fdc56031-a6d4-4c44-b536-fad381112372,"4/16/2021, 8:55:38.564 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,583b00dd-962b-4dfe-9dd5-7e7b2f7fce0f,"4/16/2021, 8:55:38.564 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e08d0ae-32fe-4ea7-b2a4-b9cae5dfdf99,"4/16/2021, 8:55:38.564 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ad0cf2ae-9e51-4905-acd2-adca810864c7,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5156 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8918fe3-d5a4-4505-b247-13930ae90355,"4/16/2021, 8:55:38.564 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28b89b58-537a-4387-99ef-4ed12cf814b9,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b749b5f-4bc4-4b03-bd77-b5a65f5533aa,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db118e0e-a729-4b25-8b6a-660278304020,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,159579bd-dee3-4996-86a8-f9fc9f535329,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e58548f0-f79b-4d85-a209-e43675a9e7b0,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8c79f1d-2fa4-4549-beb2-5a740e134447,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,906706b0-b08a-4dfb-a6fd-30625fa2e419,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e70e61e3-df76-467f-a976-af97006235b9,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc2f477b-771b-42ef-9690-6139cb7572f4,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba0e2b7-339a-4e1b-8bbb-e5c94c2de8aa,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be686055-8b45-4ef5-b8d4-29153022eeff,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b74919bb-aad4-43dd-a3f9-a9fa72f3d57f,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67646cfb-cbd0-4418-86c6-2ea46fe990cb,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eda19e64-47d9-4796-97ad-9f2f1edd933b,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df7b7421-76dd-43f0-bac2-60a897797507,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24d0b9d3-ccc1-4e8f-876c-5ea04f89429f,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,738bcaa9-19bd-4662-a392-27d0759a5734,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f20fb0b4-529c-49b1-8381-d71816454d86,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d265785c-0864-4b43-9ca3-481d0bd2a1f7,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30771742-eb72-4eda-ad8d-830ef6404d05,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0ac8a00-fcc6-4f1a-8c23-930e158f62b3,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b49efcb9-8323-4e88-a9a4-1d313f3d69f0,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47aee918-3abe-4c63-906b-1e95fb6f77ba,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1240e986-86ea-4462-b95f-9eadf2101a09,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5356 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,208804d0-7091-4b7e-9e1a-eefd14196ca4,"4/16/2021, 9:07:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2348 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0d6cc992-2944-4056-8dcd-fb0c0b5fccf1,"4/16/2021, 9:07:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,596ac1e6-f590-463f-8f51-91fcd8366a5c,"4/16/2021, 9:07:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d9ac667d-f953-45af-a44b-0ba1c44d16e8,"4/16/2021, 9:07:09.885 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,60788809-9847-4ce2-8e99-c3a0f10b3211,"4/16/2021, 9:07:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a8d8f297-17d7-4e66-9a7c-a2d6af6f0930,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4144d032-9fb6-4d37-9e7c-e89b29bd4278,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read 
(ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ce2c538f-2aa6-448b-8c1b-c114760baa47,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7fdc020a-8733-4c6f-a55c-da1387e79ebd,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b7355181-19e8-4555-b011-8eda59686c25,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cddab8a5-c8ea-4354-9e49-f1af06058594,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f09af7fc-2509-409a-a5ca-bcac86d950a5,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,122f744d-5306-49bd-ac4e-2eb4b9d630eb,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95c43e9b-d1ac-4041-a965-78da57fbe712,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,760f0e52-7743-457f-bcb7-45b5efcb5f00,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2b912419-87f3-4dec-90e6-8f2dccb6d95d,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4a030d5e-45a9-4ff9-a2e4-971f0744536b,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,936cca3c-835c-40b3-be5d-d403d11f9460,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f9e73144-38d9-4bcf-992c-fe94cc48d7b2,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ad8c9006-b166-44cf-a024-78d112d376ca,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a0661622-0919-4776-833a-e820a835fdf6,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9c1b0d88-39c0-4662-80fe-aeed954c0ef7,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,638e2f26-d61d-437e-bb79-d0a1f4b2eb49,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b8214ce2-6f1f-429f-b862-f4bc8cc91c1a,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b797961c-183b-431c-a3d6-cb011198b36e,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b29f1a72-fb0f-4918-87f3-8b06b8b7f5b2,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d8a1a92-34ea-4cd2-b35f-f32815182a9a,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,08f9e4cc-70b0-43d4-a634-c839929cd36f,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c4bc23d1-d07a-4f4a-a925-3fe307380236,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,29ce36cf-0123-4a62-8a9a-f4c51c2914d8,"4/16/2021, 9:07:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5140 + 28 + 
%SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b2a561c5-2b20-4593-b852-fed85e13cf0f,"4/16/2021, 9:07:09.885 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7107ff19-0df5-4c86-afe8-63d01053a890,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,938f2e9f-3199-4f1a-8037-c4a519c3f1c1,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87fa5c22-6c26-4a0a-b6f0-9fdc9fa2c0ea,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93c9ba54-c523-49b1-97da-c18bf62a54d1,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d7d517-f089-4a42-ba22-7077559410c6,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b640633-f0f1-4db8-b1d7-ef79b7a99b2e,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfb09f84-e1cf-4420-acbb-21437583c95c,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6d14a83-63d9-4154-b360-c8cfc4ac1802,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e420b1a-4069-43de-acb8-1f486d5da028,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e6562c0-e559-4968-93f8-f450b569d3c5,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1bf7241-4cfa-4ab0-b84a-b359b5c65e21,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bc15d10-76df-4ffe-b368-860d95bcc6ad,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56ae0d79-612a-4716-8522-081e1091c716,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,491b049b-b4c1-4479-ba87-d4d0cc56c6d6,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2471934-41ce-4e98-8688-edf4505b38cd,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a51631d6-39d1-45b2-b0e1-9718f2d72d9e,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9489836f-2024-46df-9e42-0710bcd816cd,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d21f0d6a-73a8-4556-9f70-833406569ea7,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d2274a8-d447-4554-8261-4edfb14b7374,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82b2cef0-4503-4382-bd14-6281c7eaec00,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7835747d-eaa0-4ea0-b2d8-b6158c3418f9,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceebb1e5-e9d3-476d-b6e1-4313cae0ba76,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10804 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,87a8f53f-26f9-413f-a117-b73dd08bc172,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10440 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9bb8dec5-81dd-4d0d-a850-29872ebfb3cd,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14604 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,b95e2299-c331-4006-a831-599f836a486d,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1308 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7c1fb82a-defd-424f-a96a-ec550b2efbd9,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10500 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e8cc4088-c724-422d-b407-3b9ed8752d3b,"4/16/2021, 8:58:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9824 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6a7307fb-f75e-494b-825e-74c179017c97,"4/16/2021, 8:58:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6012 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,68fff945-72c1-4121-be56-ea3209257717,"4/16/2021, 9:07:09.366 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10572 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e911f0c8-9683-4551-b441-bb29402bd9d7,"4/16/2021, 9:07:09.366 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4320 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 
98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5677525d-10fd-4fc9-8b9e-b71b41c4644e,"4/16/2021, 9:07:09.366 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc0049b2-37d9-4fd3-a377-d930d41e9cbb,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d6827eb-d8d5-4ce5-acd0-f38b70ab060b,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c168a5c4-0b40-4d51-bed2-d9d8cb346581,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b81c3b-1f01-43bb-a30a-5e16cfb16dec,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859f6da6-5edb-4622-bb80-7d00e3393f0f,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\HJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a15d3c6-9d7f-4df5-8975-9c01526b0f12,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfd3438f-2a3d-4e54-a580-c2a84799035e,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62cc6665-fd1d-4de3-9cd9-0cbb149858ea,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47c19cd0-4a8a-4060-8534-7fec51b41b96,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86c6e3bd-b920-4b6f-8ea2-9350844385fc,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,072cd42c-cb82-438c-89cd-e48ddc6f10d5,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cd5e4fd-35b5-45fe-bff1-f5d383492590,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08e7d4db-6a77-48d7-8c44-4503ce065ed8,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,254757c4-464e-4f22-8cbc-0812abb4f384,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6406c6-7570-4a8e-b200-c3ca6fa076dd,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4641bdb-5dac-4671-ad97-9929e80722f4,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf2d2f59-5041-4955-8227-e994586f9528,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b10c3401-455a-492f-8444-6882851a7a60,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dab6702-6bc1-43c2-8edd-fc6c63a09bd4,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c19979e4-e73a-4193-ad12-2c26b8404fdb,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20020593-3c83-48c5-9adb-92a81ccc4b9c,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ffbd5e-6463-436e-99a7-c674e8089586,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4584f6b2-7a2c-418b-930a-d87a5dd208d5,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,563539d0-f736-4010-8d34-05a44922b30d,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92577bad-1d8d-4238-9f30-3aa21e31c7f8,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef6d1c7e-e8e1-4670-b62f-dbd581563476,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dfccd32-964e-45ac-a3ed-3fda1a91f531,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b7f0f6c-deab-4fa3-924c-5e1e91be1872,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e9ddf9d-a6a2-404e-962b-1ffd61e2b801,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c965cff1-7a6c-4dcc-9c5d-becb4f2a8640,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,622ebd80-95ab-4fce-af24-3ce1d62ee649,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0812c90-26c4-47fe-bedd-116d18d0c794,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,967f6c1c-4d4f-47f8-92e8-46fae7d50f86,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca439395-a042-4579-8aa7-74e0312b2d85,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54c4523d-32f4-4260-b3f2-3bbdc5c56a4f,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,496382ce-9f0d-4961-9fd7-22fa2b4bc53d,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce182fef-1225-4fdf-9ff4-fe801496b9ff,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b35778c7-c325-4a09-9f1f-1fabad3493c2,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f0d3d37-315e-4862-b863-8509de73c46a,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c7bed1e-3723-4c55-81ee-6af77baf662e,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70170bb1-f042-41b1-b2a2-a378b5486f0a,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b650cc0-3bbc-437f-b8f8-a70ff143a882,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a22b00c4-81ab-41f7-977c-1dd0986a02cd,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f147f7d1-7425-45e0-a506-285ee1d9612c,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593c862c-840a-40c5-9ffb-af0ea0d8d2d3,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a28a52da-0c26-4901-9008-f21f6a2e0bf0,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2689fc2-b829-419f-bdd7-c07250c67b4b,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7e84a2-c24f-4b0b-96fc-6a153ab25cb7,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d249daae-7e77-4e75-a0be-fe67d2bc3153,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d761ba48-7f16-4ae0-9950-90377f367d2f,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db7c15e3-accf-4124-915f-cb9fad6bae8e,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe315df4-ba7e-4095-8d8c-7d553dfc1020,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7623888-ec43-4d60-ae51-c1b5ead57212,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,861a1247-2149-4d9b-8a75-adac54556a48,"4/16/2021, 8:58:58.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9436 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1158c54b-b775-4eb3-95bc-01dc33221495,"4/16/2021, 8:58:58.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7804 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,27bd845b-89b8-4ef4-b61d-3418a0605156,"4/16/2021, 8:58:58.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6cd1c2e4-288a-4df2-8d2f-a6356ca1e43e,"4/16/2021, 8:58:58.569 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,643e3846-2841-4cbd-be1a-a9a0f5fd2988,"4/16/2021, 8:58:58.569 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12296 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,45443ea2-eaaf-4351-b1e8-206a5aa1640c,"4/16/2021, 8:55:49.276 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10076 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,203ffc25-3505-41d2-ba7c-7bffd7c11e21,"4/16/2021, 8:55:49.276 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ed28f1d2-4f79-4258-ad49-67e2b8abfb7c,"4/16/2021, 8:59:02.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0dd1b7d9-992e-41d3-8de6-f0ce3756af90,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2668 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,74fef8ac-193e-4f8f-ad7a-ae23e99ce892,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1528 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d01699cd-5995-4563-aea7-ca534cec6ceb,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2440 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b11f6ef3-b406-417c-b886-aacc1e4fb598,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7132 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,396bf7d8-90b7-48d8-ae41-189db85179df,"4/16/2021, 8:59:02.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2636a067-e36e-4546-918e-f54dd9a6972a,"4/16/2021, 8:59:02.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,553315cf-6b7e-441e-9b7b-ad95ff8ba1d5,"4/16/2021, 8:59:02.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,57c04fa7-3d44-49ed-8c60-b7b0cc757ff5,"4/16/2021, 8:59:02.862 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,986c20ce-1e41-4d02-90c0-b1227cc45c24,"4/16/2021, 9:07:11.584 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 484 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a2520a46-06be-466e-9985-1accdd3fd4ba,"4/16/2021, 9:07:11.584 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c9a1f760-4990-45d2-b1b5-41af93e0087b,"4/16/2021, 9:07:11.584 AM",,,,,,, +\TOUCHCOM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4938784e-7498-44d6-ae03-4e9ed0f5d874,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f78140d-a7b7-482b-9901-e6a14104c01e,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,904f31a9-4fb3-457e-9a86-a995e2c67826,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d90742-f08d-42dd-b34e-bebcf72ea01e,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34eb1338-5e2d-4838-b1a4-07f9cf469057,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5acdeaaa-fb1a-4163-9580-4de206ccb32e,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46afa1ad-3daf-4002-b20d-17a44aa87161,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7453f967-9a29-4582-a906-3b9eba3e0d6d,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8bd3841-0258-4feb-94f8-8ade06a7555f,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,804cb130-4c12-4686-938f-bbb49953558a,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40cfd6a5-ec5b-40e9-95c5-56bcffd14e5c,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c16da09-015f-4935-abc2-c162db0c8301,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ae54a12-ebe8-4170-9f81-f1ff1738ed88,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1729e6b5-7454-4b38-8d3f-af77d7a70760,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,472e34e7-8e5c-4cff-b45b-f1f4303f0a32,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81ab8f92-a170-4c77-a35b-45f2ad289486,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c79c3087-5139-49ed-be47-00f3e70b6675,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,307ee839-bca7-43db-af17-17078cab8e4a,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b8cc9dc-76d1-4446-a968-4aff9f0da6fd,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d12d89e6-70ff-4c0a-9860-2a97ab6fe735,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac1da5e3-e970-4a4b-8b2e-a2775c71bfc6,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4db36a0-33b2-4c46-9adb-98b13715fd94,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,799f9766-cef1-4eb0-b9d6-692ce2a72b61,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01c5bafb-1e58-4280-b760-467a6643eb47,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c1fc4b-b5ea-4e38-9a16-c328032e9286,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,901d1789-1958-416a-8122-942df5b605c0,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa35d434-ad7d-43e6-8b87-4cae7fbcf81f,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 
+",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,567cc785-bd88-4897-8b29-a112ce224449,"4/16/2021, 8:59:03.731 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6502b55b-7c44-4a6a-8c05-b9ca24ee344f,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b7ecf04-98fa-4109-805e-8642165941e2,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00c8bfe8-3dbd-48b9-964f-08616f17e1c9,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,072edea3-b103-4d18-adea-e3e81c185c74,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51a69f71-090b-49cd-b917-e473896dfa48,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9480cd49-5629-4584-bccc-dc0e28e98602,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33e2aac1-97ab-4c14-9608-cc398f58c788,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,153e10a7-d26c-435a-98ab-58b943f4237d,"4/16/2021, 
8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b775dbc-a86a-4f66-8b0d-bd347aef50ea,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb9e70d5-069e-41e2-8fdc-5fa5802a6199,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dea83fe3-5371-4a22-b9db-a8f4f1e58c80,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac457e80-2b65-47ab-be32-38779f4f63e2,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc61ba51-2a36-41f9-95fc-b03b9a289c45,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,257c5676-697c-48a2-9d65-4a638f0a9253,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,546d03eb-ea1b-45a6-a07c-b7f9c0ac2b02,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db09ef19-7c9a-484d-a15d-2bc0a15e6594,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ba90e35-0497-4fa6-a099-7e95c6b77200,"4/16/2021, 8:59:03.731 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20f82b33-926e-4e0b-a2e2-83cc0eb4c149,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,27417a57-0b14-4045-bd25-5fbf76f6e787,"4/16/2021, 8:56:04.408 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42f32499-ffd0-4c55-9ae8-3cfdac0cf271,"4/16/2021, 8:56:04.408 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0b44e95-f18d-4fc6-a23e-042e84e16b91,"4/16/2021, 8:56:04.408 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af5c9f5-3aaa-4337-a2a6-d252b7d3905c,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f92e2ef5-4e43-40c6-8961-c2c6e7262173,"4/16/2021, 9:07:19.680 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fdb9a40-059c-4c04-925a-0fa229cbd721,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbd9a268-2375-44e6-bf40-66990ce130ef,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,845ecbc5-4583-4677-b3f6-9c600ec56e11,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f50fbd5-ea7d-4ffa-9e3d-6206bd304287,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,305f7100-dbc6-41a8-88e0-630b85a295a9,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3c0f749-e294-436a-bb7d-6a9a20d701a3,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f1eaeaa-e0c9-462f-a0eb-f4fe159928c4,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66b9541b-f7f4-4876-ac64-ee62555106c5,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94687619-8d0e-4e52-ad07-5fd3a116e81d,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,148c533a-6508-4699-ba83-2adef33c82e0,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91465815-a13d-45f2-aa8f-23cb2de142c4,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,794403f5-747c-4b4f-93f7-dc502fa35319,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b8812f8-fc14-4bdf-b446-85313684ed07,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70987346-3358-45e7-beab-af5eb750ffa0,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35683be2-3da5-4385-bfb0-51d3192b16fe,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ebb0a7d-3bef-49ff-a208-a09424d24c95,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0032d0f8-a673-462e-a56b-ecf872bd3505,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,170fd7fd-e939-443b-b348-b06eec8a1bc3,"4/16/2021, 9:07:19.680 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a29eda5c-d7c6-4392-a3af-c9ba273b6dcd,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1836111b-7bfb-4cc7-9e2e-313d6f935d9a,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ab2ed13-8018-494c-ac46-76f5feb87611,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,74242f05-41fd-42a3-9f0a-f4e09e43dfba,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3a432fd6-f29f-4e0f-8d66-c0751e47edeb,"4/16/2021, 8:59:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3b89314b-df4c-4ced-a5d2-927a4b1e65b2,"4/16/2021, 8:59:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A 
new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7817e7c6-480c-4ebb-802e-7ff3cfb9956d,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7dbcc5e4-f449-4cca-a407-0dff13b90cbb,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42e24d74-1348-4fe9-b638-929ff709322f,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,cae35b17-66c5-4ca0-9659-b5007a00cb5d,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,82465fdc-4ac7-4572-a11a-84b146a1a62d,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + 
WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60b3643f-4c66-420f-b583-8e029fce40c1,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ff7092be-3735-4fdf-a2c5-cc9e7f0dc92e,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,decaaf35-c326-440b-99b7-95b26d009e5b,"4/16/2021, 8:59:03.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11a8b934-9145-4fca-ab3d-c7909de90aff,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de4ffe67-f67f-4867-85d3-9b13cc235e5f,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9d394c-bb1e-4db9-a97f-8bc7bc897d8e,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61a39c2b-c7c8-4f19-906a-e5546c9718a1,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecb99495-bef7-49be-bbd9-5bf490d2f88c,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b1c133-b3c6-4478-899f-bdf175a4dc09,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb8b3ed1-3be2-49b9-a0c3-ac1c6cd76735,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\HELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b4913a6-0083-4f69-bd6c-52c39717b3ad,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45f24934-704f-4b9e-99ec-4474cd2913ce,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1bd333b-a82b-4a86-af4f-2633d9863136,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f4e39bb-dcf3-4d65-b6e3-3b9dadf643c5,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffcc10b5-18c7-4fe0-bf59-a02e0decd196,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70dc008c-63d0-4ae6-8d57-124ca52f3f92,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03b425c1-b885-4863-9da4-e68396fe7c07,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0cc26a3-f6b8-4409-b96e-f85ff31294e6,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12cd187-f080-4284-99f2-9879e1e0eaeb,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df4cde58-2db9-4ffa-9bf4-e052bed56360,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccce8c68-07ca-48fb-b01f-95719fe6ddb6,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84bc97e2-b203-4d50-90ed-864fb9347cad,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2845e9a7-a9c6-499f-a010-974edbbf9bf9,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94e0255c-e083-45d5-95ab-0061c7f242ce,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbd21db5-f1f7-435f-8314-314be1115555,"4/16/2021, 8:59:03.127 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,64ecd43c-4fd2-43cf-acc1-82f6fcfcbdfa,"4/16/2021, 8:59:03.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90369d1f-501f-4359-81a3-0c86a4212169,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1fc06e7-8dc6-4d98-903a-25919a45cb2d,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ed42c69-3848-4119-a4f9-29712063851a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,186a787d-ee2e-47b2-90a9-8d8860504889,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f17b33c0-b25f-4fe6-8912-515cb791a89a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ff35a7a-558d-44f3-929a-817d0e8a8d0d,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69d3c9e8-f935-4b09-8684-a122270a197a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b436a6db-58cf-4035-8242-8fe04b66f9fc,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed377e8d-3d36-4b6e-82ef-398e7d4ec326,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b15b9438-2a82-49d7-975a-aed5958de404,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d45a025c-4027-4a87-b7f3-9678501cbd30,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f164fe8-3c6c-48d8-8a25-191eb8af8829,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e658e6-f45c-47d4-9588-9b1895994926,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2934630f-1107-4a4f-a260-f86f39fad8aa,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22aff42b-906f-468a-8865-e66f06d9a0f0,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9c035a2-fb98-4c47-940a-757e5728332a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,688f9765-abc7-49b0-89bc-be14218890ea,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,042febc4-a21e-4fd3-8fd4-a51095766fbc,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fd4476a-2e0e-4fef-bb28-fcd09c627f21,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,641c7f13-e2d9-47f2-aeed-6d533dc2c0b0,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31460f3e-e79e-47d9-8298-489f4ea930d8,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cee57cdd-d776-422f-80ae-ab99ee7d6568,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4383f636-5afe-4346-8ea6-fc76222db0d3,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c15629a9-6143-4ca2-a94d-788a259bb357,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0742751b-ca6e-4798-9853-389cd6e1a08d,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8720 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0a1b3fe-d97d-4aba-a705-bfb9acfa1b98,"4/16/2021, 8:59:09.113 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8240 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,513dbec0-3b05-4fa4-ade0-044caba707e2,"4/16/2021, 8:59:09.113 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3e904d4-b42b-42af-acf5-ec4a0fb6a2e9,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6870978-7039-474d-8091-2a6b9615ba89,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7495d04-c2d4-44e7-b71c-bbc109fe2816,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\AALZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4e2f2c-983b-4cd2-b7b0-6dd87c6c2a3f,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,578971b3-f458-4db5-a72d-0c750c3ea467,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ace70f9b-5c88-495b-a6a4-64191751d833,"4/16/2021, 
8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1379567-19e2-4c1e-9416-9623a71ae85c,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0df3bd-f608-49c8-b707-761dbd4a9151,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba34807-58b5-4d71-a437-60d099a516d0,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49ee7b12-9871-4032-adb2-7098e1358ed4,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d527335-4873-4068-ade6-69dd0f1366cf,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce076fb0-14ed-4f5e-bce1-9a780251208c,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1214599f-e549-49f7-af63-b51abb9feffb,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07a9a7fe-22a9-47ab-890a-9626e3e3312a,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8ba64fa-6d6e-403c-8f3b-1af113c161db,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e22b97a-e195-435a-b26d-a9bd9c3b0efa,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b862b86-b1eb-41bb-98cc-5848c1a2cbcf,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b597aa3-c60f-4aeb-9d22-a3125948e46f,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a7c561-08d2-4245-8889-ddacad1d5313,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48daff99-752b-4bd8-b45c-e621b27a20d8,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee78ce9c-e66e-4c8a-96df-880a6a89eb0d,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19c74c93-004c-45cd-a9ee-21f1533abe18,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a94c4f3e-8cd6-42d7-a72c-851d4be87257,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3e367c7-a669-4dbe-b438-0113ab8dbd4e,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf679e3e-5a00-4e75-8153-61a96723e239,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,132c0396-eac2-45a0-a354-a7233d22ff99,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fca7449e-e7f3-47f5-9cb2-32ecf6b14378,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ff44c4-39ce-45d0-8814-5cf4b8059bf2,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f475166-be3a-42d4-8684-7852512a8bab,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,793b8cf6-4fc0-42f1-8139-24ebe7527b66,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d5fa577-b105-4dfb-80b3-91d9d3adfbaa,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cff1d7ce-c449-4245-a348-be70612b1a20,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b85440ca-8bc3-473d-bfab-7f2d4ca51f62,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea28e3c1-c403-47e5-ac9c-5f5fd6f41a92,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,238650a4-dbf4-4255-9eed-3b0819a3136c,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f92764a-383c-4cd4-9987-6126ca0c9df1,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21f6b240-be9e-4354-8fa0-8e9bc4c8a7f6,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425e8b36-e8ac-40cd-8876-11aead66d56f,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0dc72aa-d4e3-496e-83fc-9e703c6aa774,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5fd608f-ebf5-4491-af5e-8dd9e42dd922,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352481c4-0d21-4914-82d2-985352ab8ab2,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70c5b126-98fa-4a9c-9c6c-fcdab2aea949,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0772ab8-8ae8-4a3a-badc-5368365d3720,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d55e943-65f2-4e3a-9f0d-5a1e8110a0b4,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dec7bd9a-7907-4b7d-8686-85b3c6b97f39,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\BACKUP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,add1ed27-2fc2-4c22-ade6-81f3c7eb8fa3,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, 
+\JOHN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,99894e73-22da-49c0-9630-05d659d857c5,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a504174e-affd-41ca-9dae-2ec58fc4a9f1,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b63e4cf-0247-472a-bd90-e0c1100e3c4f,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76edfe9c-b0c4-4b1c-9260-96d305bf7cf1,"4/16/2021, 9:07:19.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48800852-71b3-44b5-b90f-4e1006f9bd13,"4/16/2021, 9:07:19.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7b7888b-81f7-4e6a-9416-5a41ead3b6bc,"4/16/2021, 9:07:19.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + 
EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c3a06e7-fa72-40d9-8304-bc80f11a5279,"4/16/2021, 9:07:19.413 AM",,,,,,, +\STUDENT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8b5ba9c6-4952-4b7c-bc6a-5f72a146f850,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,872e55a8-c88a-4680-8fa9-3e3477ca2ce2,"4/16/2021, 9:07:19.413 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27a1b46e-847f-4930-b05f-11b855807c43,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0767fb7-71de-4748-a212-2f82c671f4a7,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,008047e4-24bc-487f-9f9f-57d3196095ce,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66391ef1-b6b8-4908-b674-f2637c90f61f,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc5ce320-41ea-4709-9595-9ea07f157ac0,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b79401af-cece-4712-93fd-33bc2830b07d,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0e2d427-50b0-4f5d-a57a-45f54099e7f1,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1066d25a-b677-4d81-993b-880e676cfbfd,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,feb3bcd0-4f0b-4894-a41d-ab9a629d93ed,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34d47153-4856-4f49-b7e8-6e65fbb7584f,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2a9036c-752d-4c74-afba-a2479714949a,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbb20726-4fdb-41c9-8ba2-961813aea9a1,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,caf6587d-a84b-4835-ba73-3a9c556fb077,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd7dc42b-a939-497c-9bd7-638307ec42c1,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4968e061-168e-48d9-b164-153b53f698b0,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,133c6012-6cf7-493c-8e0c-7a076a51080a,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34b29439-76df-4384-ad76-3ee2c68cce71,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19208b00-b4c5-432b-b806-ccd4a8005ce0,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ca75733-c343-4d71-a078-e46baf26ea6f,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbc62d68-e715-48c0-9806-1ca906b47e60,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4badec8b-1e1f-4d30-8cc5-f6bd719f1462,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a932a11e-c234-4ae6-b178-35a2a7047b99,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78199a95-cf1d-4e29-a1e1-c2e6498510aa,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,487d42db-70f7-4c7a-aefd-ece0fdd5f549,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f9c63e-b568-4bfe-b4b0-4b65fedbc122,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6305507e-92af-410d-b962-0a7da29ae5f7,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d9b9153-1216-4b98-abff-b44168e8a534,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a044fbc-2998-4767-a566-877c2b22dda4,"4/16/2021, 9:07:24.122 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,211bf34e-aa55-46fc-9b52-5d6bec192349,"4/16/2021, 9:07:24.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90609a5c-0ee0-4354-a306-11fab21ef33e,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de148eed-bcbc-4407-a5b6-de22c962f390,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cc688f3-f420-414a-9da9-69650b8246c7,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,62008e48-abed-4342-81b3-50f48f019a48,"4/16/2021, 9:07:24.122 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1440 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9507aff0-8361-4e21-bd7e-62c118ddbab0,"4/16/2021, 9:07:24.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa1a99f-ab2e-47ed-8da5-b2b8e1c5ddfb,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a079983d-4cbd-49df-9d83-135f1f5dbd31,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,209e5b0e-9f8d-4b52-acf6-3abe3235f751,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58edd929-76ec-4c2e-96e3-718eb7e732d6,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,717a7b93-497f-45e1-9eec-7430de8f0b60,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c86f0878-8d8d-4fc0-b4a5-7e2c8c177938,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb02cad5-ec27-4b6b-9310-9ef8dfca1888,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5be972c-662a-40dc-b1cb-309ce67a3c5d,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20f84ac9-56ea-4444-a7b9-11d15568a9be,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48457f8d-cae2-49c1-b33a-b44b0cb01b49,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,097ae52a-a486-41e3-a4ca-90b41b51b47c,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1aa08cf9-a2c6-47cb-b531-7f382c09d0f9,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ab6f03a9-d4fb-4c9d-98d3-e9d6af4321c1,"4/16/2021, 8:56:09.903 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0bb6fd46-d1aa-4db2-9189-839bfccb2814,"4/16/2021, 8:56:09.903 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2348 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1517ae0-2a8f-43cc-9cdc-78ec056ff9ea,"4/16/2021, 8:56:09.903 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,69fe39a5-22cc-4022-9d0b-0b727475569b,"4/16/2021, 8:56:09.903 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3917065e-d9d8-43cb-a728-cacdd972a5de,"4/16/2021, 8:56:09.903 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,398f3894-b04f-4232-8979-145a7e340e15,"4/16/2021, 8:56:09.903 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6868 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,88968540-eccd-4841-8c7d-84ad8c8fac20,"4/16/2021, 8:56:09.903 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f92da9fc-97dd-4856-a9ee-e9aea745b74d,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ea21bfe-bb0a-4ae3-a9ab-4a9c92fe276b,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed5bf3c-10ee-4985-bcfc-515627702048,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfc9627e-ad4d-44b2-bb58-ac5e356023b7,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1015b8-94ba-4d71-bd82-5e5586265ef9,"4/16/2021, 8:59:20.203 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34e4d15e-2418-4f60-8fe3-3fa2ac4362df,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab849a6b-21b7-4bf2-bdbd-9deca28ade71,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd2247a4-ebb8-4d70-a648-cafbdf320d11,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f7e94ca-c231-4d0c-a59a-8a4f547afa1c,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7eda577-243d-49f2-ba12-3818af878e25,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dda3e87f-1c25-4e2d-b6bc-f78395240399,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d4db19-735e-42ea-8f2c-27886f2d5a43,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c5fe1c6-de20-49e7-bb97-b5a756235f8b,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f109e829-9919-4630-90cd-ff76f085a60f,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b704c1-c621-4c93-b021-1367ad9ac509,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5619504a-cfeb-447b-af6b-e159900d073d,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf8e7cb-4dcb-4e2a-a495-021a5d40fb54,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b670768c-007d-4aef-864b-46fd52160fe7,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b95a101d-efdb-4ec1-bb17-d0e1dd106ee2,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220283d0-1ff2-46de-8859-c7418b164b68,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79f24d50-6a6a-432b-a47e-7572695790e4,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a14cd549-bce7-4a04-a5ec-236e037f13d3,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fbf8873-f994-44dd-8138-f8423dbee834,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,94962e0d-4ec4-4fb1-988d-bb463f68a871,"4/16/2021, 8:59:20.203 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0315daa-5308-4f98-8644-ee7a9258f8cc,"4/16/2021, 8:59:20.203 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1540 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,01c450b8-ec26-4a14-9b57-8b0368a61c4d,"4/16/2021, 8:59:20.203 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8492 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d983983d-ec70-49c6-8615-43094def436b,"4/16/2021, 8:59:20.203 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71104207-aa63-47f5-9e19-14fb4905f4f3,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd1fe5da-3aa2-4951-a027-b14b454b3918,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac920941-da96-4dc3-af32-c1d7488477d5,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63e4601d-c706-44ea-9542-efefa5d6359c,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52ee1a8-b5da-4dbe-82b3-309fc1f7dceb,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c1dd1dc-fef4-4962-86a1-86774ad3ad51,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ACCESS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a15f441-9f5c-4807-a592-d785b9ab04b2,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e101630e-f1a9-4b66-abda-4302fa1bf6b1,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,100a27fd-13b9-41ed-95d8-4bc33f7a16de,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07667541-e138-43bd-a99e-6b5360b8306d,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99e3f9d1-df27-4ed5-aa49-b97f9ddf6549,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8508ffb0-8072-4ecc-b1e9-9a3698e957d4,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2baf240-bb15-4109-acec-1c89757e34bf,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d410d9-c686-4dbd-ba8a-8f59dc305baa,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7775ebeb-141a-494c-b77a-348501b21b8d,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19ab4d61-9a23-4a3c-821c-c1b22b0ac7ee,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bda184a6-5d9e-4e9a-9c8d-2bb22fffbf68,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,101c18fa-d628-4dd0-a3d6-fc8c81d34da3,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b93f9c5-5cf0-4ead-96c7-9f4568e6fdbf,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,542607ad-dda9-4050-bf97-c28bf2df3971,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e990621c-4c84-4ee0-a9a6-1c7164d61f74,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d2b87c5-745f-489f-9c72-328dd00338c8,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87d85327-46ab-4929-81bf-b890d204a72f,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b69314e-4c42-41fb-8dc7-ba478015e99a,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9423093-ef95-48c6-b749-2f06f7859636,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fef9379e-3f80-4f80-95a9-38330f035782,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a98848a-4009-4c7c-b8c3-15e93996d991,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aafeb806-7d96-4b18-bf1c-562b871b9509,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0995e93-4ff5-4250-a70e-81abddb4385c,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f96afc85-219c-49a3-86b8-02bc5caf69b3,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e790f67-2153-4ffd-b146-2eed43edc29a,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddb79a36-f6da-4568-a544-01bb006ec238,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b10d146-d836-44b1-b443-16abe2aa52ec,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0bf2284-81ce-4d4a-af24-b67d89315810,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d360de7-08c2-47bc-a4ee-58e4d2a70903,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dfa3755-50a8-4dcd-878b-4e0410311268,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8489d0f-ae3f-4434-85d2-44f00893ad03,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d78b10a2-8bff-422d-bbbd-5a8b8218338d,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e29e6de-8959-4e55-b040-8af10f87489e,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e6aab7-5fe5-4c6b-a743-5fffbf9b7347,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7e136e2-c93b-414a-97a3-ccccdf8b46af,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,185c9d8e-90ad-42d5-8b32-455ad7e2565e,"4/16/2021, 9:07:33.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140837fe-cf62-410d-84fe-a495707d81a7,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c9520b-8739-4b95-81a0-7d1c7c24250a,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9abd6a84-812b-4731-9b46-a27bd61f9228,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e0cb75a-979d-4c4a-ac9c-9242d05b0ad9,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ASP.NET,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c91ded97-0d3e-40d4-81b6-28d3d28f60e7,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dd9ba09-0b95-4e5d-9126-615dc2d0bd8c,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44ecfbcf-d308-474f-b2c3-5c76ac9e251e,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402d2cbb-7755-4ec3-8a4b-24c48bae6738,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89e76be9-25a7-4aad-bcc8-3fffd3a51974,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7060e49-7481-403e-bd6d-ec806f733674,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945ebf5e-bac0-408c-ae51-92f06dece95a,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b1d318f-bdbf-4adc-af47-6f16d2182e8f,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73e0418-06b7-4ccf-804a-8b7625c2d109,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bca0ba41-f740-4059-bb94-01269161f53f,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12baa323-0bde-4647-a610-2d8cd7f1ec91,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7892a4ed-40ac-457b-bbe1-a0438f77a000,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248585b8-0a31-4725-bec6-53d5d5e9d5f4,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f419ce8a-f996-42a1-88d3-d5378310f5fa,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78f4e58-9bd8-4493-ab34-e5703f69191a,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d152dafe-2d9b-4365-860c-963068a9deb9,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b87e1c-c668-498b-a04d-f623d06e5922,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce25e595-e3b8-47cb-9f81-2314f55ace75,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2061c585-7df8-4572-b484-bd1a5e4e7c16,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a33cea04-a198-4396-a6e8-6e7e2b5740f0,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37ccdb6a-8153-4b47-a5fe-45feea8a8438,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ef25cd-ede3-4f7c-a841-a503d406d5f1,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1ca345b-f8d0-4ad1-8cd5-f8ffab34284b,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e5b352-9e6b-4503-8667-732e78c35fc0,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83c1219e-b687-4af6-8089-464577294d30,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef43838-6b13-4285-80f9-817220cdff79,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c52f2fe2-ea2f-4c58-808d-4e014b094300,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bb41030-d307-4e4c-ad5c-c84a96270cb3,"4/16/2021, 8:59:28.437 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c8336ac-697f-4ca2-b66a-6e4639e4bc5a,"4/16/2021, 8:59:28.437 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0b512e23-cbe3-4487-af51-05f69ec97481,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ec0429f8-0004-4c68-bb63-808bea7ab8cf,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6919141-932f-4227-a6d8-5d567f68c778,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2516 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc1a07c3-2b0d-47a4-bcd4-67019b2848d1,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4516 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,079241c2-6c55-409d-bfdb-9fd198313196,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4796 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - 
A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b29e0b4-5a5b-43eb-82fd-4e68e05b6977,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 76 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9f4d464e-cb79-4190-80c9-43ea6129276e,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6dbf2c1b-4258-4143-97b5-8edb621fcf3d,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,99a3bcb4-b829-4c99-a3d6-bb0764b11137,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9248e259-0a42-4390-895f-0771fc37feab,"4/16/2021, 8:59:28.437 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e94bfc3e-c775-4d8d-826c-6c3a25f61c30,"4/16/2021, 8:59:28.437 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dc9e9b3a-b967-463b-9215-caf5e757d546,"4/16/2021, 8:59:28.437 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5981073-c8ba-4055-9361-1084e5cd50d6,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d076855b-4b4d-40ad-838f-7adc565497df,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f02fbf0b-c253-4de1-9518-a42793f8e7e0,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81d9a801-e2bc-4b43-a930-6280f7979070,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00b58c42-2266-402f-9c67-a518d5910779,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de270a68-1b33-4b3a-b99e-6857ac77ffb8,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60fba593-e1e3-4f01-9d88-0e19124f9ee0,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a5112b8-7c49-41aa-95fd-74b721aa854b,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98c0ddda-0134-4fbb-ac75-01fccd1dc7d5,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2fdca3a-9132-403b-b967-6499a82cfc8f,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e372b95e-f8af-4ac8-ba6f-795c416fceec,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1e97b9c-d111-4586-9399-41ed1c905b7d,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d830545-e3d3-4362-afca-b400d5a08e69,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be1f1318-a410-446d-80b8-ad9ac90e1a1b,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c32ec6be-17ea-44f2-a2a8-9f049ef49033,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ebdef04-4ace-4e7f-9281-7aba66e48319,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2604d53e-5671-4e2a-a0be-0859648654a2,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76c5662e-2691-4d88-8fae-e813ed803a15,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66fc5439-9ac1-4e14-83c6-5a78a8596e27,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,33382f50-1ab7-40a2-a104-b90119c09dae,"4/16/2021, 8:56:20.120 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5fb055-3155-41ea-b60c-9c4da0560d74,"4/16/2021, 8:56:20.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3236 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa233e5-9ae5-421e-9ae9-2cc266c5dc58,"4/16/2021, 8:56:20.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4a2de22-cdb8-4d04-b6c1-b864770f26af,"4/16/2021, 8:56:20.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c65e94d3-04cc-4825-9e63-b7719f30b5ce,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4177c99b-27ff-4126-8c51-1b875d8335ee,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61c5aa25-9478-4808-8647-d482b57a7504,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b18877b-69db-4a40-90d1-7dab054f7671,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2408276-6bbd-4bcf-8e6c-a6b57e945460,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c71a607-280f-4e83-8d50-ecb35555b68c,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dee65187-bfc0-48c8-a7fc-5f87d1f28698,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41ed74f-c1df-4d2e-9b55-ad701c2404b5,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eff7fc2b-95dd-4109-9228-b33b509de343,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dd34f04-168d-40c7-aeb9-49a8d0ac17db,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4597f8a9-2e7c-43e5-b1e9-2416eb411954,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e8be1cf-8f37-4e0a-928e-0d2ad51792d9,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91ec634c-ffc1-4ae7-ae81-43a3434bc340,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41727422-40ec-449f-aa9b-7185a820d9e5,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebdf1d05-ad89-4f48-8eec-5c6f13a9ba17,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\VBHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e00b686-5f8e-4205-acef-d1754d5cd26f,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03b2d79c-e0f2-4e10-a265-6f5aafe66fde,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21507081-e88e-48f7-a6d2-31d07d356c89,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06ec3a8e-1bd8-43e4-8bb1-3a5b7a09baa6,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afa69eb5-5327-4a58-b472-52181668a275,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1471289-7c6e-4a68-acdd-fc2ac2cf7ec5,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad534f67-2274-48a7-8b07-21d48caf216f,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b3ecf5f-f66d-47da-9ba6-8b84e6f0cb76,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bab03e3f-4d1b-4c64-9f8b-3db639ed5038,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 
+ %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13175b5f-4ec9-4b49-8cd1-ff53cce75181,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0805e301-39f5-4b4f-87da-8dca7e4c9340,"4/16/2021, 9:07:36.087 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6efffa5e-3981-4a23-aa3a-ba9e283a2a45,"4/16/2021, 9:07:36.087 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,895344c5-d469-4634-989c-f099ae0bb470,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cf3b97f6-7eaa-4579-a9b9-ca39eaddff80,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ea63da92-896d-4458-a289-74a90beaff37,"4/16/2021, 9:07:36.087 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd50dbd6-7527-412b-93a6-1b99a8b1ed4d,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,163a6bc9-1d48-46e0-a5d8-a6c40bb0a2e5,"4/16/2021, 9:07:36.087 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f32191d4-15da-425d-a161-ecec58daadcd,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7220 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,195e97e1-5b3a-4a54-bc99-61378e4566bc,"4/16/2021, 8:59:29.579 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,649af5e4-f1a0-4fe7-8847-ded439e1e0cb,"4/16/2021, 8:59:29.579 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,76c45036-5dec-44cc-ac58-37b4d5366504,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2116 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d038daf-4837-4e1c-963e-a554bbe2fe9c,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7240 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,997f42b3-3390-430b-8a24-ad25c23f73f4,"4/16/2021, 8:59:29.579 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,99897cc4-adcc-4a4c-aff0-9c01b8042d16,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11204 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1b799481-5ce7-4ecd-899e-e5c7dff42c6a,"4/16/2021, 8:59:29.579 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,157da3f6-f00e-4100-aceb-b09acb507a99,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b3b206c-8d4d-4130-9d72-6b54d67073a5,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f4f3df4-3872-417a-9e37-b31c42afa2bf,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95b8f8c1-90e0-40e2-baaf-93b3d952ff14,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a948727-8fcb-41b2-b3b7-00092a0a677d,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ab24664-390d-4172-81a3-539acab466a6,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd58616e-dbfc-4a40-8e47-a6e637d3bc46,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44bd6d5f-3c3a-4eac-b310-a9cb5439b839,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f2e8f30-c3e3-4559-b8f9-651d834c35f5,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca9f2f48-9ca7-49c4-ad69-500695f28f1b,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85929c88-3a4b-4ce0-9695-738e90f88eac,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2711ac46-184e-4269-91b5-96f444cf2421,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d226fae-45de-4b58-a7f2-529df539d10b,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a21cdcd-de8a-4e20-8661-049de7321fbb,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,237a6f47-b429-486f-ab8f-edac31b7ba0c,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3fa541d7-f2f8-483c-a2d9-3b4becdf41c2,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77686f3b-27d1-4370-ac29-4c325efb9ab5,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,662b52b8-808e-4200-9756-6ceb4f6ba0bc,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\HAKAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67f9f2ff-d3a8-484b-8ca0-53b74ec7f26b,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d19bf7f-35d7-4f44-b4ee-68fd88ac09ae,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd8f7de4-5cb1-4a03-b149-d9d6dd68371e,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90d4f925-93ff-4f98-bbc4-57c8c9e8601f,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8a99a33-9414-47c4-bdc2-3da5277ad26e,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95441066-14b3-495c-b1ae-820f43585f36,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c5e105f-70c3-43b7-88b3-63a1e8181350,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d927c51-9469-4537-a8d0-081ffcaac6cd,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c836a65-bba7-4f4d-97cb-1d74bf48f822,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a353d0c7-f88a-4bdf-8075-31ff11d77f5a,"4/16/2021, 
9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92b39fcf-0cad-445b-9de1-98755ef0d8fd,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f45bfc84-c950-4b72-ae4d-96a909dd7af2,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eea78923-33ab-4970-a1a6-68c4a7e350a9,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18ebdd46-1f96-4fa1-b9b3-91a3310a4b02,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba390059-e653-4fad-9b13-99f4e3782744,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a5323ab-e48a-4ab6-9d6f-1b9fe06de46e,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb9c74d-6e27-490a-8d16-8695a4f74c7d,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,baeea932-e043-4ce7-bf70-8041f5d1e8db,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4463abfd-d4d6-480f-95c9-278fb45e843a,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b037b57-b0f6-470c-9c3f-ba598eab4116,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24bdfb49-1f08-4e67-9a4f-337f09659cb5,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2a0fc1a-793f-4f10-9812-195ea2b3ed6e,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9515da51-8f32-43b2-af67-2a5a507851a5,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8826086-4894-4a31-bb35-ffda588acbfc,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ee06c68-9179-427a-8ac8-ebba5f2dde86,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70aabc79-e0da-4b4d-8bc5-a63a41c61d05,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,99198fc6-68f4-4536-b163-8930ce037644,"4/16/2021, 8:56:37.417 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7676 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e50e3b5c-96e4-4929-9823-6a690507759e,"4/16/2021, 8:56:37.417 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7324 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cee5cf81-e2b9-4f2d-9004-406b87f9b5f7,"4/16/2021, 8:56:37.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37641846-c625-4944-a08f-52e4183388f2,"4/16/2021, 8:56:37.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fcd2a77c-c0ad-4289-a3e0-364c8ee63695,"4/16/2021, 8:56:37.417 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,13331718-0d84-4f53-89c7-273ab10867fe,"4/16/2021, 8:56:37.417 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ccb65165-817f-49b4-8fe0-e95e307bb8c0,"4/16/2021, 8:56:37.417 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf2b9c8a-3728-4d7e-a305-f40c2fdeb2a0,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b49bde-c959-4341-b33c-4a09b1810ef2,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87f59f78-c9cd-4901-aa08-ed1a1ee25d89,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21005aa6-63d4-4a4f-9a6b-a0a130442b58,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec5bc672-c50a-47aa-8d85-c6f0e0fee9c5,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c134f0f1-57e3-4e73-9d7a-24e137efeb5e,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6a8607-e85f-49ef-ad03-2f9e1437144a,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c47c47f-fc29-4703-a05d-8e0c344e2445,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f136e55-0e19-4b7f-9bd4-d5e61f1ddbf9,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6177d069-4439-42a4-8aba-61df2ba6da32,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dbab913-fa8f-46e1-99b6-74dad6e6144b,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1aa3812-e567-4d95-8abb-d46d1ceda077,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6623f0f4-6fe0-417a-99fe-c9e50a809aed,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33fd3626-582f-49e8-ba2a-cac9b5de24a4,"4/16/2021, 
8:59:31.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,084552c7-2f1b-495f-8f18-954e41a155b6,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df7e88a-60ad-48a9-96b7-ea99be609cd8,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eb25d0c-328e-4d57-a902-99f17f9f0243,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2f7631b-2868-41eb-bdef-7d075c7304c6,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,966c1ab7-3f30-4bba-954d-0dedfe6335f5,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6308cbb0-9834-4067-862b-d3cb62784020,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,529cbb8b-de2f-4755-a6cb-0352a620f8dc,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1d50e52-072a-4f61-a31b-cea2e2f72784,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,565a5eca-c7d5-425c-b67a-a16689acb4b0,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13db21db-0f47-4332-945f-3065d531796c,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,0f0e5cb2-194a-4573-b730-6ec2f2da2dd7,"4/16/2021, 8:59:31.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aacd6695-ee6f-4bce-ad27-8ee49cef752f,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9c3e6a-2ef2-4c09-9773-cd3ed739caca,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbace9d-d7ba-427f-b6f5-c629fdf9f288,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061218e8-6798-4e43-bf8e-bdb8cb6d5f5e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d84b3ce-522a-4bb6-ada6-97551b547490,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d706aa4d-2bb6-46eb-9ea6-32b9b21713fc,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXX,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,634ea411-fff3-4415-91b1-ff7b55c84f5f,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d6ee821-e3b1-4468-80c8-0378e417b07e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba95d8e-20a8-44b9-b047-6070ab053047,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXV,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aeaa8c5-a24e-4fb0-9edb-9be2855d3ec5,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d644d18-e448-41f0-b004-8fb4eb10c613,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf700e1-de07-485d-96c5-426a85879ea1,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9f5837-e5e4-48de-9445-853f88f9bb57,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb34440c-81fe-4ba2-a7bc-973d918d2138,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c4c4d3e-0e46-4ef2-896a-6402b4b0b0ed,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXY,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4033edb7-8cd9-44cb-8aab-d74eab008f4e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXW,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,305227ca-22bb-40d8-8234-054ea3baecf9,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62517bd3-0e83-4fd0-9cf8-d5e80adc656c,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58a7241-86a3-4844-8707-196dff9b01b0,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13d1fb38-6eaa-48c2-b0f9-0f83d5acba4b,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5469165f-5c59-4b72-b8ec-eb99bdc8dcc7,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e574d858-7e2f-4090-8ae8-59eb62265d93,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a13d0b93-2868-421a-987d-f5b4899db86d,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e067abd-78a9-4c9d-8088-f64731a1b9c0,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80304c51-b112-4e6a-bb46-f70acaaaf9f2,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3526c498-8c34-422e-a9fa-f3a48a3d0c8e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07dd5195-dfb7-43ee-86e0-e0b26144535b,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0d7e794-9404-4e56-9f61-58e96c279e16,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c2523aa-6efb-4142-98b3-4f7a6886fd97,"4/16/2021, 9:07:42.591 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11088 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c62632d6-1524-4e58-8bf3-67122ef3ea50,"4/16/2021, 9:07:42.591 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10504 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,41c0752e-49c3-42de-b1b5-b66577680dc5,"4/16/2021, 9:07:42.591 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11232 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4b44ae52-4f70-4efb-866e-d4f2a1b68789,"4/16/2021, 9:07:42.591 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,477fc59d-a263-4cb4-8adb-ff33896bf2f6,"4/16/2021, 9:07:42.591 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,37479de3-7ca1-4594-8ca9-169c734451cd,"4/16/2021, 9:07:42.591 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89f6c066-372a-4d13-80c5-b40d88d42b27,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9977baf2-2a7c-4513-8315-7a5cd526954d,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4079a6-792a-4579-b4a0-489fa77b1333,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aef30d9-4ce9-40be-99f5-b5ff61c056ab,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ee3614-1455-4514-9557-21d05da5d9f5,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26a90879-10a6-4da5-9c11-5906e1f01fe6,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,f922649b-69f9-47d1-b1b9-186675e0e88f,"4/16/2021, 8:56:37.111 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a283e81f-9d4c-4cb3-af82-b926ae44127f,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12d3954a-2425-4a84-a3af-2be2f5220e16,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a60eb52-f3f3-4427-a750-3e8e31fe1310,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09d87a15-5e0c-46d1-b993-74bb5fd26289,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1385ba-8788-46cd-ad9c-f409fa9ba9c2,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b87483d-8471-430b-aa49-fa7a22d97b4a,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,569fb0f9-c76b-4c8b-bdd2-762ebc53b712,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,500232c6-34d1-44d2-ba2b-72ad3503b242,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7312b3de-a167-4d74-9dd4-0d860387b884,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,866d7e81-5fb7-4262-9afa-121719bb4879,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b69ccf8-a6b1-4b80-8261-0e3281ce52fc,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde03030-7939-4968-afa6-0ef4ea370238,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b645d82a-4f11-4289-bf37-7f63bce7b934,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cc63a66-b43e-4608-b330-77fe34d8a1b8,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ac899c1-5367-4e61-9fc3-975a7e36a8c7,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35b89567-642a-4c6e-8f14-f8717b53edfd,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c50f491-eaf8-40a8-aded-e21e8949a6ad,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ceba2e2-f752-4b1c-bfc5-0230b245b511,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eefb9c4-628d-4b50-a958-e9693d052134,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c53ef4a1-3ec0-462c-a729-8799d017462f,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8ee7c39-372f-4dfb-b909-178a7e3dc9f4,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a780d8cf-9f8f-4cb9-bb0f-d0233db2cdd4,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dca9ad23-8a87-4953-81fb-ec1f0ad363c6,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40816169-a7f2-4253-b4fc-24923ced9066,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f98abd0d-4830-470d-a81a-21e8e9f2df78,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d2b01f-2f8b-4f7a-b5f9-dc02a9405c6a,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,075b0ce9-c582-4c6f-a215-fca3c6672729,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ddea0c4-48b6-424d-bded-fadc1b5bd85f,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,703a611f-f7fe-4a03-a0c2-3fa8d72c2584,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a33ef6c4-1472-4e99-b340-4c36280c6e64,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ca7c55-aa3e-4265-93c9-5d9c31b589e9,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b4003d6-0828-4227-b0c8-ed1782b04558,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cb6ef0d-c161-4706-b337-ddd71b43311a,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52961c81-d874-4d58-86df-dd7282f5ef0d,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2a24b89-6806-4ad1-ab21-e2772ca6f11a,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96cd97c-8542-4b80-9e2e-1712b74db170,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf6defcd-7747-4aa5-9662-a8bc96f291f6,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf314c91-a1d0-42e2-8a79-23928025a9ad,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37416aab-c5eb-459d-a15a-512feab83253,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ea3f1f7-652d-4078-84a1-7a85a4e3e15e,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee6040af-0983-4095-90b3-750062cef671,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,be920414-715b-4ddb-a551-ff291210a22a,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,959d44c3-f68b-4ad7-8256-1abc957a80cf,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,57f13f62-0089-4c62-9b85-1c0ce622f454,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,9261ab02-4815-4a31-b1e3-3dbf9aefd285,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,74dc1dec-0a92-4eea-8a23-66741629f2a3,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb2e3c04-2590-4239-9f32-23e19f6dc577,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4744303f-a0ca-44e6-80ea-c1cee7f227fb,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0a32d54-69e9-46f5-94d5-91541df74c2b,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,455f478d-97f2-4a28-8ce2-77d94936bfdc,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f5abb84-5274-4fa4-8574-d202fa3f944a,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,86b6d670-d9f6-4e84-b478-9f36b050a160,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a24683c-f7d9-4e9b-86e4-5db363103057,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3a543fb-fdb5-41a0-8c62-27688d11ae16,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a8daf12-1a7b-4f02-be80-abf9bc588e77,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,46cf7f68-f733-466f-b6da-835998af3b9d,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e22de24-d512-4b2f-ac9c-f5c7bad02505,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ffded22-45d9-4fbc-a3a6-d6c49959a70f,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d0c6a56-ca8f-4f41-b96b-f4c5d1a1530c,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f586ba-2e03-4579-bfcd-8cfa4352ed8d,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,d827c1db-2c31-41bb-bc1b-86c20653ead6,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fd4534-5a10-4b5f-af35-47bf97a02e15,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e292a54-45c5-40dc-b746-b7a4570654ae,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59ef7bc-3348-4f26-8630-e480090e65a6,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c3bc8d2-576a-4f33-94f9-af0f22d22c3a,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7fd534f-76ce-48c7-bd35-ab0cf73edc3a,"4/16/2021, 8:56:42.137 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7601a69-c0aa-49ac-baa9-987cc963b4d6,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdaa0723-c29a-46c5-9105-a61f144096b7,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6608 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,38738561-17c2-4405-9c83-47bf43431024,"4/16/2021, 8:56:42.137 AM",,,,,,, +\BOSS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f8da7e6-2046-4857-b443-282ad6ef1f92,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\WINNER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f42eb72f-eea4-4012-a2f5-6195ae29a71f,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\WAREHOUSE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7c6201a-1c0b-4573-b108-7aad18ebc8f3,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25ec6dee-6c4c-4b94-ad9f-256df2da1e30,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6855c3f5-d2ff-4dff-b7b2-436e89550dad,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d86d78e5-9613-48e5-abf0-4afaa8ae3980,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4152427f-5323-4052-ac3e-4243a464e7a9,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8aba48-ea9f-456d-a1fc-06d29c4a8259,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\DXZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a79a76ec-97e4-4494-85e9-be83895ccdb0,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19224b4f-3786-479f-9030-a65d8f0a2083,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f313adf1-56d9-4045-8154-dd7cf8e9d5a3,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c982e1c5-ba5e-4363-8e49-2b6f46ba05e3,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be783218-56b6-4303-bc12-3f85c44b72f5,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73708c1b-d018-492e-a598-f9b3f76c2937,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c64ee707-8968-410a-bb21-b49eebb82c97,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f636941e-819c-494f-af30-c28893ea9229,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,722b3578-3050-49a7-96bc-62fb5ca386aa,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\CJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbc145a2-dbc7-429e-b665-041a009d69f2,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2004d7c2-29e4-4268-8cf2-e177bfcecdc0,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea45d5ff-cdc8-46db-b5b8-42c37a2c9bbd,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53bb833f-8770-45ae-8bc5-0c5557da9c60,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b16926-3976-40ba-9bdb-82116efbbaec,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea8d1ed3-1118-41c6-af53-607bbf78916f,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df348598-4cb2-4679-a9f6-c4493ac77261,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3678c429-f582-48a8-8ab7-17f6f1e87cd4,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b30e0ca6-5006-4476-9215-2d9ce7d4a5ad,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,68eba114-96e5-47e7-af4c-a49787451e99,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,572b715a-400c-4696-acd6-e1bc4e0240e3,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6d8b4771-53c6-4b2b-9483-9e8e758fa24e,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,391d0043-9710-4a53-a4a1-8f84220f91c6,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8963e9b0-9881-4670-9505-03b7d95cb285,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6a231d2b-365b-4119-bfbd-78231904dd95,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fcd1b8c3-4bf0-440d-9b63-4c102d41aeb9,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1e751933-62f9-4f5a-a380-ca68e1613957,"4/16/2021, 8:59:36.053 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38b9e1e7-08de-4250-b285-289d36072412,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8611361e-b38e-4dc8-8ff2-e61604007fd8,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e15105cb-56b6-4189-b230-e48dc4afd8f5,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8da13f24-8fd5-4463-b397-42de08f10def,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc6c0e9d-38b0-4730-9df4-88c84e45f0b4,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f320ede3-7a16-4005-ba6a-514d25aa0088,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43a063f-5a14-4d0f-a8ee-a0339027ab7d,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02c8d300-ffd3-4fdd-b407-a3ae1e9c5d5c,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a44a842-cff3-4e8c-b72f-1e8f4032f1a7,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d734024b-f44a-4bed-9526-f381b5b26bea,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dfbd3d9-903f-445c-b8ba-f6d19d25a73a,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be5f865c-183e-4cbc-8ce5-49d6b87204f9,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\WPSERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9534c7b7-7309-4ad9-adcb-883a88793b65,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f586bd5e-9dad-4ad7-991e-957283d3d9ad,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2ec819c-d864-46b1-8e7d-b149ea3e5cf2,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42c5520f-b78f-4dbc-8894-036a97e09c72,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97b0d97f-1d51-4831-9203-a9b190253320,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e141758-59bc-406c-b916-e4e11621575c,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ea5c12-87b8-499e-9bae-37463d35f242,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5de142bb-6591-4916-947b-0e379633feca,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66b9771-71cb-482f-abf8-89d55e3acc18,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba520787-4954-4f2d-a925-283434c38498,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f194ee3f-3e79-423b-a3f0-23a5b1cbf558,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54c97e00-136f-46e9-9531-58463b66ca44,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535a371a-829e-4124-bb70-0bcafdf8c624,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c271365-c333-4858-80bc-e47f5e332ef9,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7778181c-c1b3-4dc5-a3f0-29df1253d464,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04b2edc3-dd90-4bd0-be3f-7cfeed4fac08,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa5ba92-8cc6-4ff8-9c10-38c6e31b8689,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c203e6d-7817-4866-a3f9-97af5b78b3fd,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e85f3f5c-e872-4437-b5dc-4c25ebee4dd4,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97a4069c-c776-4461-8088-2158188da7a9,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d528e65d-58d7-46cc-a8f4-8b78ce0db61b,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed19c16-8d2f-43f2-9190-1028605a9a29,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00084960-a505-4d67-97be-7b879d187f36,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,475bfe8a-6a28-4726-8239-6a87011c2017,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4f9bd02-5f77-4358-868a-c5992f6cc36f,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b984fd-2069-4357-8dbb-81ce9f5daa73,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d652f1f-aff3-420c-932f-83f5b4de7c8d,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a68efd9-9444-4816-b6ed-b8234579488d,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cca6f27-f92f-4812-91f4-0e5ab7424456,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f50d8be8-763c-46d5-913f-faa1025ab159,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033b1ec0-6abb-4d92-8631-f1f9b37a2c73,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1498f85-cf4d-4c47-9ebc-366a8df59dc7,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f71f5806-d507-48b1-834d-b9f1a2883c00,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73da50ad-5399-44e0-8f1d-846bdf82b9fe,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, 
+,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,bc1cb4d9-1a6e-45d0-9c1e-d31b6844c3f3,"4/16/2021, 8:59:44.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b278f2a-85a5-4f1c-83cb-bc461c02d349,"4/16/2021, 8:59:44.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d8deaa9a-7ef9-45cb-a2c8-91f95525ec3e,"4/16/2021, 8:59:44.862 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0021b3ca-2e52-43e8-9018-1ad549574599,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fa5148c-5aca-43e5-94c9-0aef4388811c,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,293c11b1-e637-4c4c-af7e-34fbbb306016,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88a35a66-0f04-484c-9b23-b6c72927e928,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e7c5111-5ff3-44a6-bde4-94ba41f6c95e,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6fc15d9-02d3-43c7-bf20-379ca96eb8b5,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1635bd59-ac76-45f6-853e-61bdf6ddd25e,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ccaf2c-6b4d-409c-abcf-7207b8d261e4,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c1cc813-dd3a-4e40-aa14-67c8f3cb88e7,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e22d1ef4-70f8-41fa-8821-32a1d258343f,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04448cea-2582-4d3c-9b41-6d48ef43f5f8,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51af0cde-7348-4abb-bfe5-6cd29abad598,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00bf517d-9400-4d9e-a6b1-8b408d3c940b,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63f56905-0e17-4a07-9729-93ba621b13b6,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,939574a0-f51f-40b6-a947-d8d2b59d3ecf,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,057e2e6d-870f-4431-ad33-194db769544a,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24415295-a7c4-437d-b6d5-6fb063fc162c,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08d13609-cafd-420a-8182-f762a9014713,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cebd6a7-d08f-4956-bb9a-04b953230e32,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0a9087-e7a4-47a3-b5c7-983b4f1d722d,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90182919-55e8-4ac0-83ea-9d1b4a1d431c,"4/16/2021, 9:07:50.770 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbcda7d4-32c1-49b6-a36e-3d0799016894,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9420d837-3de9-4964-86f0-92e79491a700,"4/16/2021, 8:56:49.259 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5164 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,eb9f6f22-d818-4236-a97b-d2d52bbd1dd3,"4/16/2021, 8:56:49.259 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6640 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 
116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e4ded2cd-c743-4648-a362-3d00d96bd95a,"4/16/2021, 9:07:50.470 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a67a6b2f-2569-4e3b-8182-714cc996b43b,"4/16/2021, 9:07:50.470 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,25e2a20a-5279-4e56-95e3-d9d831eb653a,"4/16/2021, 8:57:02.615 AM","%%5649 ",0x2,-,-,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5694aa27-53aa-44a5-98fe-1798b685331b,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7364 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3262e057-f440-4d53-bf68-49be878d352c,"4/16/2021, 8:57:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7fdf260d-907a-4cc6-9596-930c8d4d8bf7,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae06c8ef-a86d-49a1-b102-053dcc9748f6,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7176 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0229dbc3-4e83-4557-b6fc-a7c723fdafc5,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e2a08810-4c36-4954-aeb0-7f033a01c06b,"4/16/2021, 8:57:02.615 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,8f171b62-0d3b-4cd9-9bbc-d361adb37e2a,"4/16/2021, 8:57:02.615 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a74045ed-3dff-4cd3-9118-6c4c226443df,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12837716-ab31-4754-b09f-dfda69c87f46,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7951e655-b8d7-492d-a24b-07dfe78eb93d,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73290091-8d87-4256-9473-119b871f039f,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5004db4c-4eae-4cdc-845a-7461b4d1ab72,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2975d4b4-4ee9-45c8-95f7-85086b06938e,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2059bfd-6096-472e-8530-0563cb500f21,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a378d271-7114-4eec-b15d-d3183ddd4abd,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26643681-ba01-405f-a153-ce5e1f99a848,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62c0211d-f995-4738-ac18-970141fcf7b2,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c66ccff-2e3a-470b-ac96-4396a2f0bbd3,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed8a0068-567a-4929-bcf7-72511337367a,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c95ea11-3b17-488a-ba18-d2283758d5cf,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21534871-1088-46e1-8939-b02434a04fa5,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f4b2912-adf2-4e86-9f57-b13726848044,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a6935de-6871-4888-8165-430182b58e5f,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ccb78de-641c-4bc7-9c95-26deb8df6aaa,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3758ce0c-a57c-48fb-8726-7dde577f0a49,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e3af52f-92f0-4f2d-b4c3-c9d310805efd,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b56730ee-4313-4c7f-b864-d8007de46605,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cecfd111-f9be-49c6-aa3b-6629c16f8340,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2f1fab5-4a21-40bf-b768-825abadbb385,"4/16/2021, 
8:59:46.653 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6388 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,10681a56-cbd2-4e9f-959a-2e24f251ceb4,"4/16/2021, 8:59:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6580 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fdfb5fe5-9068-4e55-991b-2834c595db00,"4/16/2021, 8:59:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3920 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,659431e0-04a3-4b87-b734-86a2c2d2ef90,"4/16/2021, 9:07:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39b78b26-5ff1-4ae1-8c30-12b9b04fd756,"4/16/2021, 9:07:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,55be2419-d579-4c00-8ecd-4094f4865aea,"4/16/2021, 9:07:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e0396774-23a8-4a67-8868-1f03d9fac319,"4/16/2021, 9:07:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7151780f-959b-4335-8e8f-3f5de386050d,"4/16/2021, 9:07:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d735b68e-fb98-41b3-aeeb-8bb0d8d3fc45,"4/16/2021, 9:07:52.740 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf6bd95-4335-443d-9e03-1c6cab22d322,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,336cbfdd-721a-4f40-8293-fa74c8008a99,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59b64dd-024c-49a3-aebc-c4f8b30a9013,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b25cb63-adb4-436f-be45-0a754361d1f8,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c2bc5c-e231-4a0a-ba7b-39cc79034d66,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeae3472-f1da-498b-a0b7-9cd189072f1a,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,826ce687-0e7f-44f2-8dbd-9c796782c588,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fee9d44-852e-406b-a913-287a8917c8bc,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d6f0105-71bb-4292-984e-4e0583877ba8,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe103609-6f13-4e19-aaff-cc2d8b640625,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5072e40d-4ee7-492e-8e83-288784f86017,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beae9397-eae4-49e8-8112-85cc76358bcd,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d53bb8-9a0b-47ae-83a8-bdb882a50046,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f486f622-dbfd-4439-a65b-d31e4ca0726a,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f68872b-de46-4a17-9367-6c17e351fa26,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f2d303-5252-4ada-bb77-95d16adba595,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,838385fb-28df-4bb8-9407-46aa4f00e918,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d06f86-a4ff-4e8f-80ec-866d95f22050,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b2c262-840d-446d-999b-30c6bf4403cd,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c105fd96-84ac-4c3f-b987-b6d0b88c1d70,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae5bb49-d4f8-4bbd-ab89-b8bd6a53a0e6,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ef37ef-df41-4f2d-a9ac-dca265aba593,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\RECEPTION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d254919-ce55-4c40-a243-0d216d35a7c5,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a3e57f19-0fd8-48e2-9e29-c42bf57f4fee,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\GAST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8db25130-5d3e-4270-9cb3-cc88ee095f0c,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\REMOTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fcdf42ea-28c7-4e26-b30d-42775c9a411b,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f9a318ea-a5d0-45f3-a33e-6c66b52644dc,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\SUPPORT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,833cbf6c-e62d-460e-91ab-ea3c4d1884f3,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f40cf845-2692-4015-8d27-d176b956cd83,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0ab7725-9735-466c-9a3b-27bd38f574c3,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef52422-0e78-45c6-89db-d4064446808d,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aee626c-e9f5-4a57-82c0-10d416df467e,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ee4a83d-eb3b-4aec-89f7-95836e0c347a,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b617cc17-edd6-4307-9bb8-0e7920922321,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4bc0124-c592-41e3-bc89-ce7abf4eb3f0,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b281153-8600-448a-8c86-285cc9338f5b,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72a86f28-b5a9-44d1-96b7-7d8f7f266673,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,201457b8-0b60-4c2f-aa56-1b7bb7227cf4,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56670dda-59a8-48e0-a959-9b1b60dc01e3,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af852025-c552-43cb-9ffb-05a088dc63b2,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\JOKER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c7a8c47-2a65-4c99-9df7-faeee710e630,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ea9dffd-0f67-4734-acad-9fe108da0ae2,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3acf63ae-a954-4416-90db-62c3f68aa3ef,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6054b6c-44ee-44ec-b794-736b873330f8,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae695ef-c23d-4204-bfff-100eb9b6b71a,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed2e8483-6aa2-41cc-b738-5ad8d300b75f,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a4c0953-7599-4737-ab0e-005b8808077d,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c38717e-bdcc-4bbc-9c20-d7a0f69a7689,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e535ec1c-0a8b-4803-8415-2eefc03683ea,"4/16/2021, 
8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,955ed35d-9136-429f-815d-af2c815b1198,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc125f4-ee25-4b05-8c9f-12b3568511a9,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b854027-5f42-412c-b7f4-655a41955e4c,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,72fb80ad-d3a4-4ffb-9042-cae52f8d3777,"4/16/2021, 8:59:52.735 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5624 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bee5ab0e-637e-4564-a0be-1f793b796cec,"4/16/2021, 8:59:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f98e32b7-7df3-4232-9b24-3852ac75409b,"4/16/2021, 8:59:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1978a429-bf2a-4619-8a9c-9b317467ac68,"4/16/2021, 8:59:52.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a9344c52-f8c4-4e68-8ba6-8a036979910b,"4/16/2021, 8:59:52.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4f7d3b0e-da2d-48bb-b41e-7e7f8e8df5aa,"4/16/2021, 8:59:52.735 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6abde4f2-0ebd-4ce9-a906-ff2875106bd9,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a19ccd0-9eef-47b3-924d-d4b780f3c27b,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a89a443a-5406-4bce-82f0-7d143b4429a9,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a60c8a6e-3962-4ae2-a127-8d93514d4fb8,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bce6d278-6f1c-4383-8259-e350a3dc0e38,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a6344e1-ecce-4dbe-8ef6-e6217c9aa80c,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fd43e82-9a93-426f-a286-bbe6cde5eee5,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49684f1a-a9bd-4270-aecb-135e5e8c8a4c,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f5758e-d128-4846-984c-3bdb3c1f5f02,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd4cdb00-2442-4f67-a6e6-dde9fe10936a,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cedf4ff-5d69-46ca-b671-604b777d1bee,"4/16/2021, 8:59:59.654 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddba0dca-3e84-4da7-85f7-c140c7fb4021,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcf02e41-9446-4f9a-9746-2bfbd721273d,"4/16/2021, 8:59:59.654 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0031d71-1279-44c7-87c5-8a3a4e269669,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15a64a00-072b-4877-9292-3fe4e801d7d5,"4/16/2021, 8:59:59.654 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ca91da6-a727-4c8e-96bd-b290ecaf45fa,"4/16/2021, 8:59:59.654 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04a9cee8-5df1-41c6-8c0e-7ec89fbf0f46,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52a73e8a-e1ca-4eea-852a-87fa74d1692b,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95a3ae14-2ada-42aa-ab1c-8fac79c038ef,"4/16/2021, 
8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d10b838f-402e-4427-a00c-bd736b7f3b0a,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3f56946-9d94-45b7-a6da-ca07deb5a581,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fd2ff98-33b3-420e-ad3c-b364dd33d95b,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2111839-6c9c-455c-9bad-dba7ca507605,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c66f0d3-6641-4674-bbf3-5b6c83eb22a9,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fef33ce-0452-4881-bf89-7e9c9b3b772b,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a68728c1-2b2b-4b73-a972-63225ce8dcfb,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1203879c-ca3a-405b-ab8f-1328e33c5985,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e8ed3b-be53-4712-9f79-21d2a6b41bdf,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,646014d2-4830-4186-9659-60c07b2b10bd,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a2f649e-7ce0-40b3-8ac0-d4c1da508dc4,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e987195a-1a51-4672-89f0-fff624ddb515,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a6cdb3-3771-43e4-93f8-02edc58a013f,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1cae5e3-c822-495a-929a-324d50858eca,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebfea31b-ed6f-4752-a069-830694ed6e64,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3de26fb1-84d4-463b-b20a-2eb51eeb1900,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d559546-399e-4853-a278-96399d3d5954,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d53a279-b7ef-4c5a-ae67-ff1d876caec6,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa95907c-a8fe-4ee0-8d0a-106ccfa77646,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f428fb0-7999-448f-b3c9-d9c682bc9534,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e270aaca-0e20-4744-8d23-9f2877f46f1d,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d3456b-6f6d-40cf-b688-2bb555017de2,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2133faa1-d28d-4f09-9f5c-56b9543daf8b,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a08d897-f5ad-4932-9272-0744aa77ad79,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c75553a3-77f8-497c-b0d8-dfccab599361,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e941889-0c94-47ba-bf02-bab8c9586fbb,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\OVV,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c89a6ee-052a-4a51-8457-22fb4d5d9b73,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,30d5ea7e-7522-43aa-a812-64779fcdefe0,"4/16/2021, 9:00:06.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8584 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 
0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,08522d5a-6e1b-4340-bddc-391271da4a57,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8afd9d21-2e22-4289-b3c2-f86096704f04,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2b2cf326-a487-4be7-924a-9f2f86b561fc,"4/16/2021, 9:00:06.573 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2a4b21f1-bbe8-4ad0-8e5f-82bd6f31f67b,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a56bb81f-d1ac-43c3-8978-abcc26b7977d,"4/16/2021, 9:00:06.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6828 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c339c87-ce31-463c-9ce4-faab1532554b,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,55b6619f-605e-4dab-86fe-7d8f0f693c5f,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,a795babf-4053-42e1-a4de-ff7d21b2b59f,"4/16/2021, 9:00:06.573 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x41319aa + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,148f2ced-1531-40a1-9155-b1bec7682e73,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,cef80cd1-b542-4840-8121-cf321d069d91,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,a18ecd1a-7ea0-4143-9b7d-c5160a9cea77,"4/16/2021, 9:00:06.573 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,238abea4-70fa-4f8f-b4c9-7c9984c2442a,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,71164bc4-70fc-4c89-88f6-775a65f47933,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,be5ce03f-2d59-48e4-bb2a-fe1510fd63b5,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5966e049-77a9-4859-a06a-0d2ffdcb9253,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3842c691-97da-428f-ab70-e70dc6fb977b,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,21cdeaef-4ea2-4348-9ba8-4d769bc4526a,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,79ffa15e-037b-4ee3-acc8-af556da51fec,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16a17cb5-a3be-445d-8a4e-3c084877c0f0,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd2e9c71-24da-4d41-a3fd-a73e44fcecb9,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,04988e48-4b59-46fc-acce-afce39514548,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e1c6d376-d578-4f5a-b03a-41cd0f726c99,"4/16/2021, 8:57:16.056 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cec1b93-a038-4ec8-a2b0-dab20f6e6cf3,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8b17e2a-5ce5-4cd4-8437-e668f409b4bf,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb0f713-ae94-4a15-8fb7-c21e0e50f21f,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38795b75-655c-4e70-81ad-3140094cbf14,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6723e0c3-8a2d-4c13-a46a-760174ea3c0e,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97bbda88-ae38-4c78-b44a-ca77d9032e39,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49cbd55a-c66b-4955-b03a-d015f2858cc8,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63685f09-70db-4bdd-b7c2-7146eb06638d,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1795073-af60-4982-a964-6ce29b5ba649,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e65653b-9cd9-43a9-92d8-c352f46f06fc,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea12d59c-bd61-4ca0-bba8-6a2315c0fb27,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ab6a322-4977-4f5a-a8ef-e262a22c494e,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dba690d5-fcf2-432b-87c0-f2ddc990d697,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2144cde8-2dad-4aad-b47f-f78e247b0fde,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2faef6f-5dea-4b83-975e-89b65eb52b0f,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0060f02-caa7-454c-b0a3-c6e9eb76b95a,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ab77d5b-8f0a-4e49-8ba6-d75730f2e65c,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,890f5ebe-fd85-437a-8e96-4ee17823b17e,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf5ce306-7a82-4824-b40e-0c7059f134c1,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,271838b5-f210-4f2b-a1ee-5c0a239789c3,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\SVC_ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,933a864c-798f-418d-a3e8-c5dc4df7babe,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53f0be55-582f-44a9-ac22-c40b0815be40,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd929d6a-3fcf-4cb4-83c2-6f6e7ed7c45d,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4c52cb6-d4ed-45be-a101-c170543dbbd0,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3336e4e7-0fec-4772-b304-1fa67e6ec22b,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7720 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f5c170b-4dd3-4971-b8ce-de15bc173aeb,"4/16/2021, 8:57:23.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7196 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c8eec6c7-db91-4c59-b6e7-830002eb0fcc,"4/16/2021, 8:57:23.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b7b0280-47ad-443f-a8da-211529fcd05c,"4/16/2021, 8:57:23.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,164547d9-0ac6-4980-9911-3de7d9a6b8d6,"4/16/2021, 8:57:23.409 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b73c2a46-57bb-4ade-bcaf-705bceee677b,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ecd0fd96-8255-419f-9b38-6e3edb9d75b9,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bd41c02c-d22d-419b-95a6-03db3b5ca07e,"4/16/2021, 8:57:23.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11236 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,79d81e99-fa16-4662-96e8-3b9fc0fe8f5f,"4/16/2021, 8:57:49.262 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cd8888e4-8573-436f-96b7-e17e625c5715,"4/16/2021, 8:57:49.262 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,719aa257-cfe4-4176-95df-7bbbc56fdbf2,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,407fdda2-6600-48b5-8232-904a00a00cfb,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14a32749-c0b5-414a-8bb3-d7ddd76ed26a,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efc2e659-cda7-4ce1-86d1-2736aa7c5c0d,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + 
Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3eb4afbd-5a39-47e4-9059-fe7fdbb45406,"4/16/2021, 9:00:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5462db42-a76a-4561-b911-a39e58fe19af,"4/16/2021, 9:00:08.056 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,178a98fb-cabc-4a52-8295-dc08ef341ab8,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28b5b7ee-3bd8-45b1-94a2-0fe1f118b1b9,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffa78962-70b5-423b-932c-7e75ee625026,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2de293fb-55d3-48c9-8397-f8739da970a8,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dee9743-1d9a-4e2e-a0ca-eea2455c6b45,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e594af80-efd5-4949-acc4-f4d6b86dee58,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a03353f2-ad90-4393-a678-674f9e98efef,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9ca5677-2243-437d-8734-d1076790f708,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c67b67aa-7532-4dd5-921f-9f8c8f63d56e,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4066aea6-2995-4cb0-aac2-fde0507cde1d,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af68b4eb-bdd6-44a6-bf3e-ad50dcaf8c24,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd641928-1ac1-4a05-9b45-51f88976fe38,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd88e4d0-cf81-4648-b434-11d34871580f,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,035e317b-946a-4724-8125-4a25a7799fd2,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5126e050-30cd-467c-b3c6-da389eb88047,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a2a7e24-52a6-47e6-a361-1b2852fa18d2,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9592d5d6-2113-4b25-9e4e-bfd3c68a77d9,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89abb1d7-3bb2-4438-895d-30848932aeb5,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9af6a4d6-cec5-44d1-bb91-1eff1a31e155,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2655829-f991-462f-82d4-df4fd99649cb,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc9cb9df-47c6-4e5a-a00e-fb7bf79c41cd,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77fe2519-dab9-412a-875f-21620600c469,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e089e19a-af60-4295-9157-6b33e31c13f6,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f76b97d1-5e1a-4196-b6e8-874db76d1196,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a593314e-0033-498f-b645-3344e72497c4,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cc9adabc-08bf-4be5-8e00-4f93852d1dc6,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9529ca1f-8878-4b94-84a1-ed5e2cf1913b,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7414b8d8-325c-4d94-80f3-359369402097,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cedcc933-9f88-4965-8651-5564f92de394,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fe63e720-5fc3-480f-8ac5-44b75e8dc23a,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c5a82ff8-9f95-4e7c-be90-e2bbe6306477,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,185052a7-ff03-4c92-bacc-e3a18d422c7d,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c1a40f0c-838b-4cd9-bd07-6b0cfa8973de,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0bf88bbe-021e-4713-a3b8-658c986adb9b,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fcc7dea5-75aa-49ee-a014-1290c08fa230,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,734aa14b-42a8-4a30-86e3-f0da8a3dbdf5,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,22e46880-7e5a-43d9-9998-6917bf579286,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dd7d2656-82b9-41f2-a5af-c60cdb7a469b,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,21a7dcae-3164-4ec0-98b6-1208859ca98e,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,219c60bd-d227-4b3a-9cff-c03e40c49299,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ef83804a-447c-4610-bb76-be282cdb58a9,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6c333437-eb78-411c-a5c0-106b675dcf7a,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e851f91d-71d8-48da-a243-aa389be048cc,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,456f49ac-659e-4b47-adfa-7a85d37727e6,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3e621954-49f5-4138-b84d-6f29ea6f807f,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a6e62e45-4f66-4bea-bd35-8afbd8da868e,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,03a5f0c7-d219-41b3-97a0-1be6d2f1b077,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a7500056-d296-40c5-9348-88a33971efbd,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3a4b1647-ae7c-4b71-a5d9-2db4d041c869,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5637ca70-930a-4148-b4f6-f2a9d209df27,"4/16/2021, 8:58:08.869 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a807070d-d7d7-4865-b773-79b95ca6ccb9,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2617aca5-9042-4cc8-b592-163e93499900,"4/16/2021, 8:58:08.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cede5ef6-17ae-4140-ab93-a182e06e9f25,"4/16/2021, 8:58:08.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,532ef3d0-f3a0-4c0f-bb49-aa7ef69605e9,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14784 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d45ae8a1-7823-43ff-845c-b3a8fa5f9438,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7152 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ac59315d-9244-4770-8603-8d1203d0aac3,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9128 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dd3fd4ed-6e60-407b-8411-c573f42af3c2,"4/16/2021, 8:58:08.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,712cbbcf-e8a2-4bb2-8172-d4cad8c57102,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7072 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,81007db1-9684-41a9-a910-d66f2a9802a0,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 432 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f5d14867-bc4c-4898-b939-70557e34828e,"4/16/2021, 9:00:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6968 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6c114bae-9ee2-4c94-9b68-e488aa07e98f,"4/16/2021, 9:00:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d9667ab2-dc43-436e-9ffc-7eaa7af42d15,"4/16/2021, 9:00:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5e24dada-c132-4d29-8427-c3a6854a6d8b,"4/16/2021, 9:00:09.896 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e03693a0-0c8d-4966-b140-d290b887abb1,"4/16/2021, 9:00:09.896 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b5be308a-5c40-4af5-af10-3672f7eba1c5,"4/16/2021, 9:00:11.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7836 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5015704-99b3-4b2e-88f5-75a7db306582,"4/16/2021, 9:00:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ddcd469-10a8-4b73-9d9f-3f109ddc5ae5,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process 
has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,106da910-210a-4888-85a3-5c725f3f8d97,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2ea8689-16db-4f8d-a110-da7a62c57a02,"4/16/2021, 9:00:11.411 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e0ae7d2-7e07-428b-abd8-aab0271763dd,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20f0c64-20e8-46c9-9604-24e1f5dab2a1,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ee744f1-d2e3-454d-adb5-4d81a826bf96,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0e6c6ea-f2e1-4f5c-a5c1-55fcbbb6f0bb,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,81c5f917-3ebc-4e7e-b1ed-b1a9fc558295,"4/16/2021, 8:58:24.124 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,69632fcb-37e5-4b56-b295-77b3547a95a9,"4/16/2021, 8:58:24.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6278bc22-6c55-4a5e-a196-a031350820d1,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f626a7c-da50-497d-9add-bba56a5be2bd,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1016 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,de064312-5a2e-4974-8a44-6e39fc93fd72,"4/16/2021, 8:58:24.124 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,53004b96-ebfa-4e69-9014-a03026b551bf,"4/16/2021, 8:58:24.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a2b57b7-3236-494a-8154-cd297c0bb7f8,"4/16/2021, 8:58:24.124 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6e9cafe-bd50-4380-8b7e-5665f311c98b,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,780b6718-4728-4683-8b9a-c30331aad8dc,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,022322d5-8018-4052-9096-c88cb25a14c0,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19bcf840-8e25-4708-be7f-bf7a30209b96,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,515bad54-b78e-41f0-b5fa-c26523da8356,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a46e5725-089f-468a-aa28-b994b0c9889e,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0669d037-0976-44d1-9da6-e29a74bde6a8,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db77781c-8a76-4235-8649-53692ecd9f82,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a38b0e1-45ad-42a4-aa66-d7d10970eba6,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7579e99c-6bb8-4430-a76d-169683771496,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0539eab7-8955-4c7e-826a-6e910bf46f5f,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72bde181-f9a7-4a42-b1ac-9912b6a0ba8a,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beb9c1c6-413a-47c9-a380-5f8406687e0e,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5a00edf2-12d5-4ee7-a14b-56234931275c,"4/16/2021, 9:00:11.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7444 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + 
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a67f30e-0269-4184-91cb-aa0e92a5c4f5,"4/16/2021, 9:00:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4456 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,79e59774-d4f0-4071-ac06-d9f9982c8db4,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bd3dec1f-8ade-43f3-ba5e-f79c212dada3,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6430a872-cceb-4745-9d6e-8f0a9bcca735,"4/16/2021, 9:00:11.411 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,93be4f9c-5bfe-40eb-a8cb-ecf82abdbab6,"4/16/2021, 8:58:26.568 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e58c6ac9-a422-4b4a-8111-7528c2b79ae3,"4/16/2021, 8:58:26.568 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6192 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3241b9f7-afb2-4189-b488-e4d512970914,"4/16/2021, 8:58:26.568 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5236c5c0-ad2e-4a24-a032-9abb96217988,"4/16/2021, 8:58:26.568 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,159425c3-68c9-4bed-b92d-6d99dff62783,"4/16/2021, 8:58:26.568 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,033e4b56-edef-4f80-bb4b-30ddae60086e,"4/16/2021, 8:58:26.568 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1132 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb8718d9-c6e2-4188-b12c-e5affaa143bd,"4/16/2021, 8:58:26.568 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6e12811-7cbb-4f1c-90af-73fee87a20a9,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,626a0cb4-b359-4495-8dd1-33b66128ce78,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5616e6a0-2e39-4e41-a221-a66b29cb9933,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f920413e-8217-4a40-a2dc-767858d8c483,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a26eca42-ab29-48dd-b9fe-ff5ff1b96ed2,"4/16/2021, 8:58:34.660 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95dfe5b1-b2ed-4477-b034-3b70b50a31e7,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,547d441a-df11-4be7-8ed0-7c9cd3023d69,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c18119a6-5204-4b36-a9bc-6e685181a7ef,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc674a3e-fc3c-45d6-9504-4f9403e2514c,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58d9c582-fe0c-4092-b22b-627a6ff28cc5,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e046e30-0eb1-48b3-a77e-334f1aef0be9,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f68fbfe-eb1d-49ac-843e-d782993691d5,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8eb7de4f-0599-4fb8-a93a-7f6e8e33f6e0,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9137f31-bf62-44a7-9685-f399b63dbc8a,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3089089f-5088-4685-a8ed-c4f80f5f8ce8,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a24b043-f2e4-4148-8c91-b7bf233399d9,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eec755f-d6a5-4cc1-bb64-f8555f7f9d50,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,febfdb6b-3f51-48e4-ac09-d8fe50240c0a,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc88228-ebc9-453d-b868-59fbf7c92e8d,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,306598af-0d86-4727-9333-9d1e3d9154b5,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e59c58a-cd12-4d5c-890d-08bdd5fe0818,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,554dc34b-6d7a-4ef8-b717-d927f8872c50,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1b7d57b-17ac-4887-826c-350f17231f76,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e7fd8b83-8694-4e2f-b039-247d8fe2386b,"4/16/2021, 9:00:08.051 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ad4e2fc0-9b3f-4afc-9c08-7d5f19d48d23,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4468e54a-4e74-47a9-b4b0-d001d7451614,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bca31bb3-c5fb-4818-acc5-2079b65f58ed,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,94babb63-bcf7-4259-9877-d20e59ecb3f8,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b14125e3-555b-4b92-b530-20b16b3e22b7,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,89e52215-735a-4f60-a8b3-c12d6c85cf5a,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c4e09869-3c48-400e-886c-aa13e44f301d,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0bbc98b9-b76e-440b-bf55-f8a37500f761,"4/16/2021, 9:00:08.051 AM",,,,,,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f031a48-fd64-426a-a901-400dc578bb9f,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65bd70b2-b6d2-42bd-bcee-1a2adbe44f61,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36dde0aa-54e5-48c3-b303-a7fc36701ff6,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7de17de-f8a1-455c-bb65-9772727d6ca4,"4/16/2021, 9:00:15.656 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c5eccbb-4f39-4bf3-8a7b-62eb422fa6fe,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8794e7d9-9609-40b4-9dc8-e4bd811d2a05,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ba6c823-1926-4401-aec4-99a6d0a884d3,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\RAY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63cf3762-1e56-4d4c-9253-47a4370e2c55,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46ffa284-ecf1-4f96-abf0-830173066673,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad5834a5-2dc7-4973-a7b8-fa209c172924,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc3cbd7f-7dbb-480f-8ce0-8316383dfbe1,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25c112c3-cecc-419a-acd6-03d34072112a,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a92eff8-2530-4e97-8bc1-9b99a8c0be51,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cae81a1a-b30a-469b-8a83-f97ca0018566,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,813ac257-3762-4c56-a908-f1c32a0eaded,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e37306db-f703-4e62-9037-35cc5f6c645c,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64e02607-4729-4173-895a-c2eda2682d73,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1fce2d0-d418-4bbe-90c0-9a8e66fa49fa,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d020392c-b130-4cbc-87fd-d1f7ba25080c,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e26fca41-f229-4a0b-ac12-4814e3bf9e97,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adc730a6-fb6b-4176-b790-adad1bb546ab,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be0c8339-2121-4dd7-adb5-f6a5672ff559,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9620329e-0a08-4508-a4d4-571bfbb94170,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6e8c3c7-05f4-4204-99d4-d02dedef17cb,"4/16/2021, 8:58:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3444 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b8b5c9e-6726-4aa7-b447-c1c07cf0dd85,"4/16/2021, 8:58:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,937a5e71-b102-4a7e-9906-84a1d511ccdd,"4/16/2021, 8:58:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bff7f36c-d821-46fe-bc69-e43b0e900028,"4/16/2021, 8:58:41.411 AM",,,,,,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1ee745b-4ac2-4801-9fc4-44820d41796e,"4/16/2021, 8:58:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,72e0b679-e57f-4c66-b944-a1ae3c688331,"4/16/2021, 8:58:41.411 AM",,,,,NTLM,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38ec5533-19f0-4cab-97c1-93bcecc6b8e1,"4/16/2021, 8:58:41.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b94b8bf-b954-4443-a51b-edbca47d465a,"4/16/2021, 8:58:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5dbd05-edb0-492c-a533-2102848681d8,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3088ea7e-df6c-4041-8c92-461ee53f2e81,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b1ed81e-be29-45e0-846d-a9899200bc05,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3cc665d-d912-409b-bad7-e1e5868cdf6c,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a57d416-34c6-421e-b953-71933ea13ba9,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7999dfe3-cd46-4965-997e-45e0e6df8183,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3c9347a-bd78-46cd-b2e0-2494d2b0c783,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d88469e-1314-4d6c-894a-d47a104c49cb,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e8b00c3-184c-46ee-9b65-e7aa146cc9b0,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a93f4bf3-d822-4c68-b489-5541104945aa,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a266a1-856b-4a9f-8e92-e2f0e9688f60,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f035987e-fa2f-477f-b1c0-c8128ba4398e,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa8bfade-6470-42da-bc40-065eb8a159c8,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5215fcf3-8807-4740-852d-5e433898a25e,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b5001db-ef62-4a94-85f7-97a6c7771b71,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53454a12-4109-4300-9c40-2d81e2c2712b,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d75a5f-6388-41fa-99e5-5442bb4c5ddf,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22096311-6de1-4110-b898-8fadda244aea,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ecf3b04-7aad-4ed2-bbf0-4003b20949be,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,988c27c7-8ce6-4a12-a424-0afbdb9280ca,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6a81ddf-df7b-4f1f-9ba8-c2088061d979,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd3b4bf8-50d1-4b73-9dbd-66c71e872fe4,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e4b3622-ad21-430a-8ca7-60c48dcc3570,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6442e040-9010-4453-8561-de8916a48204,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,14aecb2f-2101-4c6a-92ee-7a91bc4636b1,"4/16/2021, 8:58:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3faf9694-d80e-42b8-8484-9a37c6dd45f3,"4/16/2021, 8:58:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ad23ba2f-c9a1-4fd2-bdfd-73a2d4ec1214,"4/16/2021, 8:58:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4800 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f9f3829a-2a41-403b-8a45-c846851452f4,"4/16/2021, 8:58:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,86fc9d19-6466-44a1-a1dd-6ad5673920cc,"4/16/2021, 8:58:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ba64a8d5-f10c-4040-9ccd-d73f5a2f79b4,"4/16/2021, 8:58:52.736 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52849341-bf9d-4899-ab52-f11f5fab599f,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa6f153-176f-421a-91e3-803893bb593d,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfd3638-a14c-4e20-96be-9fa9aeab3280,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,511cdee7-e190-45ba-a805-f03ea89510d7,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b4ce810-eaf9-4c1d-827d-4f51fe2da2fa,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,531136c2-1816-4771-bc0a-a9c0ea36d58b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07cdcc3c-e23f-4f18-81c0-3809ae514f7e,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88efbc02-e2e0-44c9-a33a-bc000a754fb2,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,491261c4-90a2-4f00-8de8-4d8bc2eb100a,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78372220-1d14-471f-9585-58e669d31b3b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51ae2f4-02b1-4216-86ff-621597e856ff,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cb44830-6a5e-4a64-972a-ad93271d4108,"4/16/2021, 9:00:21.150 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,af12520e-2e1f-40bc-a7ce-0ab1f01f8320,"4/16/2021, 9:00:21.150 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1544 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29738560-a68a-4aa7-ac2e-8e85663d1a53,"4/16/2021, 9:00:21.150 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1739582b-b429-45bb-b6b9-1d9e427ec020,"4/16/2021, 9:00:21.150 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7987bc2-8040-464f-ac2f-607c6428dc6b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e0fe29d-f45d-4da0-8f17-27e56b316244,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b56c502-a754-4a67-9ad4-8f27319dbda9,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd86263b-71fa-4816-b337-44e342f961b0,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a29e746-5704-4c59-ac95-e510f268c425,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e2d36dd-a7ec-41cf-a0d8-4b177473b1f1,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2060d68-2c90-44f6-8e17-5c4ce65d3b66,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54ae6feb-0bfc-40dc-88a8-ffde57a7355b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15256 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cfc8995a-dcbf-42ee-a846-7c86ce772f9a,"4/16/2021, 8:59:55.984 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11728 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a49ddf0e-7b65-4bbd-ac43-8e8b5c062bc1,"4/16/2021, 8:59:55.984 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,588dc368-ec95-473b-ac64-415cd5170ba9,"4/16/2021, 9:00:32.893 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f83704e2-6913-4377-ad2f-a11532577231,"4/16/2021, 9:00:32.893 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x2417d2eb + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} 
%{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5dcbcba6-c5ec-456e-9471-5f256fadc792,"4/16/2021, 9:00:32.893 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1b7d71e4-0b23-43c3-8bcd-04fba70a2d4e,"4/16/2021, 9:00:32.893 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5b633c8b-881c-4ae7-8bbd-19ae64689613,"4/16/2021, 9:00:32.893 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,2186607f-cb69-4f29-877a-4680c5ef65e0,"4/16/2021, 9:00:32.893 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a560e70d-e642-411b-8f7b-6eee2f3328b8,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54cef459-f1dd-4806-9407-db76dbd3fbcd,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b14b8ab-a788-4551-a7f6-91b2d0f58b01,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c13fcbd-a790-4f74-94c0-9b5fa62200fe,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\PDV1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b710ebc7-9a1d-4092-b659-831d551f6e56,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ca8d22e-b85f-4acb-b1c4-b8bdee97c512,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23cc9e32-edbb-41fe-bc33-933f89988d03,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a914b1ad-d957-4861-bc1a-9acbfb55862c,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eacee919-8e0b-410b-bbf5-d13df0c3f682,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f0e925c-d6b7-47d5-a2bb-73d0b75ae856,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\CRESCENT PARK,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6209661-dad2-413a-a9f8-f7ce3368d869,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3ef5f00-5511-4db8-88c7-b12d95027cf3,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce8cb132-137f-4b36-9b83-fedb7e3dbbf2,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88621072-5c09-4f1f-8d11-6a29e0d85ce3,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d10426-3bd6-4a8f-a1c0-a75ef4277452,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5111477-b2ba-472f-a6c3-26c04519b090,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c37b1d6a-9e2d-474e-b5dc-dbaacc1677b1,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3dfc35-b092-4ce4-a5b8-e3e293e68262,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f66099bd-64f5-4adf-9082-946ab134e5d1,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dd61443-456d-42a6-bdeb-d64bfa24f3f9,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3c50b8-b6c5-4a2a-bd73-856d70dbf3a9,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebf8e8af-9735-42fe-90b2-a79dd402324c,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51840ad0-fbad-4fe6-ad42-d4a30be960a5,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc600021-7bfa-422a-9c92-d3c9e8ac0e11,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6b6d6b-e195-4c33-bdb0-247c6a8d7672,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7550a68-ff6d-4efa-8dd4-d8e3ccc8a3c4,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b996c550-a07d-4669-b180-94fceb5d37a8,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,311fcd8c-5a2f-4d55-aaaa-b4a85f49ccb8,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,483d4d84-5646-47f5-bc00-8b6d2b0981dd,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c81a158a-d240-4f32-be73-6ef7bbb08153,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,513e6af5-9008-41c5-a537-a94f0729b9aa,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be0a7f1b-62cb-4205-aac4-f94300d66c28,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45758566-c587-408e-8414-d89210e9e7f6,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7568 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1450\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 96 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service 
State\Resources\1450\pmfexe.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4117a1f-f983-4b27-948b-9546b98cd29d,"4/16/2021, 9:00:34.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fb64de4-afe0-4a60-a811-df8ad223a890,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90564a17-c42a-4761-b946-980762865cb8,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f56eee8b-fc9a-4d4b-ab12-9af737539f6c,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,411cff52-e92c-4182-95de-be86d41120e6,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b67bcb7-e7ec-4d0a-a76b-8c019e35c3a1,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,815d6e8e-9715-436b-8711-0bc06755809a,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60f5ea8d-202e-407f-a2ec-c51c669ee9f4,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c420a56-bc3a-4697-8e54-4125af393e67,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f711e172-66ff-45f9-98a8-817d32d67ba3,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,215521a1-949c-4afb-9bf6-63b43c0c9eb6,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402f5b80-c55c-4d9e-a1d1-93bc2e6121ae,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a664429e-b712-4bcb-a373-f4f1a2873ca9,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41c48a97-68b8-466d-a8d0-4f58c8858c22,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1ce1416-abec-4bb9-9cb0-aa0e22bb860d,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbf7b9b2-7e90-4515-87aa-94815ce3dad9,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47eaead2-bdcb-4a81-957c-e85d1996c908,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43654342-633e-451d-9f69-4f39dd944b6f,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca9a74dc-da3d-429f-abed-8706ac874b58,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,63b931ca-203d-4af9-9103-408d0b0aed31,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa788a5-21f2-4935-bdb6-36aa233cb482,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46adc55c-aabe-474e-8236-7eae8b6a56f3,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5a1819b-b055-4034-9552-bbf6f8e4a3d5,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fbcacc9-6691-471f-8c75-41fd859171e7,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dbc0c17-0160-436a-a0cc-63885585e4c3,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa28218-6383-4392-b15f-18b9bfebca89,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e086b11-ec01-4c67-a35f-3e11f238c4c7,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bac5c836-5579-4785-a888-2759684aa6c4,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a69ebcc-4ac3-48a4-a9f5-8b131853b269,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae71476-ab02-4b58-a36a-fd1d55327fe3,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a237bd9-67d5-4a17-abad-abc926620f1d,"4/16/2021, 
9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38bec394-2cd2-4f75-89f6-ebedb529bfe5,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,214fdd00-b6a9-4c79-bff4-470760b986d6,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40bc2a69-df88-4ae6-b49c-16f1729ba7a0,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f523d2e5-8585-4437-b08a-5fa170a19594,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3a6d24b-11be-49e9-84ca-36e43e56120a,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4190a2dc-e79e-4776-ae0d-8a1cd52150f6,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,280896aa-73e5-4a15-be39-7179fc736408,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,981a2a75-32c3-4274-bff4-dbefa1fa589b,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c598028-32f8-4c07-a581-fcfedfd4eb11,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6171d06-e784-4bd1-b8d0-b1eba371f50f,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\WRADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f57ca0-ff0a-4779-8609-f0b0dacb657f,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,427107e3-c976-4742-8f74-0a976e00d799,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97be7a02-e6c3-4aa8-b421-be537b392a21,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,727da483-07f7-4dc8-90cd-a6800e0860ed,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f2942e2-c5e2-40bb-bff9-2df65e450737,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312750eb-698e-4d97-af40-7f27e5e5020b,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43653fc4-6d84-4f5d-a5ad-b021cf6ebe58,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,819e0444-f261-47df-9dd4-9aa31d5ffa2b,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,84bcbb2b-922e-494e-823f-4ac85548714d,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16058aa2-026c-40ab-874f-b0309406862a,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,73c235e6-9de0-4aa5-adff-0ea34184ba8f,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98da1777-1442-4987-83f6-29df9bb10c21,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,75465f23-5eb3-498c-9649-584a1f7c3b8c,"4/16/2021, 9:00:43.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4aa637e9-034b-4918-a7f7-aeabb2d17571,"4/16/2021, 9:00:43.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,77b40b1a-5d3a-4977-95cb-e65745f7b456,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,593b8948-d7ac-4266-99ee-8e9917c85761,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,65326bf7-4015-40cb-b5e4-4feb08da09b4,"4/16/2021, 9:00:43.052 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6f30a8e-6bf8-4487-846b-f0be4e8aee70,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a8ba43d-38bc-406b-950a-a9fed81a1053,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7ef89e2-d1a5-4b65-8dfb-0b0b9939e478,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79602f87-b33d-4183-902c-cceed063c11a,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d6a7aed-e74d-43e6-a4f1-80b8478e0186,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7aaee77-79e8-47fb-82b7-a90f2ad27950,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,481d5e28-a8fc-42eb-8d8c-38624c74fb6f,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d435cf68-333d-4c3b-a371-66e3a6a17146,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edc41dc7-af91-49fa-9adf-b3b7998bc6d9,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e53bec9a-1ac6-4e2b-a193-8cbadf214e29,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c3ff4bb-5b2c-4b72-97db-5de4152b410f,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6272e6cc-43dd-4672-9ee6-9da6d8a4c7b6,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb5071de-64af-457d-8705-89ac1c488d44,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1a3c839-200b-4c21-8617-67a4d83a3268,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, 
+\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ea9e9c0-14a6-4ceb-bb79-addd5fe2a7d2,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce4229d6-f968-4f9e-8141-3e1c8dcc6f83,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c30e1c6-d4c1-4829-af37-6af2d32ca907,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,daa8ce95-83df-42c2-b5a7-ae371ffdfb61,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92b200b1-961a-411a-91be-245ecdb4bd40,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6086a023-3726-4db6-83d2-05a2b2a0401a,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ef7b827-2cbd-4fc7-8fa0-a6d7be07a943,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8fb1c3e-5bc0-49fe-b54e-fa747b233009,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b8437b8-6741-4523-a22f-f11782fb245d,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5d3109f-087c-463c-b5f9-ab249fd11cdf,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6773718e-4032-4f0c-93d7-8c43877de3e0,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,203d829e-cb66-4f04-bb1d-fc240d1cd2ce,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af652f6c-21dd-435e-a59b-3b3d304888ad,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17d4201a-c3e5-4dc5-a781-abb944c79025,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77e0766d-de3b-469e-a71b-8b5aad54c4cc,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d95212b-1dfe-42bf-bbb4-8b35b7e5f7dd,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,807d1c5c-c628-4f37-acb2-6d9b0b7f8e0a,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\MAGIX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40d63007-f689-4eae-8069-12de12452292,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c26e07a3-d492-46a9-8cb6-75b7f718c0af,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3bf52cc-95c4-4cc5-8e48-55ff3a14b999,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40fbd52b-757d-455e-8b5b-65bf321481dc,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3e0ce0a-7af5-48c2-bb6c-d79fa60a1ece,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bced54b2-b561-467c-9fe8-ab7438decfaf,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,853656ac-d6a4-4ab6-a0aa-de9c57cf092d,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fec8a89b-9413-451b-aed2-f3ff4dafb3b1,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3464457-1f3d-4f4d-9fe4-1fec4ce1facc,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3b0032d-36d9-4ef6-953b-36dea78445cd,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89ae59ac-a7ab-4dca-a714-8ed729337d54,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb2b2f7b-e236-42f4-b8c2-87a159130ed5,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60c0a232-2d64-4a7a-927b-52e19eaf9bfb,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dace59d-b258-4717-80a5-63327d8fe197,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b90fdae5-ada7-485a-b684-9d546f3b5677,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f63adf41-5927-4e4b-b2fc-d194e668faed,"4/16/2021, 9:01:25.410 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01d48faa-8356-499b-87fe-2f2812f77657,"4/16/2021, 9:01:25.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c30b7d8b-3b3e-4878-83e6-83b1fc7d260a,"4/16/2021, 9:01:25.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6484 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,edf04818-ee34-413e-8b05-2b776fb32268,"4/16/2021, 9:01:25.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4020 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed 
to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,079e3793-2a41-41f1-885a-8ca51faf02ca,"4/16/2021, 9:01:25.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b269fcb7-812e-4e11-8511-db4ac5c87c9d,"4/16/2021, 9:01:25.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eac7c648-0ef1-453d-a624-bae2377a696d,"4/16/2021, 9:01:25.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6d267226-4450-40c2-ae13-e9ec17fd387e,"4/16/2021, 9:01:25.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14456 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5051a4cd-3aba-4a3e-be8a-b31090a3bdff,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11656 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,82b05968-b0ed-422f-84ed-37a47f25b599,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 932 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b4a47c8d-9b1f-4715-877a-d9c9f34d9270,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12808 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7c2d1601-b742-41fe-938f-e522a4d26979,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10524 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ec512bb0-a885-4171-abb4-6bbe38b7c038,"4/16/2021, 9:00:47.026 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1de11626-6bc5-4927-a385-b3e2a3237742,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3977898-d3f8-4f4c-acfa-137a8024ab68,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8435135b-21d3-444d-8f8e-4a1c75ca3ae4,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5299ccb8-91ee-4b8c-bf7e-130fe08d7bdf,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f400e6fe-7531-40fd-9e69-fc92d4d3d5d9,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7081000-8fb4-42f1-a8d1-71138b779005,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9af681b1-c939-4c64-9469-008d86357c70,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38afff10-8f75-43e1-b6d3-fac610176f7e,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,389f348f-787a-41b8-b0a4-a8253c762638,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bd19ab0-dbd5-4762-9ad7-1aa4348e5a3c,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7db68c7a-7db9-415c-9e76-fdc7d289b606,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4f926a-e1d0-489a-a7f1-a25be179a9ae,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8ac7360-6bd6-4e5a-944d-9398b5761f29,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99598180-84be-4725-8369-9848c1976e91,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7ac374b-ac0e-4cf3-9638-2902fe14b1e5,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34694b0-66be-4138-80e1-128eedc23f30,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40de02ac-3424-4a56-a25e-f7a2c35fd6d1,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16d4354a-6de6-4749-a627-f6a06d9a26e4,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a05ed40e-7ccc-46d0-9708-e81cb696b540,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,875b409e-b0e4-4d36-afee-1f2b7fdd9ebc,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457e3083-361a-4f50-bc99-4ddb793b8959,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,964d87cc-a737-45bf-99fe-2ecabda4bcb2,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc283ef0-e5b0-4185-a47d-fa3317543b20,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63fb36ee-d6b1-4aa7-b548-7bb2c6541865,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fc79f3d-9953-40ac-8b0c-bb0f8e978aec,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab739c00-0148-4137-94dc-f1c876d955d3,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c3d7fb7-81e5-4454-b8f0-a287789ed92a,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba5b666d-d633-457c-b686-4494493eebf7,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56fb20f8-0f73-4d9d-ba35-f1d7354d9728,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fc300cc-7ad0-4776-b86a-dcda44c8b7b4,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c6487f-9c0c-41fb-96b2-0dfa280d862b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,000cf098-1ef6-4eee-831b-38cb7024d99c,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82b98fd1-c5e1-4ab9-accc-b077f98bb03d,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5441cd2c-ebc7-469f-81d3-edb1c1c6807c,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32420b2f-a71c-4d39-abd7-366be57c67f2,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e52980fe-7be5-4abd-b976-1837dec0323b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5214491-f827-493f-8d82-c77f4c05fb9b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ff5fba-2c12-4db4-8d5e-1b803491b2c0,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef12693-3fc0-4219-8cf8-478a2c60bbcd,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89617765-16cc-499b-9c51-87ec04483467,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5136c3-d4e3-40bd-8714-0d3d909b3190,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f57564d-9f68-4d4f-a691-ab33e4c1b319,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8dae5a6-b4fb-4b43-9329-b9f197ea67d1,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b41263a3-b6a8-4a4e-85e6-5533fa0c441b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10faccaf-4202-4ea8-9630-cc5ec56794d0,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78888041-a2fe-4563-a505-819f7456ff45,"4/16/2021, 
9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c391fe59-6e3b-4244-94ce-9441945cfed7,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04fd02bb-3f62-4c13-93e6-7c2370ebd8cc,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5fc0a8b-d9f0-41d0-a4cf-75ac52c2a960,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cac3031-687a-424c-89d2-d735e266ef4a,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d872c27-701d-44c1-848a-22ca053c6813,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaf65622-afd6-4009-8eaa-17a5058bb7cf,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db520d64-e968-418d-adcd-15fd992cbd16,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\IMAGES,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e4ac62b-aee7-4e08-8051-9e2676606643,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,885904a8-08c9-41bb-9d1e-db69e3036262,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53ae4ef8-8704-47b6-bf04-01c8dacdf14b,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3110851d-e9ea-4f24-8dd1-182fec3ecd63,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4df915a8-ca70-427e-885c-b2be8fa6f4cf,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0234aede-3bad-42a9-850e-ebc533997f4b,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97d4f4fe-0a50-4a5b-9530-825360ed184b,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f59b3220-d5aa-49ec-987c-3c019413cfab,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28a06899-0997-4845-a2dc-3cce05dcffd6,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc655177-eb34-4223-8fd3-b3f6de64b727,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6311ee9e-d81d-4019-952d-24a6fa028433,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df105bdf-5add-4a55-818b-d7dc8d8a1e35,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\SCANS3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c615212-a9f3-4bd9-a3da-24731333f39a,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9812 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f6f7deff-91fc-4252-a5be-b4e94e685aa6,"4/16/2021, 9:00:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10892 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,516aa088-1d66-4bd2-9fd7-15ac7ebafc06,"4/16/2021, 9:00:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10972 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,7daf441d-2886-4ba1-894d-ce059ce9931d,"4/16/2021, 9:00:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e74739d5-0f17-40fc-a993-5057323776b8,"4/16/2021, 9:00:49.278 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f294b1-7ebf-49e4-9b8e-b16c7df4be3a,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,649c94f4-517b-4a1b-8e96-3d69a9fe8bb6,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7421e6c7-c8d4-4019-aaa8-aadd177815cb,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efd31c6a-8a61-4f92-bc43-5d69dc063f79,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aea61532-a855-47ef-bb0e-cab2b00fd2bf,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f42b95b6-3080-4d2c-a241-34767790d7fc,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80574306-4a7e-43a8-aebf-0e593fe7bcea,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e47e731-d368-4bf7-9be1-d45d1a8a1697,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf17182-ca59-494f-9672-64bbfbdf970e,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8865672d-289f-47eb-8b21-8b274f1bf69f,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb044081-81fc-4b84-bee9-dd1f376e0658,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c685921-5067-4975-a82e-d0f21fb30fbe,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ca2b6c-a101-45b5-804c-f748fe88e3f1,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20fb0fb-1f3c-45ca-9fbf-bfca0a45af72,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6cd67f2-2136-495d-97bc-9eee8fbdb9a6,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a8c0ed1-8264-4503-b27b-7539b7ddc7b1,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65a7ee41-708c-4672-af39-188477a3dd9d,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b762e52d-e662-49cd-a718-3b57e82d9f8f,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71956bf1-5444-4581-ac1d-e93eb321183e,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a8dcca-024e-4523-b5f3-a1395c3ebae0,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c8dcc4d-f17e-461d-b3ef-7320aa85e429,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38daa2cc-1780-403a-9204-1bcbe073fdec,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fd6466e-eb45-4346-ba31-34b45ff93d8a,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f85d68f0-bd96-456a-a0d9-33ed96f364b8,"4/16/2021, 9:00:51.667 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4be680fa-ce8c-48be-bcbe-3064a27097f4,"4/16/2021, 9:00:51.667 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,85ac9e94-4d88-462e-b864-4244fdfec10f,"4/16/2021, 9:00:51.667 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4488 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b66b723-af8e-4394-82b7-d801dfceb19e,"4/16/2021, 9:00:51.667 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,770df027-6a4e-4a06-8ae5-22d09a0e37c0,"4/16/2021, 9:00:51.667 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11228 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b35f742d-baa0-4aee-b860-77bf0a915152,"4/16/2021, 9:00:51.667 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2f005e-3071-477e-bb56-9842dec605fc,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,698d2045-83eb-4da9-8045-928df0e31f1c,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57a0fee8-4ad8-4c7b-92df-402fd9165a43,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31533279-3016-4078-9e3f-d482da374bea,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9fd5ef-f933-4bf7-b7f0-57d9e47660d2,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01e67b80-82b8-4f70-a1e3-cd0bda71b5d9,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,553097c8-340f-43e0-9089-39130d36af4d,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f155fb9-6bab-4f73-b4ed-768eacb90ad7,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3cad9da-e18e-4d3d-8c67-801a260133ff,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,313e8a04-84db-4086-8242-e9eb083b6309,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5f7b814-4392-4ad4-8d2a-66e1c099b82a,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,128f48b4-e14a-4f92-b704-3bff4aef8d75,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46ff2cd7-d85a-4621-8150-1159b412a423,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b689339e-784e-46fa-ac81-646785b8322e,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,289db7b5-9038-4893-aa64-dd11ef175fb0,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7b2efd-d636-4e61-9afe-996d3cc6902f,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ACC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b228a225-435e-427d-bf44-2531bc167a84,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf643ff-bf7b-421c-9ac7-530e92dfec06,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9a977c-946c-47e8-af67-e0073527e6cb,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11d73c1-e355-429c-851c-908fafc4620d,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6046c364-0d8b-4c1c-8af5-2702ed114195,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ea1c6f-fa41-4810-bba2-d80c9699624d,"4/16/2021, 
9:02:16.124 AM",,,,,NTLM,, +\AAHZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd6d7913-8d23-40e9-8ceb-5c7debd31538,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3708d0ac-9957-4751-bbf8-b1c2d4be4394,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2dda8b5-2a37-4564-af3f-5554cfed79f0,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b62f829a-a46a-4f4f-8ef5-8e590ba628e7,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29a3d53e-50b8-450d-9399-5204793c4f88,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be802997-edaa-45aa-b683-a04fa423b3a2,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a177ebc-b110-4a34-9766-3b43f7706572,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a8a341-4ff5-4860-9ace-a6fa7ceb7c56,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09dda073-bf83-4ef2-8639-06e4a2f60443,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,888c0079-92db-448a-b458-54fb6c1cec46,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a92758-db86-4a84-ba2d-eef430991e61,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,254d21eb-ed5d-48c1-8545-bd7aff0d20d4,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2856c4ec-c961-4396-b4e4-90431ebf7e0b,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d88ef259-294b-4e4e-a0c7-5da3d7296b25,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41752a7e-e83e-415a-8034-699c56b13098,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dbdd8b1-5c2a-4a7a-b416-c369afc476b6,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bab6d93-a2f6-4d89-ac04-7a6ffe5e9aaa,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,882502fc-d7c1-4cbf-8f8e-9f8545fe0981,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44879d62-fd8e-4177-9a42-7b689b2f4ebf,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20957cc1-7b6a-4541-902a-a916efb083a9,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8882d1dc-406a-4fec-8294-66333ce772d2,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d76979ed-7ae0-4126-972e-21adcc5f96cf,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9726c268-a0f0-4c13-aca6-29855672e551,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,745ca89c-2c8c-4185-84b2-7f62a36794b7,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb4b635f-5ed9-4650-bc1f-b588a01d7e25,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 3192 + 2021-03-26T16:13:26.213487000Z + Microsoft Software Key Storage Provider + UNKNOWN + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\34917ebd2ccab6c02f40bc8086bac7d7_64407fac-9a41-4e9b-928b-8e63ee96a551 + %%2458 + 0x0 +",5058,5058 - Key file operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cc4955fd-a05d-47cb-8b65-ca90b8325ea2,"4/16/2021, 9:02:23.863 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,414099ee-500b-44e4-ab00-9e5f241cc0b8,"4/16/2021, 9:02:23.863 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 3192 + 2021-03-26T16:13:26.213487000Z + Microsoft Software Key Storage Provider + RSA + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,eafec628-c842-40d1-9e77-7e5fa8c4b597,"4/16/2021, 9:02:23.863 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 3192 + 2021-03-26T16:13:26.213487000Z + Microsoft Software Key Storage Provider + RSA + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration 
operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,987f6b35-7c88-4a7b-aa65-d16810be8e67,"4/16/2021, 9:02:23.863 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,0ba0be7d-19dd-44bc-9ff3-6c0f20cd8526,"4/16/2021, 9:02:23.863 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4608333f-c163-479e-805d-b09b565b2815,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,470c3728-2617-42bb-82b3-5eb617011264,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb9f27e6-cf35-4e00-ae70-4600d4a3cb77,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0985ec4d-073c-46ef-82dc-e925ab4dbcfe,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,983bbbe1-fc37-491e-95a7-ee756f34da33,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ff9dbc-e003-4552-b338-4656ef5716ec,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\GUEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35cd0ee0-68ae-438f-882c-7e9433647d12,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ec5119-45ff-4d19-ac0e-dad21bcf7aaa,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a442af-e179-45a9-97fd-332b3fb095ab,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d8fb743-64ba-4a4d-9db6-ad63bd4753dd,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe87eb71-5df5-4b2f-969f-1c009be062fd,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cb9fa5a-7700-4c5e-a34c-31d365a0adbc,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd427595-d3d7-4cbe-a6a9-c584fa055eb0,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a899c23d-5521-448d-8166-76924e709bb7,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32fc9406-a833-4d29-9c1b-a64f3d8d448a,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb1114d2-6b88-441f-adf1-e2463ec92299,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ebb583b-0a4d-4b51-b536-d68b73a7155a,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2943d350-b853-4cba-8447-634a030a8a2f,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a57e09d0-800e-4f17-85a2-e4457df5a947,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea022c42-dad8-47a8-9eee-306ca3159109,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9184f65-85c6-4ee3-b327-3e875d08ef00,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,507dba93-3da1-4348-b3ec-0de95df558e2,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,105b2f8c-5fb5-41bc-adac-5805abd77e35,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef82ad30-8057-4f36-a00e-ea50486ce459,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a625881-6d3c-4796-9eee-0f2868790129,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33865403-460b-4683-a62d-b81cc2ff9f5a,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6708 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a055af1f-8f8e-4799-8147-2592b6453ab3,"4/16/2021, 9:00:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6996 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b6f3e68b-23d9-4fa3-9e2a-4c2c954613d8,"4/16/2021, 9:00:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3ad04785-31fa-477b-bbe7-5ca3d618de4a,"4/16/2021, 9:00:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a46463b4-de09-46de-b79d-12ba0519cffe,"4/16/2021, 9:00:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1bee9c79-3df3-43e3-9b12-cc646d63ce89,"4/16/2021, 9:00:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9e21fc1a-440b-4671-ac5d-53c7d8b7defd,"4/16/2021, 9:00:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,16e3c459-bd58-4a8e-9993-9dfecb689c96,"4/16/2021, 9:03:01.062 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,fe80b7fa-0bdb-4e01-b05d-6aa5f2d23dac,"4/16/2021, 9:03:01.062 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,41f3dacd-90d8-4e55-aba4-082f8af13a9a,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6b86221f-7d48-4c50-8498-bac5564ec0d8,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c99842c5-1c02-4d34-8183-849a7cc7ea74,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6f18 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,1d9b144c-ffc9-40c2-8418-604601201769,"4/16/2021, 9:03:01.062 AM",,,,,,0x6f18, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6f18 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d6cef970-c4ce-424f-9a62-4dbec0cca35a,"4/16/2021, 9:03:01.062 AM",,,,,,0x6f18, +NT 
AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,c47ab2c1-2248-4be1-be5f-3d4a4a675840,"4/16/2021, 9:03:01.062 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ae9d60a2-bd1c-4d9e-b764-ffc29b8e2352,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,bcfef0e0-3c8a-47c9-a3a8-919771c4d660,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,447d3174-324e-46e7-b557-86672f20d892,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3b45c0b9-f093-4107-88ad-5555b9c0cf5f,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ce18dbff-efcb-4a32-962d-66c2bd325871,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,027f54c1-14a0-46b1-9b2c-49e16ac06004,"4/16/2021, 9:03:01.062 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,7f617566-3542-439b-8129-823aa6fbddd0,"4/16/2021, 9:03:01.062 
AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,fa23d664-6795-41a1-8cd1-2b12536e6e6f,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,61c917aa-cfd2-4eb0-b529-3e75e4685346,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4a833cbd-da9f-43c6-90b5-249ba460066d,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6ce7497c-f804-459d-bc66-f328a4134943,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4247e79a-0212-4ce7-9961-9e091d708ec1,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,09424212-f1c1-43b9-89f1-af9d3aec9665,"4/16/2021, 9:03:01.062 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,457fcd48-6493-4144-aa01-323ac497187d,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d50be15-911f-4c5b-b06d-ad7497112847,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d6dbb36-c3c6-4748-9066-26cc7c7530ee,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cfe22b13-7a82-443f-b325-e2d313ae05a6,"4/16/2021, 9:03:01.062 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b2fb675-1ea0-43f5-9fcb-72aeb6cb5c57,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8464092-bd61-4c52-bba9-7880e0515e3d,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8268c88-5a73-4134-9e78-ba92814d3973,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e592f08a-8856-4c64-8836-e6121e1c8e38,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8339a34-7438-47f4-8a88-23aeb9957972,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecc963f2-56f2-498c-a46e-0dc9564c99aa,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,985f243d-8306-45a9-8261-d90594c780d9,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd7443f8-3a63-46e3-889e-b889bcb4f384,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee83bcbb-85fd-4316-8864-e0bbe4ec17ad,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52c24833-4840-4f4c-bf82-869b6e50971d,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54b9f0f4-25b3-46e6-941a-f9ef11006b84,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ded1116-b48e-434e-984d-29950c1edafc,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3bf6223-f590-4d62-abf2-a35e12ff702d,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbb3e5ee-e5f6-48ec-a405-7117d5e87b50,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\ACUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0160a4f2-681f-417b-8282-e4fa19e88527,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3d00add-8fca-4329-ba9e-3d76ff834e70,"4/16/2021, 9:00:57.658 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,302c6ce4-9c15-44cc-83a3-814f56a8c18a,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b164fc3e-7c57-4882-9ca2-059d5c312154,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00133fe9-a0c4-4190-80ad-345b5f861918,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\AAUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d661015b-cac7-436d-bd6f-1b36cca22b38,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e5fde6d-73ba-41b1-89f4-becc93f3cc4c,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ad1267b-9d07-40bb-97af-41e4bd182e3e,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,77c01f33-3dac-494a-8fa1-50d58655b696,"4/16/2021, 9:03:04.578 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7256 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b6ea5d47-b15c-41e7-b887-8fa89d7aea46,"4/16/2021, 9:03:04.578 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,43de88d3-ad38-43dd-849e-3d0e552e4f5e,"4/16/2021, 9:03:04.578 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26e10da5-005a-4f50-985a-5bb9c264190d,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bc93af5-5cbe-44a5-a7cc-d73d056cd0ee,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81dc1aae-a660-4cc0-abd6-d2697d011aa4,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4068916-c4a1-4a8e-9325-39fe3bc9c9a6,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,286a47dc-7cb5-4a7a-a14b-24a4485306a2,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc090be7-3acc-4300-a045-22a2a617c4f5,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30bad612-e4db-4135-b74d-95fea9f17640,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b82a5d-0c0a-433a-997f-ff31cb4ed335,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cd77520-7d84-4e2b-bf00-43fc1a090c1f,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7dec02-3e18-4880-914d-28a1fc944df7,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6b9a8f2-d981-4a5d-86b1-9fe83b858074,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59d256a4-ca99-47a2-a82e-7656f3482297,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352d8ff6-89ec-490f-b5cb-5baf16a937ea,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24f22200-0123-4447-99ad-fba050b935f7,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc505787-d3f4-4727-9aef-c23e8b86a1fb,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b3a9a3-8fe6-43da-a6fa-c3887e39a271,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\TPV1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3133c00-86da-4f73-8e50-944798ae09a9,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcabfbd-3ea4-4eb2-a4dd-e35f9acbd557,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97bfae20-9bc7-415d-bc5b-6a8698f88df4,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,031fe6b9-dbb3-428a-8fc1-e25994d9dd40,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3f90a69-9bda-4008-9e20-de50e2434f06,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535db6f8-6c7c-4b7c-a32b-7bf59cb2d1eb,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbb9560-25b9-47b0-9ba0-90692c9fda49,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb26ef02-2653-4885-ba12-fd2ae1c5ba78,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80871969-decc-49d9-bb89-8a1cb4b39313,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9db6d7c-b8b4-4352-a679-efed783e5ebb,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdea92b5-34cf-45a6-98fd-8928fc9947c8,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,377d6978-c098-4f32-b4b8-6a4157e30ddf,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91acc39e-8407-4750-b58a-61d4c7897fe1,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,120cc28d-deef-4842-af25-0d16cb853593,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfd52700-4901-47cf-8af7-ce1c3c49e571,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4dbf717-6b87-400e-b3e5-795e2bc87620,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b8b517e-18a7-4370-9854-7f98e2a3f557,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74425df3-053c-4afa-adcc-b3b7cae47888,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a08572c-8d06-49fc-be14-9ac724ae6fd7,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f5feefe-c655-48be-b57f-fb69dfd3b023,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc1db56-896c-48ba-8e29-59e3b79847d4,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa534f27-ebff-4d6a-b0ef-d5c66536fa40,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db220f82-77ae-418f-b27c-26df21f4404d,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b944e54e-e98e-4f5c-8384-59b97a26daca,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e78270b-a116-4abb-bfeb-7bbb16164564,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9204beb0-aa36-4827-bb13-003cc69308c1,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\MAGIX,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919be1aa-527c-41bd-a1b0-89e456dad773,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b7f600-b7ff-4110-88bf-aee040865b63,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8153ec9-94cd-4508-9d8d-ae54e5090388,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,692197f6-da31-4387-ba9e-81e7f754ba52,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26adf04f-a5da-4fc1-81b8-a718a50c3c5e,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,12ee7663-6481-4ed3-94c0-3f77c9ebbeec,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fed4c430-46a7-44d2-b3b2-4591b92e8a76,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cc03a5fd-5ddd-4915-80de-0e6a53ae7471,"4/16/2021, 9:03:36.057 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2616496b-8bc5-46e2-b3a6-63548573696f,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,69628ec6-1d2f-46db-8143-775f4ffc2061,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7bd8846c-9b77-4c22-92c6-5909aeb89efc,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c452d39c-8ac3-4a57-9a15-771e9b829eec,"4/16/2021, 9:03:36.057 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5492 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,20a67607-97ac-4bbb-ad64-72121569904f,"4/16/2021, 9:03:52.859 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4980 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3851b2d5-7306-460e-a6b3-5dafe93857f6,"4/16/2021, 9:03:52.859 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b1078e6d-b276-49ac-aa7d-983792f69304,"4/16/2021, 9:03:52.859 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7a49a436-baed-45b5-98c4-e4263b17c43a,"4/16/2021, 9:03:52.859 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,53010f32-2d0e-468d-8d9d-075b5e1852cb,"4/16/2021, 9:03:52.859 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e799adee-8b24-48ee-9f0c-d57173834374,"4/16/2021, 9:03:52.859 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,659e9e82-899f-47c9-bf76-42e3091646e6,"4/16/2021, 9:01:09.865 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d861f27-7bd6-4577-aa32-253637a38994,"4/16/2021, 9:01:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2560 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fd2fd183-7774-4aa3-987d-fa32653e6090,"4/16/2021, 9:01:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84c1686a-b3fa-4da6-9ff1-0762f6258c2b,"4/16/2021, 9:01:09.865 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ac2e792f-a6b9-4e23-b2c8-96c9d1e36fef,"4/16/2021, 9:01:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6028 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5517d5bc-437a-452b-bb62-4f550a47e2a4,"4/16/2021, 9:04:06.724 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc91c404-87c9-4ba6-b50c-d951dd4896c2,"4/16/2021, 9:04:06.724 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z 
+ 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b11e19e7-5ae4-406d-9a39-e34fcb1b9e91,"4/16/2021, 9:04:06.724 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e24c22b3-1a4f-4d7a-9585-2fc2a96078b4,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb76ac64-7bdb-4c91-9b3b-2f215e4de312,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f0ec3d5-01c3-4f81-b1cf-bd7ffe8bbce1,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\SSH,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30b87e7b-106f-4346-bc26-64343373ba1d,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4d43aaa-ea2b-4bb7-9999-23dd7894b4bb,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4e286d6-3791-41d6-ac80-f12c83b6af22,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae224d03-025c-43a9-aa87-17a5b773c4dd,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c75df29-515a-4da1-a619-7775ebd49c65,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2578289-6cc9-4c2b-814c-9cb087811626,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89409cec-2073-489f-82a7-f4ba468732c0,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e749ead8-d95f-4d47-a27a-b0171dfc8c0d,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\EYO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3325962e-783f-4737-b02f-911f2689c021,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13065052-ffc5-4088-9f49-7955a0ae0ab9,"4/16/2021, 9:01:09.663 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08a5ce99-25f5-418b-92ae-c49d3b856ef1,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,105513c8-697d-44e0-bb5d-88e91ad95159,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a7fb23b-dabd-46ff-8c23-abf432a19264,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6ec1e20-eac7-4855-bea2-26faf79415c5,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d02cc4c-cd7b-49c7-9820-9632ca948fdc,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77d6707c-8665-410a-aee1-3f00cb8dd683,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eae12c4-a8f9-4bea-814e-d69f822a6e06,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4d09eff-6978-4038-b15c-76f18127f807,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,317697b2-2cb9-46d7-9081-43cf1d6a6b30,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6be269d-3e2c-4c4c-9ec2-71bc7d7a73de,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,47bb5893-d5bf-4174-8066-3d80bdc10e66,"4/16/2021, 9:04:08.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ca9425da-f512-4f91-a090-6f11165d217c,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bf347fd7-3eff-464b-97ba-f60f8feca348,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3a68bf83-5170-4a22-9a24-48fdde619fc3,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,7d50eb9c-071e-4f46-848b-88e7b2bfb50e,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key 
file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,70de5afa-2f32-4d74-899f-e1c4f4c26940,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f7e2b4a7-4659-428d-8f07-5feb78809a84,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f17b318f-dc06-4c35-a0c4-693502b15408,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,caae4daf-8366-4101-9c05-e8fdf5310fd2,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8e2445b0-e5a8-45a8-862b-4f4442b16fa5,"4/16/2021, 9:04:08.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0190917-90a7-47a6-8c9c-238cadc8798e,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7e2700c0-407d-4167-9db4-a3f68a1de0fa,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,102dcdf4-b366-4e85-8981-e781c142bc5c,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e401aa37-5c4a-4e0f-9125-100cc41b0639,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,07c3da91-18c1-4013-825e-bdaf88536dce,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2126c725-723a-4a32-b53b-65187baf8294,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e7d0abf5-beea-42a6-95ef-68826435e8d6,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e989af91-e2c2-49d1-a213-723f0bca80de,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14a6f38f-014f-4bfb-9ccc-57e889d18bbc,"4/16/2021, 9:01:16.098 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ee3a2a56-9a05-4fe5-a24f-dca1cd076e1e,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,163d2e02-2328-4691-affc-f9075135494c,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9bf5248-b8ee-40dd-9e0f-78575f609abc,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7de0506a-fa2d-43bc-8f8b-a2247d6d7f2f,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1b83424-7f96-4d0c-9f02-15ac707ac2a2,"4/16/2021, 9:01:16.098 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,82e6fedb-0976-4589-8e5e-40e0efea4a71,"4/16/2021, 9:01:16.098 AM",,,,,,0x854, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3a20aec9-9c1c-4a45-9311-0c8045a97fd2,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3dacbed7-7849-4e79-8673-b13658034715,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 12812 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 4907DF27D7E70A824E8BD9BCDF3B222C3D8FB687A9986541432520AE204173FE + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1049 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fff1757d-a145-4051-b760-1412f8a99cee,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3445d795-9ed1-41f9-b6cc-b232cea7f90c,"4/16/2021, 9:01:20.863 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,3c8a1a71-cbe8-46a4-979e-623b4265b4e3,"4/16/2021, 9:01:20.863 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c71f1739-afcd-4664-94d3-6dcaa749878c,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4640 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b262b01b-85bb-4a00-995d-a03d5ca10387,"4/16/2021, 9:01:20.863 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a77a7ea-ffa2-42d1-95be-2ff7b96b62bc,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb7a6a8a-3332-4abe-8392-92f2ab3f9386,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64ca9d75-e5ff-4254-adc1-c24bb2cde974,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28b2cdcf-c1b7-40aa-bb14-d2a579960c3d,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbfb45c0-45d1-46f5-8401-2777c48a1b54,"4/16/2021, 9:04:21.675 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a19d323-f991-4159-830f-4f47febe230b,"4/16/2021, 9:04:21.675 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb508615-60fd-4a52-9c17-5bd789436f47,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fffa9e6-72fc-42fc-9170-ea57f185a94d,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d8f5b93-235f-4276-a48f-901462932fe9,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df91197c-d337-4284-b8f4-ec59bddb0bf9,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8d7404e-e40d-44b4-83a8-bee7053f6ab1,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52ebe1b8-b946-4c6d-9a55-58d25d8e7c9e,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cb7b505-29f4-4c9a-80e6-b1abd3740775,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7394c745-23b7-4b22-9418-33931c82f073,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7a58edd-498b-44bd-8d67-84514b4652bf,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9538e8ea-9a0d-42db-bc2f-84add78daee7,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85e6d417-e3fc-4c5d-8669-1ae75f2e2d4b,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,077f0d40-5e24-4509-a566-862c81081d88,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2dd6260-2828-4546-87d4-a3d2ce27210b,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f7c35f8-b61f-4f00-bdf0-024643730a11,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4a8cf7c-e4ac-44d7-8292-745b3cbd3d8a,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa8a71d8-c9cd-4254-98e9-91fdb49887d4,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0d41c7e-7d4c-4e07-90ad-aed2de185375,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e43c5772-3158-4a55-b9a4-d68363c6ea1e,"4/16/2021, 
9:04:21.675 AM",,,,,NTLM,, +\SERVICE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a1c0ef-fec4-4b34-b268-cbd9929a27f0,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef4db33f-b474-4ace-aca4-c79934150a76,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c871b201-2375-4a08-b62b-f9ed16320f1f,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eba47ea2-ad50-4ba7-bb66-aa90b3170dd1,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400e4da3-14f6-45ea-bde4-a4c6f779c1f4,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42f0fa81-026c-44b5-b5b2-680342ccbbac,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb7c626d-0c8c-4c03-9a4e-28c95f0cbb81,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d729631-4ddb-4156-a39f-a4197f37ac15,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, 
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5194e468-c22f-4631-8711-2f130e881250,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,236bf545-d5c6-4758-aaa2-ee92083342b1,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,183f43bd-e7b8-4fdb-a6df-9b9140aba35c,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f3545bd-bc75-41c7-9432-d50d1e8c0470,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30ff7b9-0445-49bf-b653-bff9129e0c3a,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,39835f43-74ef-40db-bc16-768fe1651edb,"4/16/2021, 9:01:22.124 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,048bd090-5a27-447a-beb1-fdadaac9c221,"4/16/2021, 9:01:22.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1c6a106-c289-4e92-ad24-1be0ff629922,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b4c9cf0-b27c-46dc-912a-bcc561eba936,"4/16/2021, 9:01:22.124 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9092 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f7ad67b-f221-48f5-83a8-4c0433b53919,"4/16/2021, 9:01:22.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,712b8ed9-7cd1-4bb6-bcf1-cfdc91fb513f,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ecb01fa-4e2c-4ebd-806d-a823d9b5d761,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ff5a8f9-77fa-4cdf-9cff-86cdcddd6788,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,960c1ad0-32d9-4980-b4ea-69b159a0678e,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0474b16f-b8d9-407a-8f84-74931a79c627,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7736 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ffc429e5-09e1-4d9d-a259-5518edc6865c,"4/16/2021, 9:04:23.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4720 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4846f1fb-e2d7-47cd-89cc-e2b37116ef0e,"4/16/2021, 9:04:23.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6600 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,14560dbc-30fb-47a2-8c52-0e389da4ce6e,"4/16/2021, 9:04:23.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13292 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,63f974a4-e1d6-4adb-ad18-a577ec239b3c,"4/16/2021, 9:04:23.270 AM",,,,,,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 6960 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT 
EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e19ef685-2df1-46ca-addb-c347f0f73c14,"4/16/2021, 9:04:23.270 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,7640a30a-40c8-4e75-bd8a-f96e57a307e0,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,27bdf465-2b18-460f-9a1c-cdba5aac53e7,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3660 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c33d1b4-ca7d-46b0-a4c8-f7d96e5cf046,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4a618946-47de-453c-b2f4-c0ed32070cbf,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has 
been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4cf7ce30-92df-42ea-9c98-f77c585672c3,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8600 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3891cb36-05e5-4cd8-8a0f-b7f71e0c7973,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 484 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9258b2f-e65d-4992-97a4-aafc2ede82da,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7928 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b8e10d71-e9a8-4eeb-bdd8-7344d6d35bee,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f48fd675-a925-47ea-8f0c-d1328035330c,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1172 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dc3e450f-b408-4cac-8a17-7f666c2dd637,"4/16/2021, 9:04:36.486 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,db25ef34-b78b-4ea9-80e7-68d443e10df0,"4/16/2021, 9:04:36.486 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c9ce5ca-d209-4f43-a0f1-8d4e56b6105f,"4/16/2021, 9:04:36.486 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,36fac12c-83d3-4869-86f1-593a6403ba6b,"4/16/2021, 9:04:36.486 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3808 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f699292a-761e-49a6-bf1a-f99cb9c776c3,"4/16/2021, 9:04:36.486 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5868 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ccb7a098-db2d-4212-b62c-33854b59bd96,"4/16/2021, 9:04:36.486 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5448e815-8f2e-45ec-9839-abf2bff6b16e,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c86e6da-d9e3-4f17-8c5e-8ffab433ab63,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0b29ad02-062d-4b56-9bf4-5d4853042aa5,"4/16/2021, 9:04:36.486 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ce2dbd84-0fab-4113-9e82-bcc56e70d82b,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\OVB,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b4c63ee1-468d-4c0c-a6a6-72e97ab11b2b,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ea2a7d82-dd31-4ff3-b8f4-4101dc3f9484,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5065f8f-33bb-4e95-877a-21b2958108aa,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bcb32f9-343c-4fe8-a338-6a9f5bebb056,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a034bb13-d336-40bd-8ae6-f0165cd676c9,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9387d9eb-acc8-443f-be8a-a40b8a3ec3a4,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a314f4bf-ddc8-41d6-9369-8a8990996674,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,954135f6-3941-4b67-98b4-688ea01555ab,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd0c555b-14a9-4c2a-a37a-ff44a4ee9465,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6ee9ac-2856-4941-8007-a39c0925e6ac,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e936f55-c84a-43e1-acf6-934b6bad5f37,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0c4dc27-a2e7-49cb-8b22-0f00e1bdd37f,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69f02cbc-9f31-4f34-95b9-4433e8f123a5,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32ab500-8603-45e4-9336-4de11c36ae27,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50709909-c0e8-4990-8f5b-241614d84753,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ded87d98-f30a-47f3-b63b-f4c1a8971c62,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1cf68e0-a0ac-4a7b-9350-6cd7694c6f4e,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d18b325-1f06-468b-ad07-d06f92490241,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17ea9d8b-cf55-49a5-b870-42fe4232b300,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385edb10-e410-4490-96d5-e8a80a3e6469,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96555968-d549-4030-b0bc-dac604c90a6f,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d44d8cc-278c-4503-933f-7507c3447555,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46b50a88-a920-402f-acf3-19344f1beb0e,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d124ffa-9a2d-422c-9079-a95dc5879a5d,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93f5b8e2-35ce-4559-a3b9-16a5da985203,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7867393a-3b64-480a-a861-ef76f2ebaa06,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ad2f354-17f7-41fc-8f41-044334f6c330,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77746d05-f274-4c2d-98e2-ef5e20a54fcd,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9f6e2234-841c-494c-bec5-b8385af2fd13,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8c8a6cf7-4e1c-4f94-88b7-69afcf9813d3,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa82c71a-229a-4ae0-b681-e70d0d261da5,"4/16/2021, 9:04:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fc4e93c3-5a0c-44ee-bfc9-429ece0e82e5,"4/16/2021, 9:04:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,1d07729f-66f0-46bc-a12f-8751009f2e81,"4/16/2021, 9:04:43.066 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3cb5835-421f-4798-bd4b-b18418602f70,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54514706-e965-477c-966a-4d20d6c7ed5e,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a78fd2b6-3f98-435b-9baa-bd110788dfbc,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54455091-bc50-48b7-b170-8cefd0082e74,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b273e10-390d-43fe-8fb4-3aeee142fd53,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add3512d-b0b3-4fe7-8221-289f9c2c8cf7,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\CUSTOMERSERVICE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87a1782-90eb-4a52-9f71-6a92ccfea271,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24251332-9b6e-4d41-959a-717f11474b68,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0bee55-d0a0-4cff-a081-d757732d3abf,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18ae38cc-d7b6-44ca-b534-2535cc19190f,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9483084-ee67-477b-93d6-36941c78939e,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac0f510-73dd-4c4f-8ec1-997daedbdfef,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02a5ea85-9afc-4426-96f9-0ee64c5672e7,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a56d822e-8d63-47f4-b28e-db8900822a9d,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2e50db3-2fb2-4445-abfe-1014a4ccf5bf,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b9e18a-7448-4c3e-8c08-4efbeb5fd063,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,f6c749dd-b78e-45df-97ed-345c74c16845,"4/16/2021, 9:01:32.188 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01cd8da5-783d-4c55-9a81-daf56698848f,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c112162-9629-44c6-af9e-1dfba7b226cc,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8e69199-6e50-4abd-82f4-c48405a94762,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a95f44de-1306-41cd-b6a2-5c262301fad0,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ce74d6-5142-4fc2-b72e-33ab927797b7,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26073faf-2bc0-4359-bea2-148d47b0bd8a,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49f8066c-1205-42f1-9865-846cefa6d989,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b4a26f-bf08-4968-8a10-134766562182,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fa450a7-d6e9-44b9-9422-6c64890f009b,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,27d77c8f-1578-4b75-a3f0-8c7c96853f8f,"4/16/2021, 9:04:44.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14500 + 70 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSEIR.EXE + 32 + 0A66182851BB6684883823A7F8BCF017BB30C761FB3241CC2CB0CAA19FA8E6FE + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSEIR.EXE\10.7411.17763.1697 + 0x3e7 + 72 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3f222d51-f72a-4359-a9fc-f1d1a3767ebc,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10108 + 
22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,94f7ef3d-73af-414f-adcc-0f6220e4acd6,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11192 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,698f1680-4772-4228-b4d5-78a885844250,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7140 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5e65db4d-a3be-40df-ba34-90275527f420,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c2e510e3-a368-4cb4-b72d-cb9cdd2dfa61,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5132 + 53 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE + 32 + 93CB38075CB505D501DE5D71B27AC877FCA882165EAC47CE236CCD00DEC982A0 + 100 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CSC.EXE\4.7.3190.00 + 0x3e7 + 55 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,93d18eb3-17c0-4c88-9cd3-a426c8b37cca,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8020 + 56 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE + 32 + DD01CFD8B16DBBBE45FE684F384AC9FDB0B7FC46A78E3330354FCB71F2DAC98B + 105 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CVTRES.EXE\12.0.52519.00 + 0x3e7 + 58 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,a0695066-544e-485e-a53c-8f4208ac63c0,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2180 + 18 + %SYSTEM32%\NET.EXE + 32 + 2D16BF609CB22E6F923D76098B47F619FE2CEF93E28961810069C30ACAF789B8 + 113 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NET.EXE\10.0.17763.01 + 0x3e7 + 27 + C:\windows\system32\net.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,436a63f0-0dc2-41eb-984e-4d93444bf1e0,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6212 + 19 + %SYSTEM32%\NET1.EXE + 32 + 6204A84B2E0F6EFBEFD50D51756EF7C92889EB91E2C5FBC705B898030A55D35B + 114 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NET1.EXE\10.0.17763.01 + 0x3e7 + 28 + C:\windows\system32\net1.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,551d2982-2121-4107-8d75-71f525e2204e,"4/16/2021, 9:04:47.100 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9802441-e179-4d26-9b82-2a380de3ce72,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25af53ea-ca5b-43b2-8f8b-d00d89a91d6f,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebf5ec63-e829-4f2f-888a-594aae4b13ec,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,240f7389-4d60-451d-ad3c-e0e3e1e26776,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77db91da-1bbc-4c51-baf9-135c68abe2b2,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84b972c3-8120-4ca8-ba98-2a163c74232b,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a720f59-e344-4738-bd45-4bd8e3509e57,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,384d7d4c-81a6-41fd-a41f-6aa2a9ce227d,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7a9fc04-c8f1-4163-b48f-3a96c3cbd7a7,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa1b94c3-50d6-4664-819f-a56dc7c30163,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31b8116a-832c-4c79-872e-e1047fda7f76,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b672c96-2dfe-47d8-af54-1616f0660d3a,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ad37442-62a0-4f42-a0d2-8ce7edce5a51,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbdbdee5-e65d-4b37-a939-3c3dcee6eb98,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb3512cc-aea0-446c-8f3c-9dbe186c43e0,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b17f593d-28b8-4223-9510-16a55e5fc37c,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5aaebc82-022e-4581-b107-a35da2ada03f,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,881bead5-a1de-4a5b-a35b-036cf1633f15,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd27a797-44b4-4e85-a913-c9073984cec6,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b1a353a-d6d8-402d-8f6c-e9d9d33b98a1,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52531bf4-d792-4873-9f3e-8e844f4e3f43,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ae70b1e-66e1-4cc5-88a3-6e445748833f,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50da4ae5-a6f8-4de0-aa86-a691bc0fd68d,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7056 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,24ec5aa7-ffb0-44e0-a721-c6da7ecf88d3,"4/16/2021, 9:04:52.732 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6520 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1238c9f1-fb3f-44b7-9654-04071eedd6c4,"4/16/2021, 9:04:52.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5a321c5c-2213-4d0a-9111-9d67dfb5a1d3,"4/16/2021, 9:04:52.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9a156e44-554f-4373-a752-895053363252,"4/16/2021, 9:04:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0de73c39-305e-4745-a0fc-ccbd3cc24f72,"4/16/2021, 9:04:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4724b8b7-60d9-4b01-a820-7a28d1cc8393,"4/16/2021, 9:04:52.732 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945a6c7c-bad9-434a-acef-48b97e732138,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaf8d442-957c-4343-b989-2e9e27029729,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419dd0ba-41b4-4b54-8dcb-a40f0a889595,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd82412f-0659-4a4e-b748-56c29ac9fe65,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46308b99-67af-47d1-997c-df3d4e02a1c0,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852033aa-b77d-427e-87d9-9851928dd535,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d695af-1cb2-44db-8116-5b32ab0f5d67,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c466b9f-af8f-4c3e-bb19-bc1abf8a706b,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c5b3416-9e6e-40bc-ae4b-f7188fad2dcd,"4/16/2021, 
9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25280472-717f-4726-9e1b-20633aa1d266,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0be1ee1-273f-4dee-b962-1c4803a7fd21,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e383acf6-8d98-42ed-b7c8-71ace7492ae2,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b801fdf6-ee35-4bc8-9fb0-5e33876b0d97,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bdbf51b-85e1-453e-ad31-c69411651025,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fbc2bfb-ac1e-4866-9851-f1305383335d,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5412d07-88a2-49e5-be48-d83e2dddf769,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79fe0f8f-910d-4101-ba13-c821b6e8d256,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,536dfb0d-6403-4ed1-81f6-ee7f2bea576f,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06843047-f32c-4e5a-824b-17edb89960b1,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b36f24a-ff52-47d1-8f54-f8c069331592,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b35db10-5fde-428b-af0b-308429482675,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,262b17f7-6db7-494f-88b7-2aa97fc2c9cf,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96cf14e6-2ad7-418c-97ea-216ba06225fe,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,098bf008-485d-47db-857d-a5fc7a5fe7bc,"4/16/2021, 9:05:03.671 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a496048-c314-4f93-a141-561e58816890,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13150f0b-7bc7-4057-ad82-b9afde3ef624,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9536e795-d31f-4408-8a3e-7e710644f3b0,"4/16/2021, 9:05:03.671 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ac027d0-7e62-4660-9fac-658b3fc0d654,"4/16/2021, 9:05:03.671 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b24da77-02e0-4ac9-b4b1-228834c56227,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b74786f-30f7-4b26-97d0-1b529192aeed,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\DAVID,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f75437e6-cb95-413e-8b89-fa17497ee30b,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47919a9b-d97c-44d2-964d-e40aaae617a7,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a4c480e-9f61-4b3d-a7d8-13057bc44432,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, 
+\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aca628ac-9c08-4ff3-a8e2-064cab0bf546,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67ebf70e-19db-426e-b5cc-455b5e90830f,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b8e383f-d463-4a4c-b8b0-03ec262b3fd2,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6047d950-9890-4315-ae5d-b57be989aeff,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4079378c-3e55-46e4-817a-da2c32fae1fb,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,514f9106-b481-48b6-88e5-ad71d4225079,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a214ac2c-6639-4f99-b838-c0421006ced0,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1a9fe4f-d743-4207-ac07-216e41705254,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\UJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e4657a1-1e32-4c3b-95ab-dbf98a05e74d,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6adf43df-6889-4773-9c34-57c6c9605563,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,724b4b7b-59b6-4fa8-9fe7-62c289d6b983,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b992a43-a054-4cb7-9182-4b2e029b4b4f,"4/16/2021, 9:05:03.671 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95876a75-0c41-468b-84f1-627ee2f6919d,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45449d47-0e72-4aec-babc-6054353f8eca,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ed4ffbf7-678e-4b17-8c9c-469d3f239404,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,951e2cd4-b609-42f9-b01c-ebde6376eb3e,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,30c48202-f468-45b5-86f6-8a9373e9c53a,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,74ececc0-41ef-4891-bb74-e7053ca5d364,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4932 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,61ab9d1f-ff67-4be0-86a7-db4bd6586dd0,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3220 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,920c2214-d346-4b81-a2b8-715abdc0d6c2,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4893d702-98a8-455b-ace5-e46467742d8e,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b4e816cc-7b64-4e26-9c7c-fa34438b27fc,"4/16/2021, 9:01:46.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ecf8f722-5af3-4668-ac8a-3e3b3e191e45,"4/16/2021, 9:01:46.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf12a48e-67aa-44eb-86cf-fe7488c8533a,"4/16/2021, 9:01:46.732 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af29ac01-b52d-4b74-92db-1b4b19eeee1f,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6940 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1681b3d1-579a-4956-906d-d2e3b93c9d47,"4/16/2021, 9:01:46.732 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,430adbb0-c447-42d0-9af7-454ec716d1c2,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50a7ecb1-4de0-41d8-bd6b-91fc63279d06,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98b2ccab-9392-4c37-af08-8e024cd8b92c,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c98ec7d6-e662-4dc8-b8b6-a0d7f77938dc,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6943f585-7941-447c-97c5-d8a9b1ea8391,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6de72a-5274-4209-aa91-8f5614b345fa,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57839a76-fb8a-4daa-aa09-a3a2b072f396,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0764a30-d842-471b-8160-0146bf0bcd1b,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85750969-de24-413f-b2f9-83fa3a0e61a7,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61bc4ac4-e424-4570-8292-981c8978b942,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c01dbd-7f3e-4ea6-8b56-e15eea2895ba,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7e2f6b3-defe-4011-a1a4-2fbd16ff568f,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1930659c-f87b-4cd2-93c7-ff10d142d22f,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\FTPUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31c5bf81-ebd8-4623-81e2-eae3b3bb5a38,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9fc328a-bca3-4a2d-8f42-ec9942b123e1,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d07ab99-2ce5-4b07-90be-4d2c99b28e63,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9d1b10-794d-4498-bc92-f82b6ec8952c,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3701afec-f428-4f81-8345-e08f8c93dbf8,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,160729ef-ba8b-4e44-8e7f-5988fe5c806e,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4864809c-f296-45a3-bade-cfc7acc71ea8,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16ee00d8-8996-490f-a8a8-2f919dc5c788,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b81b05df-f0a7-43c0-b530-a82b360a5fec,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,4450a4fe-8b00-400d-9ffe-40a8f1378fd9,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,b3ab6744-2585-4c3d-bf51-dd54c30c0f77,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + sarahf + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1000 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,2e6918f3-0e3c-4228-8c30-ade338f0e469,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + cris + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1001 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + 
C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,0dafd692-899e-4ba9-9f21-886587fd2fe9,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + cris + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1001 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,488d40f8-616b-4661-968d-098bab65dea0,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-503 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,c2de69b9-ab7b-455a-9a39-bb86cf0bfb18,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-501 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,bd867945-01c4-4471-824e-95f892b40046,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,e719de28-e20e-4c9d-b0b8-c60829b0442b,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + sarahf + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1000 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,e8c057a1-73c1-4592-a69a-3660c95d90db,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-504 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,55ddec21-58e0-4e2b-af98-e21e78d12f94,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,5c3c9a12-968c-4601-b5c9-3df75ee9baed,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,05c66b1a-d47e-490f-9917-4764b8a91757,"4/16/2021, 9:01:47.057 AM",,,,,,0x0, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e57d0de7-e44d-4ae1-b1e4-c6f52dc82f46,"4/16/2021, 9:01:47.057 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,b137cf53-f610-4e2a-bf96-d3b6d3900afb,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa2c042a-6588-45e2-86c7-5242299aa236,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6f407f1e-55bb-4368-87b9-944436c4ddf4,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5caa41e4-d895-4c59-8bd1-4be4d3416124,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,20a00745-98e1-4c52-acd7-cda102b554d7,"4/16/2021, 9:01:47.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4e22126b-089b-4add-932f-fefe889624c3,"4/16/2021, 9:01:47.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2e7cafdd-e17a-4023-986a-a973eea2dda9,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bfddda78-cd61-4389-b970-b9ad74098362,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16ecf2db-5aa7-43cd-a224-7571aaca3c06,"4/16/2021, 9:01:47.057 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6384 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9080cefd-d878-41de-8205-81b94794b0a1,"4/16/2021, 9:05:08.716 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3564 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c077a18f-60f2-4b66-a526-59d50269d3a4,"4/16/2021, 9:01:50.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ea6bd1eb-b37c-4da8-95da-98e35a6dd034,"4/16/2021, 9:01:50.280 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68bfed01-0951-40a3-8e75-e84dfd3f1d75,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e7cc680-faf3-4eaa-ba94-b72094e7802f,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04212805-c645-4784-a31f-32375dd263c5,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f19542ba-b6ed-4989-ab08-640b67650c76,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f739b9ae-af05-418b-a53c-0e7b0598d142,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5185b908-6489-418d-85c3-bf55fc05ef01,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2cf1bd0-0061-4928-9d3d-a4f3e3fb54b5,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6417d7d1-97af-46fe-818d-84c5b52bbc0a,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a054ef6f-6862-4023-9a4a-9cd1f9265e8e,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b7c08a2-ecd6-4443-a256-9a1959ed8de7,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e3ce09-6c37-43e5-892a-23f9e7c90c9a,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f953054c-47e5-4360-97b2-157ef41b149d,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1728aed8-7604-4c31-82b4-b27edd56f573,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,046fb918-6628-45b8-9d99-1fd15bee43fe,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1c2646d-5fa6-43bb-9b80-cbf92a2bb47c,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e626bfba-bb41-4711-b454-02e726f979ae,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb6d7d32-16aa-46c7-9740-c869d29c7577,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9d2f59c-b24b-4437-b8c4-d284e82f9404,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5cbfc8-637f-4a4b-bf47-2d1f34fd9e97,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a954b026-14f9-4e31-973e-19687da72912,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9a5ea1-d43f-413f-ae16-0d0eadf576e3,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68d28228-532a-40af-9c20-160956235db3,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38018413-e33e-4052-9d7f-b8d850a13db6,"4/16/2021, 9:05:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE 
and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8084 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4ce7b2f-8e83-415c-bee3-9342ceed52af,"4/16/2021, 9:05:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fcb3b34c-2842-4d25-b279-f8a0bf61bf56,"4/16/2021, 9:05:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93710aa6-bd0f-4a6d-b681-a9a0ff450b42,"4/16/2021, 9:05:41.411 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,436197b3-2430-47be-8dc7-a4db94620267,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,63587ae3-ce64-4620-b58d-4734e06e2a14,"4/16/2021, 9:05:41.411 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2a9457be-3f69-488a-9078-a6c88feb0012,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\GUEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bae23409-2977-429b-ac0d-52c3eee69af9,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d6f7166-a4af-4679-bc6b-21413c80e6e2,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6453899-f523-4de4-8cd6-13d7c990183b,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\SCANNER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0d3ebfa8-0138-4e5d-9dd2-f18a01b8a73f,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02a1d7c3-73e1-4f24-b1f3-42f23f6a5fc3,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62c55dc9-97a5-4575-9f11-268201a8fc12,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\VOICEMAIL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91014d7-cffc-4227-b78d-90af8fb0c8b9,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7ba756-9994-49b6-aa1a-4c0fd8f33487,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,459fec78-81b7-4e2a-a1b0-27c8f9ff7234,"4/16/2021, 9:01:53.120 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49b91330-7028-4055-8b42-3794c5236227,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c98394cf-c338-4f66-9991-2213dce23da4,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0099b90d-6f9e-462d-8b0c-ce44682761dd,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4493dfb-d4f6-4a25-a983-564db03b62bd,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9470fabe-5928-41f7-9fe3-c21bbfe2c0ab,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e353114c-5f6f-4e25-8a17-160965e1ad48,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4edd340-e594-4923-a018-6333eab9386c,"4/16/2021, 9:01:53.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,386a534c-1f1f-4465-ba6d-57cc69097b53,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7528 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7878d13-3209-462c-9606-6ce05b448a96,"4/16/2021, 9:01:53.120 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,987d1d4a-f3f6-4835-b5b4-98cbca76a53e,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fcaa96d-91b5-44fd-aef8-23699eb513b2,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1049f0f2-cbf8-47f4-a0b2-aac34817c254,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6af29054-838f-4d11-a1e3-6e6f425ff436,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbb9339-6fff-4e45-89da-bc416efb6ca5,"4/16/2021, 9:01:53.120 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a8fe7f-aef8-4e28-b5f6-82e4f3bf1e3a,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bfc1ff8-2ab1-4784-af96-5622d1ec4fe5,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42e64542-0ec6-45c1-ba24-662b33be2b08,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e223745-7534-477e-979d-2eb0c196b8b9,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1ae734a-2d7f-4e94-822c-745a5097062e,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d71f6ca-36b2-4e6f-bb10-d26993eb3868,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30884853-96d3-491c-b58e-0b209eaef5f6,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f65fd96c-2af4-41b2-a036-93a8b49219b7,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbda0fdf-3d8a-4f8f-b701-ee8bc6d0cbf8,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc4294e1-1ce3-45ba-b1fa-4b625dadad37,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5ca64fd-1613-494a-89fe-8f0653264a85,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31c11271-1b0d-4da7-a2a2-df2f67fce177,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed180d1f-8156-4d03-9723-a4b086427ab7,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47ecfdb4-52c8-427b-94b2-f35a2ed77211,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,683fcb33-7662-4917-b511-20f5d866e2b9,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16b2d3b3-69b2-4c04-ba95-d474c19c142a,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf500fa-e812-45f1-9537-e71d57f86759,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f879a4ba-b5e7-4ad8-a791-7fd52662cb62,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,091e2937-586a-441d-ab3e-acd6a83703b1,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2fa437a-0f92-4543-acb6-82cae77f40bd,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3b8afc-b71c-416f-badd-4408cd9f6fd9,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5533dad-e96f-4345-b354-6e6b9042ecda,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f67f7db7-3498-49b3-94b3-500ee602ffc2,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99bf820c-4a02-4c3b-8af5-adc085a3ef32,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eeb3201-2091-49dc-a565-d6df966d6a78,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b6fabb-f7fa-4bfa-845e-d42d001439fb,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1f85943-fc24-4b25-a22c-5456f1c69cb8,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4924 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a9ae7e91-0dbc-4a15-8b5a-6d297d17bdf7,"4/16/2021, 9:01:55.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14284 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A 
process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,969a3dcc-35b1-40a4-a9f2-ea403702e3b5,"4/16/2021, 9:01:55.997 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4899d96b-4829-4a20-b704-8e66f6307bd3,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c205059e-3651-4873-8169-dff1d8958d6d,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8fdba5d-b6fa-4f4c-b9fe-fcec8a90ed85,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\CJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b258b6e3-6b93-412a-81c4-2c5e378bf84b,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a87d8aba-59c4-4252-9170-d4ec19abefd4,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71fcaaf4-23ec-4f5a-8d95-1e8ec0e76f03,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d95fceb-41c4-4fa8-8899-896b1aee7bbc,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a78cc50b-2bac-4c44-8241-c892af7942e7,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9cc1403-562d-4174-aab4-c0503f800f50,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8aec85c-f67e-4560-817b-d22f59accbfc,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1f63426-3245-46fe-bb33-36277846e590,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,849f5c18-9a52-4766-8a7b-5b23b845f8ff,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06973aea-efdd-41dc-bf33-8393f63b1949,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95cacb54-8eac-4a3a-b4d5-f9f399a1cffe,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40b0d896-0f09-40cf-8b4d-9814a20ff52e,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe1466f6-a857-49e2-a5cf-585888aee142,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6092af7-8d91-42a1-9290-d64350380038,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5446ca36-8420-4a43-9795-887b7274c106,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2114c7f7-1ade-4e64-9c2f-912f8cb9b77e,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4648b4c-9ff5-4ca9-ba3f-1ec3421e8dc7,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35aedc17-5a78-43d9-bab5-827dfc63cec8,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b0089ff-cfdf-4f1b-af59-79f2a9cc1a19,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc7e5e02-a8d3-4e15-9773-0d1b28f290c8,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\PLF55,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af993869-6b4e-4874-afd4-5936d91aee82,"4/16/2021, 9:06:28.676 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69622ef8-95a1-40c7-a594-9d7fdf302962,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40fbc8d4-1ded-4c35-a637-55ee40468038,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26366f1-8d3c-4adf-a5bc-9d928e7e269b,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc080112-23e9-42b0-a676-416039d67a8c,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a39d2940-f456-4755-9298-62c771a7e21d,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cb96144-ec5e-4417-aecf-6c58a90081e4,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18eb43c6-b987-4199-918a-187bfdefca00,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c569aa34-5217-4dfb-8039-078a68c8647f,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e95852ba-39cc-4257-a7de-4582d08620b6,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53242230-a393-4b2f-832a-b241520346b3,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c34edd01-ea56-4753-8a65-0c26e0980329,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9ab403-aa93-4532-bd0f-8b6160e0dea1,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6b99442-0ad0-4eb2-acc1-e472c215204f,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e2ad28-9c4f-46c7-8ae0-92b5b2a4b96c,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d594a98-06e9-441c-9c1f-0fb273f4cce5,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10cb12b2-ba3b-41bd-8fb2-c81b0d5367a3,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de9c0f0-e56d-47ab-8284-06b76a304a71,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f015b6e6-a049-47a5-94ff-72266b2f5e83,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,643a48bf-e59c-435f-ba8f-bffa5a3846b7,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d2178c-e048-4a46-8e8e-b680f5a11b66,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7e47b61-058c-4ba5-9224-889087aaac8a,"4/16/2021, 9:06:48.121 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2916 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,300700ff-a6e1-4d05-93bb-3e7522500538,"4/16/2021, 9:06:48.121 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8560 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f118eb2-b631-4dd0-b353-4633abf1a16c,"4/16/2021, 9:06:48.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79073eed-a478-43df-a275-7529ec59bcb3,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc5a14a0-f5d6-427d-be9b-44e12212cbbe,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd433a52-1459-4436-87de-93206e632d6f,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc0cd3e-5ff5-450c-8e33-a0107d1add1e,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 
- A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5464a17c-6c8b-4788-a616-af7f81b1db60,"4/16/2021, 9:06:48.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34b9f37-9033-4fcb-ba18-eb26decf9f35,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19d35d92-32f2-4508-8bae-111ea7f1bef8,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55541fb8-582d-4756-8f41-13a304bda2a2,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,962f8297-4fc0-4597-ae09-4fd1abfbe685,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,058f5163-d200-41cc-9ba3-dc9e70c35a76,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac3be0da-b1c1-4f13-afd4-3cca92e6799b,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a16872b2-34db-4ef3-a67e-fe6e9548d1c4,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaf4dd13-1b48-4374-a15b-bfe5a06bc2c0,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19a3346a-79c6-4717-8422-1589209af684,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b7e2393-48d9-4cff-8e31-c3b045b7f995,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48df2a30-0ef0-490e-8cd4-c919eb10de1c,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d019f727-5570-45cf-83c3-995a88bdbf37,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda9f12b-1aa9-492b-85c4-a229b829d269,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,217b3541-755d-4e73-990c-1c67fcdd85ba,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,767784a0-3edc-441f-9fbf-dbd4e3653910,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eafd8e2-76a7-4895-a779-a2c8b949e801,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b6b8a7d-afbc-4de3-9cc9-109238d9406b,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,855fb5cf-169a-481d-bafd-19c98c541213,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a1678d6-92b8-438c-bef2-073ca391351d,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f508cf5b-14fd-4c14-a233-aac43a7232d8,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66f7331-372b-42d3-a90c-f318e9a2a0da,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9057becd-aa7f-4f7c-80b1-cf4e74085d93,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54d720fd-ea6a-49ae-8c66-9eae1e7974fb,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a5ae7e-c265-47e9-adb7-b2d82ca56c73,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d7ff15a-3a69-4809-8c69-a49a367d3b85,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d106571-f471-4acb-87fb-b7812e2b9cfc,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adc8d79d-d0f2-4b30-aa7f-c9629e724435,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60079aab-c516-4291-9a9f-0943b7e34118,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,102d706b-61c1-4399-9322-eaff0f660df5,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0cdcbd9-c97d-4366-b592-94673c26a282,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,661a900a-2618-4762-82bc-e9406e884264,"4/16/2021, 9:01:58.430 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,32e2174d-a006-42a9-826f-1c0901070b25,"4/16/2021, 
9:01:58.430 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1d338a3-badf-452e-84e5-63fe04db374d,"4/16/2021, 9:01:58.430 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9af54199-2662-4476-b6f3-bd2421fa8946,"4/16/2021, 9:01:58.430 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11576 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4d7a9716-72cb-45e6-8c43-1eaf136ec221,"4/16/2021, 9:07:42.866 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5e084668-e1d3-4b76-88f9-b84ff11a858d,"4/16/2021, 9:07:42.866 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,21a2279a-088d-4809-9147-0e85b530b851,"4/16/2021, 9:07:42.866 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11252 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,df077334-adc8-4b35-9baf-659d6eb74cee,"4/16/2021, 9:02:03.701 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,504f1ec3-63da-4392-9ba3-a89cd2eeaf2d,"4/16/2021, 9:02:03.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9316 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a857fd9-cb81-4547-afaf-9d53efef0a9b,"4/16/2021, 9:02:03.601 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 
+",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b1295493-b9eb-4a71-8310-001a771c2d32,"4/16/2021, 9:02:03.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8dc63805-228d-4be8-9304-359e6f2452ea,"4/16/2021, 9:02:03.601 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e1d5ba2-32d1-430c-ae69-b5035b423266,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f930b3f8-201f-47f3-9d8c-bac0e8201319,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a37b91db-8402-4b14-8d4d-7fca757bee1f,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db90cdc4-e0c9-4c8d-8be9-eb6107f71ea9,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcffe67b-d1e1-4dd4-b48b-404047182ef1,"4/16/2021, 9:02:07.695 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1da1b4f-0b63-41b2-9e4b-984ba41f4ea4,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16065b35-78c7-4087-a332-ea6fa830faa2,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df5e353b-b678-4afe-835f-b2ff665f2aa0,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc0d5aad-018a-4c0f-983b-0bb0f259f714,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96a0d8a6-1f9e-4973-811d-95c1b45b79f4,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89bc9861-8a5d-494e-9052-039f51476501,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa14bfa7-2ba4-4885-8f62-547b3568655a,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a33ef981-f31d-423d-a847-266333734a6a,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc99e3cb-a179-4474-8694-eef064068d0a,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,722f06dd-1f8d-4654-b34b-7db8e5b4a8b1,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2a82979-b229-4dd0-bd2c-edcdeb11a30b,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,373cf1bb-f45c-48f8-aeb1-da98c86ce5e0,"4/16/2021, 9:02:07.695 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77bcf586-f084-40ee-bb22-cde28fcb37b5,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9997b313-3ff3-418d-89dc-f3af9c7fdb78,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93e8582f-5a21-45cb-b7d8-9762f8a306e3,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7df56abb-0ced-4ac4-935a-494d7fafbe40,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65b03334-63db-4048-908c-2f3c58717503,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9362702-06b9-4bc6-bac6-b97ab31a5712,"4/16/2021, 9:02:07.695 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a705a87a-7ba3-4c2f-97b7-afe459b102d1,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a2a15dd-fbcc-40cb-8a45-14ef66d7d1ae,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aafacba-d4dc-40f5-ae62-246602749b03,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b56b893-a647-4edf-84ce-42457755489a,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4fc9454-007d-4862-b91a-942564b2fadb,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a5b0ffe-042f-49cf-a6d7-c07602603cb0,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc4982e2-daf3-44c9-b61e-df2ff38d0d50,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2018f4b1-22f8-45a3-8f99-8bd75e7cc133,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9eeb48f0-995b-46b3-a16f-d15194460d15,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d75247cb-dbe3-4712-a9f4-35d89b3377f6,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c121d21-e402-4054-9188-af4f958aedb7,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,504ab00c-603b-4bc2-84df-c1ae87579986,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd5fe9d9-e9bf-43d1-9de3-691ef1557356,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abd38422-7cec-4d20-92a8-8d1e5d8950e7,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc6d1d68-19dc-4e5f-96d2-2f46625d83f7,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c400739-9bae-4aca-b8b1-536209c880ef,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97e661dd-ab5e-49ea-b2b1-cb4961b3957f,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2556e9fe-602d-4c42-8583-8ef09bbfee30,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6227ca6-bea9-41e9-b205-f1d76d795603,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,322dfe92-aeb4-424d-a86b-c4c738b872a0,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1436221-4e6d-4928-8022-88e9e04dd6ae,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12de04e6-0f52-4459-a825-bd983d19b090,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,185745b0-c765-47cc-abad-9e0e647e42b4,"4/16/2021, 9:02:09.867 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5b573928-1442-4090-ba16-34a6ec554867,"4/16/2021, 9:02:09.867 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6724 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7764d5f7-478d-4520-b12f-9cf14320a812,"4/16/2021, 9:02:09.867 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5340 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6b196b54-8c88-4de2-9353-ba5454d11e58,"4/16/2021, 9:02:09.867 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b437fd7e-e60f-4877-b6ae-c54ea50beff3,"4/16/2021, 9:02:09.867 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d305759d-0d13-423c-add5-bee99e172cbc,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a32a86-295e-42bd-85cd-afc5bb16eb61,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f290ce2-a509-4232-afe3-40145206e250,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e607da67-9be5-4e2a-81cd-4e28320e375b,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4880ac9-8c9b-4659-9788-6534fb631acc,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea10abde-de56-4c8d-8add-ea64367dae05,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,636f5665-0022-43d4-bfcc-5fc805e6070c,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4296f53a-3282-4c79-b561-d7a77c10a6d2,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b55b073-b327-47e0-b42f-e92c4e65e96e,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f47e07f7-4f95-405d-ac61-ad1fa9d4dc58,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ceedf04-d89e-4834-b5f3-ae9efb202cd1,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77882849-36d4-4dc1-985f-75d508880e99,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cbf5d54-3c9c-445c-9055-eccdce731020,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,040b3571-c599-46da-8fe5-9bcb011119fd,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,547ab0bb-374c-4813-bca8-64ec1dcb3874,"4/16/2021, 9:02:21.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5436601a-af0c-468b-aaca-e605b1d70b15,"4/16/2021, 9:02:21.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 760 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c5e513-0b12-4d16-8926-5c4db315c9da,"4/16/2021, 9:02:21.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3716 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b78ee6d-7571-420b-8331-21d0b03c938b,"4/16/2021, 9:02:21.116 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efcde993-d5c3-491d-a452-3c3412501a4d,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4c66410-242f-4a4d-8f35-7b615e6a7f50,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748dcf5f-d6c4-4917-9020-41ea7a3d4d63,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da699aa9-4cfb-4a59-8787-4edfa6f87c5a,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0c4366a-2ed0-4043-be43-e507f30017e8,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f99152bc-0078-4bd6-9413-9d00183c781c,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11216 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,071642ff-99a2-4c28-9ae1-bbc9f88013fa,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10876 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,69805080-6773-4cb9-afb2-8b850ec3b19b,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10544 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7420b376-409d-4548-ae3f-654963e440b8,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6100 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac288908-4fe2-4aec-80e9-a95a6353d263,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,db8f38d2-77a6-446d-a063-cf929ac8a7e5,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e72b9c13-c3e9-4ead-8f10-f646c4f02e2b,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e7327ba-65d8-457a-9ae5-98b4efa1a083,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bba55c3c-ef31-416c-8cff-2c5bf6f5f04c,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c5fcec2-761d-44be-8430-cb08ce56177d,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6fb7d4c1-f249-4228-a1f2-cd447f6a631d,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1656dbe3-8932-4164-bc27-d48e32c4f1a1,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a1ba0c70-813d-4d74-bdf0-0d33acb5972c,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee6bb66e-b284-4c6b-a5e2-c16aa5ae00e1,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a18563d3-50c0-4e91-b989-7adb9fb9aca2,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5e1dfa84-72fd-40bf-84c5-dc2ae9f6b5ff,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,349e2027-d1e0-47da-9e4d-14bd74de8a9a,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0aa6878a-9256-472f-9bbc-cd8428a99c9e,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4e65c387-9b04-48bb-94ff-7bfc6297607a,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f00457f5-eb6c-47aa-b9d3-9056b9d01598,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd5aee1b-d98b-4fb9-81b7-1fd7b42e099c,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,82956b85-fb80-4635-9b9b-55d1f90a6b0b,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,736c9bd3-2672-42a2-a3f9-f5b3b613536d,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6472e750-ea6a-48ec-a2ee-4c0cbd4eea6e,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e0e4026-40d5-4e7d-953c-155628e10453,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1aaaa091-47d7-4b69-9c89-ab29131de3dc,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9804a783-5e61-4faf-af54-898b49269d01,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,530b7306-6237-4d1c-a20b-fa3edacde52e,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bcd1e71a-6211-4f10-b460-de4e72999bc4,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5eb614d2-4a34-4d1a-b2cb-4dabf2461b87,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d2e779af-67de-49de-a693-e06a78262075,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,546a1fc5-f21c-42d9-9ee3-4a72c13359bd,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,2d5dc6af-f346-43ba-be03-67c297f6a950,"4/16/2021, 9:02:21.585 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,3098d4b7-84ca-4b05-b80d-129c1aaeeaab,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,c2a615a4-6a41-4656-8421-463c5f9d6181,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ddf4452-f5ec-4d93-b394-a1e2504ff4cc,"4/16/2021, 9:02:21.585 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VictimPC2$ + WORKGROUP + 0x3e4 + 
\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T18:45:50Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> 
<ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,a6561fdc-ac82-4eb5-831d-6a38a98931f8,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,04e52ddb-2545-4238-beb4-6bbe7b00e63d,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b29dfa7c-9f6b-4bac-9e31-b7144f620a23,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e918280c-8090-422b-bfaa-49e1e4819e35,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,03d518f1-cf0e-47dd-aef3-fa123d3c955a,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aacdc136-771d-4b0c-8daf-44cba06bbf24,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cddd7d0f-b572-48ea-8e68-97eb0a7e30a2,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53220167-7932-4b27-a975-2efde42733e1,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0e84819c-865f-4db0-890b-a4b37b907bc5,"4/16/2021, 9:02:23.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77bcc3e2-91f1-4e6a-ac1c-71bc994ca925,"4/16/2021, 9:02:23.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d167d8b2-ad84-47bb-9175-3b40d9e13efd,"4/16/2021, 9:02:23.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4740613a-8408-4015-87f6-b6fbcf995fe2,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8c0c63a-a7cd-48e8-9c39-2b15c201c17d,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fe9609f5-168d-4ae5-a2a9-d94c86833020,"4/16/2021, 9:02:23.056 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,003cd05b-13bc-4934-b338-f8d458dfa7ed,"4/16/2021, 9:02:23.666 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a83baa6d-412e-4c69-99ab-a9b8dd1e05ce,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,007c96df-2d4d-4571-9d0b-9f2cdd86386a,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1a0dadf-2a09-4ada-939c-b30e95bbc7e9,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2a7b0ea-83a6-4e62-8365-56cb51a502c7,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7c89c00-7ba0-41d6-bdf9-a60ec0f42ccb,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75aae9fd-b4cd-4e28-ae6a-48d7f23257dd,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2044ac64-8c00-423c-81f3-ae8c71cd2b1b,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dc01a6a-8a64-4512-8f79-22a87bea8c6a,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ad542a0-02f5-41ec-999b-10131d88c2ce,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4123610c-3f4a-4808-b535-858be8a60868,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e11442ec-e69a-474e-be8b-f2b2eb89b095,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53a7e6b0-354f-44b0-803d-bdcde99e6d97,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67ee0596-90d5-45ad-8d73-71a4fd430a4b,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4057cf24-e158-4f94-94af-a4c3f6f6e629,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd5f1667-c964-4c28-b5ce-99aaa1a7859a,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfb18355-8dc6-4cae-85e8-c962961b82dd,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20dd0927-5763-4ccf-8a91-a1fbf5b9ff07,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf450941-6ab1-4a98-967a-22c3151da163,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64492cec-6753-4caf-b621-3b8471096644,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4047327b-d8a3-477e-a920-c460a521b806,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c01a84e9-88e6-4114-90d0-79874f4772a9,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20ae806-6193-422b-ba9b-c6d3d9afde3e,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef9a718-ca4e-49b5-b1f5-ac3fd5be1846,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71ee2c84-2682-45b8-9f32-931b99b915e8,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69cd0195-9c04-4249-8aaf-1eddb34e6d07,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3014a512-3e84-4d8f-83b5-696cff151d7d,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0755d1b-ca86-4d40-8113-28262468715d,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e82a08b6-15cf-44d7-9e21-6d9283c8ac41,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f37fbebb-b127-4cef-af16-222a8c51fbce,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d2b22ba-f4b3-4b67-b4f4-4fd3a4b29b74,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1c5d8a4-e032-4fb9-8bab-5f8e2e4d14fa,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c88c9d-ef01-4163-acf7-48af710181a0,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6527f4d-a97f-44bc-9fa6-fc1e92dd677f,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a94a9b99-bb2f-4bee-a2bb-512ac64bc82b,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa060145-4758-4a4b-a971-4c876fb6c5b4,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97c569b5-250c-47e1-a751-00ec7066ca87,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eafad48b-682c-4d7b-aba9-72e6d8819423,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6db63b46-7580-4fea-9d03-80c94b98549e,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df9acfe-61e2-4258-9aaa-c60634ea8901,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd493370-ef11-4e55-bee5-1321c5b41513,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40549f80-b516-43cb-884e-49867222b2a3,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d3343f-7ee9-4104-ab3a-fc9a6e5ccee1,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc4e2ffe-94f2-49f0-859d-dddd683150d3,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27edf471-8217-4bfc-b2d4-6763421af95b,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ce9d9a2-770f-4dd0-ab3c-690d1d418f4e,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1e09b12-b113-42bf-8c12-ceffde1febb4,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1695296-e4d8-4995-870c-29d6b2bf0570,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 6700 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f3a9e40f-e31d-495e-bc3c-16ca9df746a9,"4/16/2021, 
9:02:31.267 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5664 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3b933aba-42bd-4273-87c1-9a106f71639f,"4/16/2021, 9:02:31.267 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9418f3c5-6e37-4ece-8c13-82a219cc50aa,"4/16/2021, 9:02:31.267 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ad7c7a1-4e97-4767-9443-9072d1e3339d,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84623b66-f004-421c-aa85-a6e0441118fa,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d7d4609-6305-439c-b29b-b77b4997aeb4,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b4e0d4a-afd6-443e-9c62-e41bbb93ac83,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cc261a6-930c-4949-a86a-f85ca2b298f9,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,381aaa42-90e1-4a16-a5b3-d3f79957d7e2,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b6854b6-8271-422f-a838-06a3740e8ef2,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d31972-2b9e-4817-962d-f62e36f9b1ec,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,457b7bc5-fdac-4fcf-a18d-4775eab94c18,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c281bbf-c530-4992-86ce-6944b0cf2e8d,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bda58336-5aa4-4579-a087-0d1736639e62,"4/16/2021, 9:02:36.724 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe512cc9-62fe-4a74-907b-995fd5800cbd,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4e63f0d-988c-4492-848d-c3b235af04e1,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dfa9ede-4bdf-46b1-b1d1-ea88868751e7,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b966b84d-04b6-4d0d-b88b-abb97faf2a38,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bd3a103-fa04-47cc-a8ca-c9e4fc132fb8,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a187d1a-0fd9-447a-8449-50398dc730f8,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9455bc8f-dca5-4a8c-a157-ec0a6aa5f161,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd075c65-81e0-4a35-95bd-9097fdb8ce11,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,972e52a2-34b6-4728-a2d9-f42b0b70c954,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b956cc3-ff2f-4002-96d4-581236b4cab7,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecd38a51-5139-47fa-85ad-5a0ca80da2be,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,db2dda93-860d-4e47-90f6-5ab0f5370747,"4/16/2021, 9:02:36.120 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87396eb5-0c0f-4a76-8931-19eb4df648c2,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed43d59-f479-4cfc-87d4-faae68ccc90f,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a057d919-c36d-48d0-a6c8-34cf6fee3cf0,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad052bbe-17fb-4c4c-9ae3-fc0fa995f177,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49430642-f50c-4a50-bee3-319a7ff45898,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ce31404-df3c-4e60-89dd-4e77bdfa729f,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12c88982-fde5-47a0-9ab8-a306607a1991,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99df3cff-e11b-4bb4-af8c-c70d7b566118,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9d646d7-a30f-49bd-9e1e-c6b15961fc15,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74d6679f-1c78-474e-b8a9-bf0d2c5ff1c9,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8de85564-101a-459e-8a08-555d479ac0bf,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2f8a2ff-5c2f-4baf-9cf7-b32764f72aa6,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d10d0111-bf15-4fca-8450-529724e2c54d,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19fec11f-2862-42a2-a3da-794d0dca6d10,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28bf3f4d-8287-40fc-97cc-95df7ec95184,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,587cee86-e7f6-4a54-bb54-c411c1381913,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20ba8c2a-1be0-470a-ade3-e0ea69dee6ea,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480423f9-d8b6-4193-9b1c-426afb8141e3,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30329f0d-1b41-4dac-9049-d87770bbf3df,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e47d520-4ed5-4e1a-b72f-f01d1f06e706,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,670b36b0-d68d-431e-9a77-215f5ed8301b,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25e79d02-311c-4b5d-b58e-b4baeb0291c0,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50bf8b62-2fb1-4481-9d7d-f2c407a0b9be,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0daed6d3-68fb-4e79-a358-9a63a3e6554f,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aab20c3-dbad-463b-9803-3f25a267b2f3,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e94becb-718e-4a3d-b98d-5daa2b8aaea0,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a6c43e6c-2174-4ee7-949a-98aca3936b1c,"4/16/2021, 9:02:38.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c2a70e7-1d00-4320-bbc3-1054747f1917,"4/16/2021, 9:02:38.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7d4b2e6-aee9-41d1-b037-d78074a11a08,"4/16/2021, 9:02:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3896 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bae9f2f-3980-43e2-bdfb-8a7de053ce02,"4/16/2021, 9:02:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f645da9-dad0-4354-8c8b-be5e57735146,"4/16/2021, 9:02:38.412 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2488ec21-6564-42ac-bc52-1b1aa33d49b0,"4/16/2021, 9:02:38.412 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3fb85b9d-1a1b-4ac1-8ae3-147015bd162f,"4/16/2021, 9:02:38.412 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e0ab07b2-286f-4277-a0ca-0fa85dad7070,"4/16/2021, 9:02:38.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa47c832-b0a2-41d6-a233-d52eb8debde3,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fdf144e-d8e0-4ae4-89e9-873109627419,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83fd5d27-1c62-41aa-a813-b7fdc705cea5,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93f363ca-beee-457a-9082-d2575022cc50,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27603166-1685-40cf-8f55-d414ce85c104,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80f05403-0a92-4171-9642-768e3b06571c,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae4e1b53-2fd0-45cb-b528-d7437944aa11,"4/16/2021, 
9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b60c8c43-094c-46a9-bbaf-1955055e7c8e,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b98655c7-b74c-4519-9fff-d2f01e48b839,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92b5b106-ff33-4d66-9a75-8ba2e7d26f16,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\SERVER2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94e7b2b2-e468-451d-bbb3-262285603727,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d3b0a31-bf36-4944-be5e-e70c7e20ca6d,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,586d1c68-451b-4aab-85e5-ef7e3ab385fc,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4867c6ae-1593-4aed-9db5-a4dbb2d58f72,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0bc31d1-6c69-4203-a2d3-a6c2aaf85790,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6721d370-efd9-4933-8fff-9ef58fcec4b0,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,662882a8-5246-48c9-8dd8-236ec62778c8,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f232c8-ca94-4ffd-a1ab-62aa8fb5d790,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,291ef065-ab21-48c8-94d8-3d6ec2ceb865,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97178dd-5ee7-4417-8de2-1ae4bc618a90,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0afc5195-92d4-4e50-9e89-db07133bd459,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62b42e7e-0005-46af-88a7-0f69dd62c714,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d7252f7-fba5-49e2-a792-6a9b9e304cc1,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5f54a8b5-ce6f-4609-badc-281974ab0668,"4/16/2021, 9:02:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bd5ad075-751b-4962-8337-49abef9b13de,"4/16/2021, 9:02:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d69b3c6e-f018-4c3f-a300-0428cadc31ff,"4/16/2021, 9:02:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7060 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f868adcc-1390-4c25-8da5-c7f217027cf0,"4/16/2021, 9:02:52.733 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1375db33-ad8e-45b7-b7cb-95060540be07,"4/16/2021, 9:02:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d6e4a80c-519c-4209-9fda-4e9cecd4e6ae,"4/16/2021, 9:02:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10368 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7454dfdc-f53e-4da5-8f04-42936aa9c812,"4/16/2021, 9:02:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,65eb6c93-1e9b-4c99-bdf1-b8a7dd8d72bb,"4/16/2021, 9:02:56.990 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,169167d8-536e-4d29-875b-86e01d4551b8,"4/16/2021, 9:03:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1c0f341a-2a52-482c-b1de-919947be2867,"4/16/2021, 9:03:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1400 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6509439a-3043-44ec-8246-8fe06e2438be,"4/16/2021, 9:03:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4944 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f410505b-6c46-45c6-bbaa-8d8fa7aa4b6d,"4/16/2021, 9:03:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1f86248e-189c-49f5-810c-66c52e269f74,"4/16/2021, 9:03:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6676 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c35c7721-4dab-4dc5-aa9b-80054c80511b,"4/16/2021, 9:03:09.870 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,61602e82-09b6-4a6a-8b92-c8234c5df28a,"4/16/2021, 9:03:09.870 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6e3aeeb2-390a-432b-9499-273b3c290311,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, +\SERVER2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2d0f3c8e-a091-4a68-8306-ed47df686cdc,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, 
+\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b29de4e5-6208-43f2-b878-02be262d2ba7,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed19416d-1bfc-48f0-9cac-defec1446ccb,"4/16/2021, 9:03:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7493b7ce-896a-48a7-83a6-aaeeb93115a7,"4/16/2021, 9:03:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4420 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,32ad433e-5dd9-4685-bb27-ac17130de21c,"4/16/2021, 9:03:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2356 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,96c6ac97-de6e-4eda-94d5-974664541cfb,"4/16/2021, 9:03:19.412 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9181bdbe-ccb0-4259-894c-82573a8db97f,"4/16/2021, 9:03:19.412 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,048a1552-dbc9-4652-8070-476f6c132505,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,415adf79-22af-4509-af61-1245bb408a38,"4/16/2021, 9:03:35.584 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10884 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,714d36f4-fa78-40d5-9ad3-fe7f0995b5c2,"4/16/2021, 9:03:35.584 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9712 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3d6115ff-58ed-46e4-b017-ed80923b093f,"4/16/2021, 9:03:35.584 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6572 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,837ab5c0-5e8d-4122-a6f4-e545289efb52,"4/16/2021, 9:03:35.584 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4d9fdb38-0d94-4591-bcd0-68c382063cc4,"4/16/2021, 9:03:35.584 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c516491c-31b8-4664-b68f-544d7b39a5bc,"4/16/2021, 9:03:35.584 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ab4cd6eb-402b-4de3-8773-1b844c49c25d,"4/16/2021, 9:03:38.907 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9152 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d60c83ff-ecba-4237-a55f-85e71e536602,"4/16/2021, 9:03:38.907 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f48274ac-cf45-491b-bd79-f9053632bb8c,"4/16/2021, 9:03:38.907 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,8ceda610-990a-4229-8dbc-8d10e5168b41,"4/16/2021, 9:03:38.907 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6756 + 75 + %PROGRAMFILES%\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OFFICEC2RCLIENT.EXE + 32 + D2B9200C624C7F5EFBE189BABB1BEE81DE8E700BEE9CA208C826DCA739EF0135 + 108 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE\OFFICEC2RCLIENT.EXE\16.0.13901.20328 + 0x3e7 + 77 + C:\Program Files\Common 
Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4af3db8d-742b-4bb4-873f-2abef5e9e5e9,"4/16/2021, 9:03:38.907 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ea4ce78-a74f-4b24-b4f8-ae493bc59e50,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dea82448-7c52-42d8-ac5b-4a1e51316900,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c0de2c0-7ab8-4ca1-8755-f644d1c46e4e,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b875cba-631d-4f62-a344-45238e92895e,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c81e85-4fda-4996-99fb-e3c55237bc52,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,475c0094-38d3-42db-a7cc-016e55b48bb9,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11da30d2-0514-4238-af6d-3e8b78207858,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e71040e3-3b41-4b3d-8554-8a4d2b6cc95c,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,849fd650-b338-4b18-bfb0-b1b0bb278100,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0cb0e6a-4aab-499d-acfa-74b83782fa6b,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97634520-c5a4-4226-be4e-9b88f86e5e97,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a80aea24-0f9e-42d6-bcfc-26b9bc2654fc,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce73b786-07a9-47b2-9c61-88767de7e105,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3270568c-cf5d-45ff-b63d-11a6d925bfa8,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2a99e31-6bb4-44bf-a325-a400d54bc683,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ae5050-c365-485c-ab4d-3d57bbd869c0,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,892948d0-9a8e-40d9-af2f-3339f7dc382e,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5c68dd5-8a3c-422f-9b45-186b68949c7c,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ed679f6-f817-4dd0-846c-4e77531d2752,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,545fec79-d1a8-4d54-8131-7d3ddcdc7721,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,350c3000-69da-4629-8cb8-82fa609c02b8,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa16f2a-82cf-4965-8297-f08da15e6098,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,101cf3ff-9f59-4ec8-aa03-8b16ca124614,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2c9ccf1-2553-4b00-a0ad-0995b97a814c,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca4f6884-8639-4fa4-a5bf-21b52d8e8027,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,585cc439-5dbc-4bb3-9af5-17b96e5a2cde,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13500 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a613e453-5367-4382-85a8-cc839dafd0ac,"4/16/2021, 9:03:55.995 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6ef50266-69f0-4758-b665-6375efc0fb06,"4/16/2021, 9:03:55.995 
AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c747a280-870c-4c6a-9b9a-080e5b69b5fb,"4/16/2021, 9:04:00.406 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a9d14da7-06b0-48ca-83ce-b7a9899347db,"4/16/2021, 9:04:00.406 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,528887c4-0a7d-410a-8e93-24d09d14b7e1,"4/16/2021, 9:04:00.406 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4952 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fe885358-7518-4bf2-94d8-c4ed9dffe468,"4/16/2021, 9:04:00.406 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07da1f14-1262-4371-a7aa-48f67134f715,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,596e9da4-35ba-4400-892a-93eeef3ce4b6,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d40b5073-5f82-4218-be6d-b22a5980bf7c,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08dff4a3-9265-49e1-868d-2cf85e7ea711,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ea412ae-0f01-44c2-b90a-ad61b4192010,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe552d6c-7f88-4122-b821-2fc6d2a1f6fa,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0d59ac-4212-4075-92d9-8574c23e1c97,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1416478a-13e0-444d-8a90-e444672822bf,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7569f715-245a-4248-b053-2cdaae062074,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6022aec5-a5fc-4f16-aded-b617790e8205,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd487194-5d81-47cb-85a4-5b597678d239,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a5c7d50-e047-4312-b55a-02cf8ef07782,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9058c800-7f5d-4186-b71b-4699aa4a0e0e,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,244e9c17-61e6-45ad-acc9-ea8ff8faa0ea,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40065234-6fb7-4d4a-8e3f-a0f4746c71e5,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a57d75b9-01a7-44a8-8d78-6e7f9fee0d05,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5e2fbfb-8d5c-42e7-9549-5ba0cdb66545,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97be2b50-c219-41f5-b3f9-a0a00049e8c7,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f77bba44-2151-4bee-b6f6-330191c2fd0d,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcfc36b-8293-4215-b754-bd88cae66c0e,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25043ebc-c07a-4856-85cc-be15ad2d08ba,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88ae1df4-5951-453b-809a-2b6221ea14e7,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1369b131-a15a-421b-aa53-8b9aa080931f,"4/16/2021, 9:04:03.199 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d72ca02-aa6d-452a-96aa-d4e328eede5b,"4/16/2021, 9:04:03.199 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c9242b6-bc7c-49bc-a671-448f102ec1f4,"4/16/2021, 9:04:09.891 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,496e46db-e2d0-4ca0-849a-6fffad595e1c,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1972 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d6553aae-af6e-4dac-815f-c7f45ebff031,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7040 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,363e8e1d-ea5c-4149-a8e9-97d24196714d,"4/16/2021, 9:04:09.891 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f10e3e66-5957-4f8c-bf17-7b258dce95da,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6956 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 
52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\Windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e28633d3-d37a-4cee-9a06-f671cfdbacc9,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7124 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b3f42d5e-f9be-4dec-ac05-e5ce0dd0d814,"4/16/2021, 9:04:09.891 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7450060f-9ab1-430a-9b49-67dce28453da,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e186bc0f-14bb-4ab4-bfd8-322e0072d077,"4/16/2021, 9:04:09.891 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3214239-2979-4db2-b808-4700fbfe42b4,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaabd723-81cd-41e6-84da-51c4fdbdc14f,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34a6dbc9-d283-4571-addc-f5e187208ea8,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb23e8b3-a98b-4cf6-9058-99f9b76b2c88,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,485dc036-9e04-40f9-b84d-d675d616083c,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd9faefa-1c16-441f-a82c-0879945a431f,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ae2588f-7f69-40a5-a2eb-a65c8d759369,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95b53ccd-de75-4054-a31e-a9ffe4d2bf02,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc623a93-b16a-4120-a94f-1f2d01936f84,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b222b12-2342-4c72-9169-25d7a27fb81d,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bd26f7e-4990-4f65-a130-279fb047130b,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32557f6-8390-4fd2-a101-8cd2aa12045e,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03b1dd5-7769-4e22-9fa3-830c3a5fbaea,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be5d4b8c-01f6-4ed4-b6ba-ee7bcef21f69,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91352aca-1725-49a0-ad27-d6f52942766f,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f225368d-9fe8-463c-bbca-b3e134bd65d5,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b62022de-3770-4608-8e30-0f0f04b1cb43,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69d586c9-e993-4625-ba8a-b4a1243c3d12,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ae84564-34b8-455b-9fa9-6080cc7ff72e,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24959a01-73cf-4d22-90a0-15496913b266,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3d68a23-9354-49bb-bccd-20969a7874ec,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,652b85d3-1c9e-4e9d-910e-0c50edf2e07a,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10812 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7a1219e4-7913-4051-95c8-755d6a325302,"4/16/2021, 9:04:37.587 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f23f852-c893-4c96-a57b-543899ed4b52,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c0e84fd-be52-4d44-a9bd-097aeab7000d,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a0ff7b4a-7f0d-44a5-87fb-60334893235d,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8656 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,39f06b84-c7fe-446e-af94-8b999ac735f7,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 
0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,078ec9d1-ac0e-4b8e-a5b8-cff7d6b7dec9,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,f6638b82-98a5-4542-8bec-6bc0977f793f,f9122a4b-970f-49aa-a599-a65069bd1e7d,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,f6638b82-98a5-4542-8bec-6bc0977f793f,f2a52a4f-b6d4-4e7c-8981-71fbcd85039f,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,cf7710fe-a1f0-4d65-9286-4685d09afc7e,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Andrew + VictimPc + S-1-5-21-1778951011-109519560-3417497144-1030 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4798,4798 - A user's local group membership was 
enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,79e509f3-3d63-4127-a2c3-97f01152a077,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Andrew + VictimPc + S-1-5-21-1778951011-109519560-3417497144-1030 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,15abe9d0-0850-4b77-9bdd-e2f5f6555668,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e02c612-d275-4a10-8f7d-d30863283a4b,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-503 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,71e94e48-35a0-4ee8-bb1f-036a887e7d7a,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPc + S-1-5-21-1778951011-109519560-3417497144-501 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,0b30039e-00a1-44bc-bf7e-bbc4709c0d3c,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-504 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,c517a2ee-d195-48b8-8b38-666a97a868f3,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,94b36a00-4396-4189-a515-d8b26d4726fc,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,ad3755ee-a983-4555-a9c7-195b694aa73d,"4/16/2021, 9:04:37.587 AM",,,,,,0x0, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9374d32f-04f4-41f9-8a3d-1ccdd8bf5eea,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b251c2db-a4db-4dda-8f2c-24675778676c,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2024 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1384e20c-2cf7-4378-99df-46cb70e3b120,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c20cd603-f5b8-4fae-81e7-3b7219d6c6ee,"4/16/2021, 9:04:37.587 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1c15232-c41b-4616-8859-025521c034d8,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,272996d3-6578-4630-b6ac-8ffe8b7cb27d,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\AAJZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8a91dff-c8b7-452c-b39a-8bc397132ca7,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4192f431-e1de-4e00-b503-24b642668f2b,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7bac71f-84c9-47eb-bd1a-cfe519ca16f8,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af2fb2dd-5bc8-416f-905c-493807d31975,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c76f2d4d-6202-49a8-bcb0-a0d41688c1ec,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,310e6247-8fe3-4f60-9b41-175b4fa63c61,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37be0fa5-d4aa-4861-a5c9-5eb0d95d3cb4,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6f16494-6c91-4b90-bb3f-9f469512c70c,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f79129e2-c53a-42c2-971f-c805f5ef6482,"4/16/2021, 
9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed538038-cb8d-4f80-9178-770e597f8259,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35896d78-5d05-4aaf-bb53-a6600249c266,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,caa2aff9-8cc6-4a65-804d-825b905a0ea3,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca2ad4f9-00ef-4a2f-bac1-a2d9a46cf012,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfb61615-5715-4c15-b989-a58ebfc13292,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f536ab88-5d77-46a6-9797-c5bc15c6121d,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f1eed40-dafb-4fc0-a12d-38564dc4a38c,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c467cd67-6948-4dd4-87df-492e08ffad52,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50fe2f21-fe22-442c-8ff1-2e0b70a13afb,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f9b82f-63ef-4098-8303-5f16f9e8b944,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,874a8bca-0f91-4af9-a7b7-f8fc96770081,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46c38948-7c24-41fc-88b1-95c09fc6a7a3,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3ea6020-c9a9-4c4c-acbf-000509bdf7bd,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a695acb6-4131-4d2e-891e-68e58f969968,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,616812a0-5681-4e92-bb1c-5f8522417685,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88515377-00ac-4f64-a371-8943be19d5b9,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35d55c59-b3c7-473c-b179-29f0284f6ed7,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,470abd5d-afcc-49ba-9067-65640cfd6e74,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db47c995-feef-4233-b64a-aa0d62cd0365,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f641bb92-2cac-4842-83fb-68fb594a6acf,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b9dc8f0-b5a0-4f56-86e1-0c5dcdb0f02b,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,869f3005-3c49-4240-9894-b3ef8167bdc8,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1bd6a5e-5f5d-442d-923a-7957b9900f36,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a533a03-f7d7-484e-8b2c-cddfeaf37e70,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a09c91-3030-4b7c-b0c4-5e05c6a20e4a,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d19e5b3-e261-48e6-899b-7530a93a296e,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95661a7a-8a58-421c-af64-90a706e8cade,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b6b9116-b1c7-4473-a5c3-99d2ed87bf8e,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eccc3cef-c380-4da9-92b6-d95fd89c0683,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67269bd3-b701-44b3-894e-deef65c48c24,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12aa564-5be4-4300-9dcc-1eddb1fe2133,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ed3ac80-7e87-4035-87b3-73a776f075e1,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc22ee3f-7841-4e4d-8bce-16c4d9441318,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9210d27d-5994-44d6-bd34-1e77b6abff44,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77edd543-ea12-466c-98d3-246b3775b03c,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9fd49da-aed9-442f-90fd-d021ea5b9d2e,"4/16/2021, 9:05:09.863 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1d44f71a-0767-4e86-8b72-fbe408b03923,"4/16/2021, 9:05:09.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4476 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7fea2489-3462-46d1-a9e0-c3a94bb7349e,"4/16/2021, 9:05:09.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1204 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9a0e82f3-674f-4d7f-ab97-316d6e2e800e,"4/16/2021, 9:05:09.863 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,90ef1449-98f0-44a1-803e-0fbd35d154b3,"4/16/2021, 9:05:09.863 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8f362a6f-afc3-4a39-a7df-1846b73b773a,"4/16/2021, 9:05:08.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2652 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,948242df-b2b3-46cb-9c14-7eb8174ef25f,"4/16/2021, 9:05:08.599 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0c5a1934-7b49-4632-b0ae-1e559fa374cc,"4/16/2021, 9:05:08.599 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 3104 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 356D1FC495BBA123EE99EEB2389FB641779AC8E789C2883AC16F26376B3D8081 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.18362.1379 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,faf86184-1aa7-456e-9015-c4fd2891fe17,"4/16/2021, 9:05:08.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,027cc4af-eb67-4ec5-a8e5-eec40e6c6787,"4/16/2021, 9:05:08.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae593b8e-9213-434f-8a50-98b556eec1de,"4/16/2021, 9:05:08.599 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,218e6ac3-683f-46c9-962e-67f87aae1c0b,"4/16/2021, 9:05:08.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,22b9eb7a-95db-4938-af72-d5cd5717ab59,"4/16/2021, 9:05:08.599 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8740d4a2-2353-47f8-9336-a7267e8a0d69,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,719ecd4e-c310-4176-a98b-b705bfadb9a8,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5bc85ba-0d81-404b-b779-4aeed267b877,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8ff33545-8a52-4792-9d2d-4e64c6ee7584,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf2ac947-e488-40ae-8488-a26b16a6078d,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,18ec5fff-1119-4493-bd35-c53117f0af56,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53d3ea39-e1e0-4aa2-a74e-557db10d7c7a,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,02bbf720-3c41-4705-b86d-42f173be11db,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6dc48cf-063b-4eae-b930-060698457419,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3bc29307-a5e8-4172-9b48-f9c469c79c95,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ec5b73d1-08f5-42e2-af63-cc1b61790832,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,74adab4c-fd73-465e-a1ce-c1407f051d87,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cd60d75c-4c08-451b-855f-0218df501d34,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ac1250c-13a1-4f33-9d84-fcf4793bc830,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,352e43c4-2787-425c-96b4-4546f02d79d7,"4/16/2021, 9:05:09.439 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,08f70c94-abc9-4aea-b3c6-0e897a076dd2,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e0a39cd5-7e2b-427b-bf63-a78c7dddf337,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8fb0c72-e788-4e54-9d06-7f77833c043b,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42ab96c8-83b6-4350-95dd-d7518c737023,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,30f308bd-268e-4a83-877e-9610040ce0ce,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,25522988-b1fe-4bec-9cc3-377fcba3fad7,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,62b6c304-f426-43e7-b892-61d54d15958d,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b377e559-2737-4083-b341-ce288ff95804,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,521c2e5b-fa53-47c8-b139-00bd0f57d1fd,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,90cc4c7f-7bc1-4aed-8ac2-b5be8e0b99c4,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d046960-c5dc-495d-b0b0-95a49a3eaaf1,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ecdd054-084d-4a56-baa2-231f36c207c2,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 692 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a2d0d54-64a8-44bd-a7f4-f5cbcf3ed631,"4/16/2021, 9:05:09.439 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4888 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4a361f56-c47e-4ba0-9aa4-1528c926be29,"4/16/2021, 9:05:09.439 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8863fafa-fd12-49cd-87bd-670eb81e7258,"4/16/2021, 9:05:09.439 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b9f6baa9-db5b-4d55-98ff-074f4de0d0e0,"4/16/2021, 9:05:09.439 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5d0c1a8a-a38b-4029-b00d-c79c3a52a636,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59c8b075-b5da-486a-aa4d-9503e15df610,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d1a0932-e271-4f42-9fd8-91acd2000f6e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a7e4141-30b9-4ee3-a71f-3687f094786d,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf0f6b5-df8c-40be-a473-2d9ec88e7359,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c9a72f6-ab94-4bd5-b2fc-04b209ea12c3,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53052d75-6055-41d3-89fd-86759d2d8ed2,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78d2463-d2e3-4a72-b03e-a919cfc09c2e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f0a8da9-bc2b-48e0-a2b2-ef6701de644e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c41bc2c-f078-4b7d-810f-621d57cbebc8,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c890afb3-23b8-4d61-9d7d-1fa85b30835f,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2638125-566d-49ab-9788-cc1c0a72f30a,"4/16/2021, 9:05:14.669 
AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e06679-fdbe-49d6-8fb5-3d7fd3e31d32,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97cf2b9f-59d3-404c-941a-add88f99c8e4,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,704a9e0e-e6b4-4056-9e2d-7e250a0925d7,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e2a87ce-088f-442c-9d35-b4308dda2379,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce54b763-55f5-4d31-bb34-7e39c50127c7,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a62dfdfb-f07b-4e4f-ba7e-c916eb772d5c,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,063f662f-0262-45db-b2b8-4e1f45125c67,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef1070de-1b7f-47df-92d2-c43276baa185,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9a48eb1-3805-453b-bc3b-98eed1e80107,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3527ff5a-ba02-4434-aba6-f9801c3976bf,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1ffd337-4878-453d-b875-97fec03dc122,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b694c6e-7d11-4a29-b63e-97dc5979925e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6822349f-1751-4ba6-800b-f82bf77017f5,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44758b25-6b3e-4412-8939-d2eb26f773a7,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b100c40d-7edc-49c7-948f-abeb648273cc,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e96f585-896f-424f-8720-4dd397163f84,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9913e5-ece9-4a79-b52c-38b35c6f5bd2,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfc607c3-9986-4c1a-a792-6d89198925f6,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d968e2-492d-4f23-8389-43b3b708b2c8,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65dc93dc-6adb-471f-b308-8541d80e82ba,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,406c1944-acc1-4345-9341-1318f655c25b,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1d53ad-5eb3-4969-be65-0b7824de6a4b,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6439447-3fe8-4717-9bcf-5d810281a722,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fcefdea-71e1-48ff-9dd4-16f7bedc0a84,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,131a0650-2e75-4cbf-ad92-68440d529633,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f24723e-9725-47d9-a8ad-d7927b194f6d,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbdfbc13-b8ba-439a-b9ab-8426425838bb,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc9226e4-9aba-4ff8-b58a-4fc5f2d593b6,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,783bd0d4-a89e-4a3d-af0e-805438945870,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efffbe6-742d-45a3-89a6-7df73d4b36e6,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fa69bbd-27fd-4035-b678-e6c66a3ea83f,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ab62b79-ecb0-4681-a945-f178c48e966b,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e0a5936-712b-4d0b-afda-120b31f52543,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8d2f3db-838a-4632-9f3f-5f1c712bf68f,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c158e44a-d5a4-42a5-92c9-96030dd0207c,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f230e7ae-d512-4b3a-bfe5-7b1dffb21268,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f632a08-cc91-4e5d-be01-441b3c43a8d2,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d81d772b-05dc-4acc-94fa-3b9f73c3b9cd,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,120ac0f7-1b0f-4d01-a957-e588c51d5e9d,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a32ed03-9946-4b34-97b2-50c3afb57b79,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,364d175a-5e12-4faf-aa92-66173fd5f76b,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64cd441e-2dfa-4fe8-a2a0-011e9c1661bd,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bc4bc7c-8352-48fd-bb07-0c2df511e842,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f725f82-5f5f-4bed-998a-641d54c35d53,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\COMPUTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaa9d752-a7a9-4477-8994-266c170e1b84,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3893fe66-ec21-45d2-8b75-9384c1610f44,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c0c8cf9-b918-4132-80f3-08b85ef0a16c,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b61ba2d-46d9-498c-86b7-ae4881440617,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99f00852-6e9c-4eb5-b6f6-dee55608f96e,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8d86b77-2eb1-40dd-9d65-7394ed083eb5,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d28be3f-243b-4fa3-a6e7-263e5105c184,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17036e79-5e86-407a-83d6-61d38902fbbc,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5367fa37-a9ac-4fe4-a2b0-14b0b11b3c23,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99c7d890-35cc-43f9-97dc-b7326d2adfb5,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6efa37fb-6875-4fb8-b7fb-0ac618783b0a,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d39f783-7c75-48bd-9313-aab0911afbf0,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fcd4620-051f-4157-8f82-b656ed5a840f,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c45f192-a5a0-4615-a2cb-2e098cce15fc,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb888c03-4b2e-4084-8294-8c61b0ae2c2d,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a15b088-b5bf-4f64-8cb0-a68db84d1ccb,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaf717f1-c80b-4886-b9e2-47df755879bb,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VICTIMPC$ + CONTOSO + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-16T11:26:11Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> 
<RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 13510798882126509 + 3104 + 780 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab56e6ca-7f52-45be-b448-9880b985af26,"4/16/2021, 9:05:43.717 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9332 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,409e819d-083d-4ffa-90b3-5560b2c2f13f,"4/16/2021, 9:05:43.717 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bcaacabc-4da1-4d38-8e3f-1f5480766403,"4/16/2021, 9:05:43.717 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,40c65b0c-7cd9-4763-b036-c868b40f811a,"4/16/2021, 9:05:43.717 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,69368503-4d6e-4e1a-8bfb-ecbdf812cb5f,"4/16/2021, 9:05:43.717 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,12b32d29-fbae-44ab-b76b-9f88ecf3b675,"4/16/2021, 9:05:43.717 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5912 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,89ebb46e-1535-491f-a286-7f9396b559b6,"4/16/2021, 9:05:43.717 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37156cc2-4c1f-4db7-ad8e-5b35eb938aff,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1fd9549-de05-4ccc-a811-e14cc6258cf5,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,882395d3-ea2b-4d4f-8a81-9e2f96e04f81,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d10c598-dbc2-4f65-bc20-7890aab37e03,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f71ed1dc-80bf-41e8-a87c-f70c81440355,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b414c75d-f571-44d4-a4b5-e8eb5212e126,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be95de55-75a0-4840-8d2b-b6cc79af1de2,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2922461e-e77a-4e7c-a6ee-c93669cfb42b,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efc3bef-4612-47dc-8d46-6ff1af8b8dda,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,469334b6-9134-4bbc-a156-a62ab92942c6,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d048ba89-a9f6-4663-8b4a-945864ba39e0,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfaa1c25-74ae-4d8f-949d-446690a961c0,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1438ec2-c4ab-4927-ba34-a517c8ba8c96,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c0effcb-9953-444f-85ea-c1d646aa3b94,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,638d34dc-4144-4d55-a0a4-66f70002f64b,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1d5da07-782a-4f10-9df2-a70cab7608ac,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae0358ee-8e79-4f86-87bb-97ceba6b3461,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1254ff04-c31c-4064-909c-003fa34270d5,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c59add21-956c-453f-93c5-e9ae61950974,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,098a55db-4b51-4a8f-a566-89e834d1c46f,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16847c86-0142-4779-a504-68eb3f0f3869,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fba626a-349f-4072-8e60-ae122c5508e8,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5523ae3e-0c52-4d90-97fd-5e2465f1a4a8,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4783f1-50ee-485f-b936-fe2eaa710605,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5837c644-6ec5-43d6-a0d0-dca98d7c6b6d,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51b3c8f5-9db5-4748-8019-ccee24548476,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed469bc2-bfe6-4cf7-9d84-0cdc828ce53b,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,305aa7f7-2008-4a77-9264-2f3c41a33f6d,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d1d406-aedd-4498-aab8-714060931e50,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7878e72-7abb-491a-b714-53080b75806b,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18ee6f86-a6f6-421b-84fe-3e91896f904f,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc1ed0d0-9f3f-4284-b551-0d7d69950b5f,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09bbe5d8-8660-42a9-be9b-d84c0b6396b1,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,935cfe96-7ef7-4f9a-a16a-88b871c7a783,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\COUNTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79821484-327e-459a-b167-d34ee04838dd,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6904bf-2453-451b-8b36-02f909984109,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f76ab4-6711-4ea1-a2a8-5b1525902021,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16580a6f-1f9c-4cd4-88bc-a94b96fe077c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d37c8e30-cbf6-44f3-add9-a8d36be2d56c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,918aea0c-8aef-4993-bd5f-be3b3e7f766c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc75d970-0645-4433-b12a-03daec755150,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac35c2aa-855b-4430-a500-688a1edc5630,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fc8f012-ab8c-4bc0-8fd7-e70e5d91a051,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83f11ad6-4f31-471f-904f-012c06a2c1b9,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96467975-4f06-4948-9b5e-72ff4e7ab347,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d362853c-f5b6-40d7-9405-f6a1e4d3c70b,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97631078-ae72-479b-b07f-b57dd92c658c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb3d425d-43b0-4b44-a56c-7bb92ddfd531,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,375047e9-fd4f-4f77-84e8-a31ea9fc3f38,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c245de-127c-4077-b2e8-42398e35d1e1,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1f289b-3af1-4779-b480-9fe7dc5e53d5,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df9cfc8b-7fb3-4a4b-a2f4-910482760df1,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dd9f459-0b79-42f2-a015-6d74e0612a79,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1777bf01-4bae-47f4-b290-f5f2880da2a5,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,148d09f1-d0ad-4b48-a86c-35bcbbc54cd9,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,464bb987-c590-40a5-aae0-2ffaf6cad202,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93fb38c7-7930-494e-9cce-fbb6afe553bd,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f818710e-659d-405a-9f0b-ed054b5fc833,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bdd4a0c-ad0e-4911-8bad-f2a3626ead61,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50f28ffc-9296-434c-b260-daebaa579d1b,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95eefe32-9648-47a3-a147-16f30c32db17,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e46bc791-762a-4f9f-917f-c0a9bbacd6fc,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d754c68-5e29-4002-b27f-e8e160543d6d,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a8e6a8-b084-4839-bbb8-1a2317bb8134,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e00e043e-7b3b-42cd-94b5-a7bba5dd87a0,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abb6e9d2-fc60-4772-8f66-a096785a92d0,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ed2422-f693-48de-a42f-72930cb3f69e,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71b81e24-5869-4343-818b-a5e8892a76b8,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,413e81f2-e957-4ab0-af86-906d70147cc4,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e444f7b-f58b-45fe-8135-316767d24fd7,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8fa78d6-72d0-4984-9a63-7b44ed51e7bf,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17c1613c-f62c-434a-93ab-55ae5e7b1052,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6e4e8b9-3b49-4d8d-a1a5-8902fec2d70c,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fa992b5-5bb9-44bc-96c4-773c07a8c8b5,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3fb230e-0a97-405f-9782-93ae9995bb6d,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e15095d0-1c22-4b50-972a-2e949544263d,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9b22845-2403-43e7-90a4-af2627d26d29,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12cdbd15-e611-4b0d-81d6-a63edae85fb3,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66b40917-e193-4c12-a46c-e1269c4a29da,"4/16/2021, 8:34:10.578 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e228ad2-0da0-4b17-82df-a9964bf2dbb6,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45cf6920-eaac-4add-9b65-517dd002e5df,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bcf66ea-4124-427d-9c1e-3e180e27b293,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90be63c2-381a-417e-b6d5-8ed3a8626c3c,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e78450c9-1c8a-481b-9a70-32fee1fc74e7,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0283b76-51fb-40ee-a716-5a1e88dabd1e,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,090fff46-5b7e-40cb-bf62-639ecce7cf75,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c43ea75c-8120-4a7d-8733-1aba107660bf,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fd841e7-8420-4d26-99f3-f64a13f57d44,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7940b55-bbc8-44a3-8711-e14e888988fd,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38a6d6e8-8db5-485e-a774-aa08c13d092d,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d76fd6c-8db0-466b-a2ff-7bd752292296,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5471cc8-fc20-4e5b-b393-b3496f7aec75,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,814739ac-8519-446d-b90c-17fd61dd6f10,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,395944e4-5796-4721-abfc-af181e7fe754,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b8bbda9-fc8f-416a-a237-6f3b4f49793f,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a08f8f2-d823-4716-b580-72220e8c47d8,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d37e9c0e-bc22-4ae7-b8a4-c6f71645c806,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,574df63e-3760-44ad-96be-8d48ade3a92b,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dfcf428-ab93-4ca7-be94-965a1cc96b16,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b32fa1-5f1c-4a93-bc3d-33e21b8e4d66,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbb84864-5091-43ab-8a53-2c00797875b8,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75031a89-1b33-4fda-843a-17305ee5ef98,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adb0ee1c-0142-42cd-8515-e2a30ccb0012,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,841a2922-38f8-4935-b48e-4bd0e8669a42,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cd0590e-1e72-4a81-ade2-24e6ee691440,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2008f7fe-ba30-4680-9ca7-178ebf5c0868,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64f983a8-e3f8-416e-b4e0-eaed3bbbfe38,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fd85f02-fb6d-49cf-ba03-e0417fa5e713,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9c81a8b-b0c3-4e99-9953-de54fd3ca3fb,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,019940dd-bc22-4ec4-b9f0-eb6ad7bee095,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86fb3544-c946-42f3-b9e2-b0ab15901405,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11573e19-77bc-4347-b9bd-7334d5515b4e,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca5bcbfa-038c-4ebc-9464-0b71c72955da,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 944 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ebb76c4-3ae5-4535-9c22-eed02898e96d,"4/16/2021, 8:34:19.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6792 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,521c48b4-e5a5-4dca-bc6b-3995539ffc21,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a192b14-d203-4c5a-9661-e98af3b44001,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7e19917-f1c2-4099-b13f-b05654a38ad1,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1af454f-e7ec-4677-a07e-6578c331cfc7,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7540239c-f06a-449d-ac5d-23a0fb273f30,"4/16/2021, 8:34:19.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9de859e1-a893-4759-846c-d9deed4f0b31,"4/16/2021, 8:34:19.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,89fb6ee6-cd46-448b-839e-cd79e758e941,"4/16/2021, 8:34:19.414 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a1be48d-1dbf-445e-8b10-bbc8df016d44,"4/16/2021, 8:34:19.414 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,808c3f0d-9a50-4e56-b0f8-0255a43919f6,"4/16/2021, 8:34:19.414 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27a4f0e7-a8ea-4efc-a3b4-40d6136b2f3a,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d624a5d3-e974-465f-a4ce-2d623b460b87,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e06984-f124-4453-9d0d-5b3a267791e8,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19cc0a99-572d-431b-9435-c44710810180,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f85341b-0abf-49bd-afb5-059b83375853,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9a7b05-06f5-4e0c-a575-23f98ea42df3,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1acfaee-d111-4ba9-ad4b-651c98072974,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e9b853d-576e-484b-b692-be6bdac51604,"4/16/2021, 8:34:23.096 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e0ba70-cade-49f7-b441-11b6503d8923,"4/16/2021, 8:34:23.096 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01c5a68d-9477-438e-9753-7deab1996aeb,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fe9d0ef-4a84-414d-b84f-b2a6ff4dabc5,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7016 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba3eb1ba-fea3-4e4e-8d27-efd15978b4ab,"4/16/2021, 8:34:23.096 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aa3546e-1275-4924-a494-3cbf932c20ea,"4/16/2021, 8:34:23.096 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7ea18cc-4ad3-4151-abe4-90612535a40c,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e9c840-df04-4170-ad8c-bdb2acaa25a4,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a411c4ca-66f7-40ad-bc75-f2a8fe4eb2c2,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c57217-06a3-4aa3-83c8-54c7a176eb83,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b3f249c-ea48-455e-a09d-7c68748f6692,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8c367fc-ece7-4dff-83d4-889524db8f8f,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\VPS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15b3104d-3ae5-470d-a592-23b539bbc31b,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3418fd47-ace7-4b56-bb04-83b8bb756551,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8d4ef71-044a-4dd8-910d-d674c69ba5c9,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b664ce1-df36-4874-9ab0-7ce14965218e,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,087e0f87-e1a2-4bd8-bee7-9f36fdefacef,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01e4c012-5210-4499-b07e-2fac33fac88f,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a6e201-d8e4-41d0-92e7-1c5e1e2754fc,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a6bf8be-7561-42a5-a5f3-8b335a99e675,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df0d8f4c-2689-4d85-9d8e-5b0f7f345bc1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d2b6013-a890-4312-8efa-9ef0e341f9b1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5ba996e-2e6d-4e3f-9419-368493498d14,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a15f8dd2-c718-4bd6-bfd5-adb8aef4a283,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ffd94b-86bc-44e2-9bb5-2fba1cce492e,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f32d2d-afd5-4572-83bf-56c3838b4876,"4/16/2021, 8:34:23.574 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a61b851a-03ad-484d-a65f-2071daa1480b,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80e633d2-5986-4ca0-aef8-906955517dc8,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2102c1f4-647f-4fae-a7d5-568d7ee29750,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,927ba957-9e22-41f1-88f8-50d8c6d160f8,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de41726b-b477-40be-9a2e-93710762eeed,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edca00b2-0d1e-4f1d-850a-c15b7e824d98,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7635797-9ed5-4b8f-95a9-ca458461701b,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca364e2b-5166-4d1f-af7c-c19dc36792cf,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35121325-cee5-499f-9987-136a17b6c2ce,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35da5380-a279-4077-bc82-00ae6fcc3838,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3352158-535e-4b5a-acb9-9276d60393a1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3f6198a-7b5f-4525-9f88-87abb08c3283,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a5e2408-35aa-48c9-b0a1-d88a1c326028,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b8bd06c-a042-48ae-b78a-cf6a1c5fddb7,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f15968f-7e68-4f27-b3cc-3404a8c71322,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3295f424-8676-4d14-bdc3-7cd105bf09f1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,165edc72-3afe-47f9-8a10-667886f1c267,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9ed4e7b-06aa-422b-8ea8-680ebdac78c3,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95edf425-ae0c-4751-b1d0-8ea6b6efcc2b,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ddef4fa7-298b-40c9-a4e6-f076d8da9c66,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 
+",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1cbda332-b689-492c-a65a-ae646ce21867,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b6a89715-da59-40c2-aa5d-4a966e03f205,"4/16/2021, 8:34:24.046 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab82f341-a42a-4b83-bdad-b1d58191be5e,"4/16/2021, 8:34:29.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9588 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ba084de-96b8-4856-acc9-d3c347cac0aa,"4/16/2021, 8:34:29.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10324 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,74003854-31af-4b0a-85e2-864b722d95d9,"4/16/2021, 8:34:29.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,81417c5d-7ece-4591-9e25-55bea5df0fe5,"4/16/2021, 8:34:29.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d8c842fb-be88-42c6-a5c0-265344c145e9,"4/16/2021, 8:34:29.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4260 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 
- A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,54365050-5786-4c2f-b60f-6204d62af24c,"4/16/2021, 8:34:29.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4446d6d3-a293-4750-9184-81ea340c282a,"4/16/2021, 8:34:29.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dd78dd12-01e9-4333-bd77-d32f10d454db,"4/16/2021, 8:34:29.569 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37d2327c-3bae-4556-9d68-af4d998600da,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,6a04c261-bb4e-44b0-be88-5a33e2ac2240,"4/16/2021, 8:34:38.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0472c75-9c06-4c49-9712-02ffb4540354,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41550227-f451-4131-a658-1eb1b915bf42,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82fdb8c4-92cb-4597-a2e9-7747c76e8c8d,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea42a36a-b31a-4d4a-9093-f3cdf01ad699,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,982c3231-a2e3-4404-99f1-f0f0e8403154,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a5915b2-f768-4036-adca-7d7669be30cb,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467a13af-6805-4f80-b8bf-ee8175a21210,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49d7ff41-12ae-4d7d-bda3-8206324ec835,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c124af1b-a883-4580-ad0e-ac2ec98cae90,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a93d5538-8e72-45d0-8662-87972f05d550,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1a4928c-bf8c-4533-9636-677e5dfa0085,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b5535d-3805-4dc4-a551-ba518549155b,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab1c5481-5cb6-4452-978b-7313dc1c5e6a,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f7335b6-efa7-468d-a434-55b19dfd1aa7,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f8c81e-951e-42d4-9bde-3c128484c178,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbb1d799-9ab3-4bbf-8d9b-0d444baea1fa,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45f7662e-fbae-4391-a949-e083120c02d8,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7d3513f-7f82-41c9-b9b0-5efe7a175ed0,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45de1b80-39f4-43a5-92d4-5ed8df655a91,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88de0aff-93d2-4321-84bd-5f9b963daec2,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa333e8-1729-4e03-a9fd-473211f12fd1,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3028742-754e-4af5-a740-91cc3855f7d4,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69cf8444-bf67-4b16-8560-493e6d5c344b,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6fc56e8-2bdd-4c3c-a690-b381d9ae87ee,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32ec8e9c-4935-4c68-a868-979e791945fc,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bd53054-c7f8-4511-930c-ce5a90c0ccdb,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a9baaf5-c860-4d39-bb40-5acfa956d2d0,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b748aef7-c6a6-444f-b213-b63c3838df8a,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d8ad24-379e-44f0-badc-e1c756398660,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9877769-db56-49b8-977e-23ccd36fa509,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae77c252-94d7-4028-ad93-2ae0c9b8a042,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57ae03aa-637d-4ca8-8d15-53647d073cd0,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,984de1ff-021a-4f6e-ac2d-2cbf39c00ec9,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6187d860-5a7c-46f0-a5a6-19eafc446d15,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7830d5e6-f4a3-4cd7-8183-662a9fdb05ab,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2951ab1a-9c43-405b-be71-c365101f41b1,"4/16/2021, 
8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6398e6c4-af1f-42fa-b54c-5fef1fd53122,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ede168e3-12f8-4180-be65-a18697321a4a,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d53caddb-bd10-43df-922d-c2dc7fdb8f48,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7ffa40a-8e7a-406f-8e40-73542c1bf1c0,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58c686e-4874-49b2-8ab9-5d4a453c7d7f,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,888d454a-f7a5-47fd-8f62-452dd20e2aa2,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,231ef08c-3490-46d9-b64e-73115f0e61a4,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b46b22ca-c9ba-4cbe-8152-0267d7ee9880,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,008937cb-9dcc-4f16-9182-831ecf7db71a,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,309bf634-ac17-47ac-a49d-2851cdb660d1,"4/16/2021, 8:34:44.855 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca341884-22f2-4b59-9dc4-32bbb07372ad,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c784cd8-f117-4af4-8704-7c669099a1bc,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,977a8481-5ad4-4619-b9d7-c00f0efa9f31,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf2ecdf-04ba-4e05-bdf0-f5b95163eb79,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22982e4a-454f-47fd-8e50-ab4c5f704f5f,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbc38d62-835d-4373-8a50-33f1457acc33,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31b352f1-2e54-4204-b718-3a4efcc4fa7f,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0e966ad-0ea7-4375-bb6f-1a2890454593,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318812bd-d938-4408-89ae-67ff3e75aa7b,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea6aea98-a36f-49e1-b71b-3291c23d48a6,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a93e349-b56d-4ea6-9b52-651003f56330,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afa0f367-ec53-4945-85d9-417470c866dc,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6e2b9a9-723f-417a-ab82-01a9ab1a5da0,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3daacc-0e66-4429-aa41-cdcd9e785456,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a0ce898-c1c0-46b2-b7c0-85f3fc4f9cca,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7461c600-22aa-484c-bb9f-0e16c5a2e98e,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd03ddcb-7749-40e5-ad5f-2076dfbd5374,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5338a31e-eb14-4ddd-bfc9-adeed6351bc0,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4572e369-8b7e-40c2-b6ee-1291a88fe6ea,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42cafe60-0e83-4da6-8f70-02522db0d9d0,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe87d5a4-8b00-4060-bcad-0d222958ee58,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad36662e-3220-4445-985e-caac700dfd98,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,,
+NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6288 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5deb42e9-8b00-482b-b1bc-9f8afb8f0546,"4/16/2021, 8:34:52.742 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0613864c-b3a7-4777-8728-d127da1a0c5e,"4/16/2021, 8:34:52.742 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,384c2bf8-1dcd-4d0c-a763-a6ad13df4d38,"4/16/2021, 8:34:52.742 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4f605370-3ba7-4c5f-8435-32fe2e5d1685,"4/16/2021, 8:34:52.742 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8161e739-93fa-4316-a218-46169edd74e8,"4/16/2021, 8:34:52.742 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7e3fee28-5dfc-43e1-bcef-5334c251ab24,"4/16/2021, 8:34:52.742 AM",,,,,,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b1d190-32b9-4447-99ed-becc3f1973a1,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7033905c-0231-43a8-8203-c623ec4247d3,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c13942c-e4eb-41ce-8fc7-338588c50361,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83808ab8-1be9-45ea-b4c4-3c5509864dd4,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,214363c0-cd1a-4c72-954f-bb13d2963577,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2486b2cb-385e-4cab-8ed8-25d10ab0a5b9,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96885966-6678-4980-b37b-49c5b14f35da,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3160445c-2a0f-4d44-9794-0e15fa086ec9,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e8f6c8-7788-48af-b065-ae3d488fdb52,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,440bfa1f-c86d-4cb2-a52b-a2fdf13d1730,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c3f8584-b08a-4a85-a79f-e34564eea861,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be0f0de8-4855-4105-ba74-5204b6d52f5b,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44907f3f-fbae-4221-be07-d0ffde8b208b,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3498bb0-32cf-45e6-8512-1e1920874741,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd129843-1ea0-4323-9199-b4c22463a54b,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c228257-c847-4ae3-bc9e-c5a42fc42b15,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0d296b2-ea2b-4042-828d-f32e08d9c05d,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480e460b-bb09-4cfa-8c02-f7a6bc89e357,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1a56513-2508-4a21-997f-26f79d0eb6f8,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ZJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5004bbe6-e176-47e3-a616-c3916120d94e,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4605ed5e-cfe9-4a68-a416-f1162f3e81cf,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a858537-dd53-401b-a87f-7f975377fd89,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c699fc4-e16c-4677-a682-6c6372dd3e82,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7de61f08-c0e6-485a-97d5-a1b65ab6f084,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ececadb8-25f1-47e7-bee6-2a688eec51f2,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c84b745-dec6-41bd-8fc8-317c4443cec7,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dabe9c9-bd8c-4aca-98ed-535acdf57274,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2de52eb9-8e7f-46dc-bfb6-242d5d315304,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,095841e7-7954-49db-bc25-325c669e491a,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b36598d-c2c6-4418-9401-4df38b7d0be2,"4/16/2021, 8:34:53.577 
AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,846a2946-cf47-496e-be86-06e36446399c,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7aa8127-fbe4-4625-bca1-5f4a104c3e98,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ac6a71-46e2-4dd6-a77d-b181cf1e28ac,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39bc507f-6c5f-43c0-8110-bcbcbf5e4431,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73dd8f0d-5729-4a71-9b96-7e78c7132471,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dda11e9-1dfb-4e46-87b6-2828b17d6de7,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20ba9777-26ed-4bd7-9240-8d55615df85b,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09a506d9-db62-4a58-be4b-f8dbdd7eb8c5,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4458bc9f-25c4-49b8-b653-66bd59a4a6a4,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06e4ea50-493a-4315-8259-b28c09ffd15f,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4f5cb96-7d84-4c47-9ef2-bdbacaab8ab1,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4f39da8-2659-4785-b518-f03da076dbf6,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b305912-1e1d-4cb5-b8d8-0361de642f68,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9afe41c2-5277-4827-b244-a1b599928724,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12956 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f62e55b2-b20d-4a1c-af23-ef35274d4744,"4/16/2021, 8:34:56.979 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13928 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5e74e0d8-df8c-4f97-8665-ab35348c4aaa,"4/16/2021, 8:34:56.979 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,af119ac2-7b20-4b75-a323-867f53de8e3d,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bafc3e46-892b-48b2-a476-2c3b1ea5fef8,"4/16/2021, 8:35:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,27d3adb8-9d07-45b0-97ff-2f30306125db,"4/16/2021, 8:35:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,8fa996b3-9c27-405a-b0cb-8f20247ae0b2,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,31b4ffd6-8a44-4849-8848-855ffc28d484,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9284f3aa-d267-42b7-8e9d-4204e49658c6,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,bbd34a21-ce95-4a65-8b4c-ad67254abb11,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,256dac0e-756f-4d4e-8fb0-dd49498e27f8,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a28ff9c9-a8d1-4de8-b336-8a93760a7469,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16d89d64-ce89-4e64-b71d-cfd8f682f71d,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78aaaae2-751b-45b7-b6f1-f14075399ea9,"4/16/2021, 8:35:03.050 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad095b4f-f8ae-4c0f-a26e-f449bbda0e84,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e61ff32-c032-4f71-bf02-d2283aa4b255,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f516d04b-7353-4c79-8f2f-e27b3b7bd22b,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3323b9ef-8e62-47e8-9f8f-7077c23c5d45,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b66fa658-874b-4a0a-a326-4bf2915f92fa,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f61d4488-54e7-465d-af4e-397e622bc8cd,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69120ab7-b1c6-49d1-b2e5-3bbc0d433ade,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ad6f881-330c-44a6-a52c-ed6c740399c5,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec8a9d6d-493a-429b-99c6-9ad9cd425e65,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d9d6d0-ef83-4061-8230-c433c9e8c0b5,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12b69487-eaec-48d3-9f1b-8f41763372f4,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d3474a6-51cc-4103-91ae-4ce7c3d99a52,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2852d37f-d263-4645-bf1b-9326c597bae6,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6e3229d-bbc4-4c52-b956-62a6778600d2,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fd6f8ee-96dc-491a-a4e7-f070b7119ed7,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64b0d22-a9b2-4c56-89f5-be95cf21e012,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b0cebc2-1d72-40e6-8013-b127f09879f3,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c0c0867-5b70-496b-ba8d-f1ebbfbf3896,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552ce773-d1f6-4931-9a20-edf00c4b5e55,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb8528cc-32df-46cf-99d0-77939af935ff,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35e24c90-ab23-49af-ad13-1923ebb6cf63,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df370d58-d321-4e48-ad2d-25abcb80cd6e,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a86fed51-ec67-4f3e-a09c-da9ea3104a8e,"4/16/2021, 8:35:05.572 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,905c7fb6-4240-4121-a4f3-bd5962a89d2e,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e88c831b-9b34-4800-b54e-4f4042d7915a,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b61a7d4-2974-4de5-89e9-858d16cb4c49,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e8475f0-9d60-4074-8323-84192b879f06,"4/16/2021, 8:35:05.572 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e67c689-fd8f-490a-901f-e81bed4837d0,"4/16/2021, 8:35:05.572 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6bf0da9-2ecd-446f-a466-00e04fa2de6b,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd5ca925-3de1-47e1-b368-1b23b2a3039c,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,154c0356-3fa3-4f65-b20f-c1f4371ff72c,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b3744b3-c2f1-49a2-97b2-a6a7552e097f,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26999255-939e-445d-8453-dfaefb7f9c11,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aea9b9a-4c3e-485b-912e-371e49abfe8c,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b165901e-dd8c-436d-be7a-f54b3f930b2a,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3e42190-0572-46ac-aebc-2df5a75ba4ba,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f8def6d-d745-402b-9d3c-056c4d80f956,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c59557cd-9861-441c-b610-e44ad099dfed,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a50a23df-2ff2-4b32-bb61-c992d48b2d43,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7f3db2b-500b-42da-b36b-512d134009d3,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b44df869-5be1-473b-83f1-9d4b898f3b97,"4/16/2021, 8:35:05.572 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6fd67da-a527-4772-a34f-44c9cb2ddd3b,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef2c47b0-5fee-463b-abd1-e14f6d4b8929,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe52b95d-7380-4882-b730-fb64b8cce635,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e126a790-4159-4e5a-8740-9abc8f2fae0f,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8b13d7b-5f7a-4c6d-ae75-8c09ddcc1ce7,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b318c5-303c-4d01-95f9-c6eb1d50c419,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e04dc041-3f40-4295-b953-c06c697e7db7,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4fbd8ae-459c-4313-8660-a168e725efe2,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb3dfa2-2a11-479c-ac3f-10e7ab5d6bea,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,561ab4a0-18ed-4489-bfde-39ce82293f50,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,373cf2c3-b8d4-41dd-a2e7-af3e3062ecfd,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a900a82-dfe1-46b4-92cf-d04a42a64802,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c443e46a-0b65-44da-ba72-347ba80f2660,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1733970f-4969-4d5b-86a0-5e4468b57a78,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f85b7d-c5ce-4846-8b9c-c7cab4a32806,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ead991e1-f5bd-4e74-bea8-4d3d38537669,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6881fa2-4b56-481b-a2af-847bf126ffba,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a358b7f3-f289-4c6f-973d-98012e758a36,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be64f6b8-fb95-43e9-92e3-93557bda0beb,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b17a836-3196-4aeb-9a39-be4b39d759fc,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c9e8334-e73a-4de8-bf93-68dff645e8be,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49dd5ecb-c095-4e04-ae7d-9bae1969ea22,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,263e78b7-aa12-4996-a7ce-c7a72a9a300a,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ce2eaf2-d11f-4aa7-b7f0-e4ed07ba0a30,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb5237a6-2d59-427e-b027-29c11042f405,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,598e5efe-543c-4255-b177-4ecc09267dd5,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdcf6582-14f3-451e-ab00-3bae708c3cc9,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5912 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,90c15c6a-9847-4429-a30e-cf9e8f0d6370,"4/16/2021, 8:35:06.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9732 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f3f0e2c4-6648-4f4e-ad43-26df6791bc9e,"4/16/2021, 8:35:06.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,22355821-36e9-44f6-904f-cb17b0d62f40,"4/16/2021, 8:35:06.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8d582a5-9a67-449f-8aeb-ac52f90f5ad0,"4/16/2021, 8:35:06.516 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 
2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,aee8cdcc-cb7f-424b-97dd-2c8fee81c65d,"4/16/2021, 8:35:06.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ef5b50b2-19b0-4aea-bdd8-e2fd13d66c58,"4/16/2021, 8:35:06.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10176 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c3ea8969-a74e-4e2b-834e-bc2640c84ca9,"4/16/2021, 8:35:06.516 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4f6d46f4-41d5-437e-94e0-2c7aecea0a21,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,968e7ab1-713e-4ec9-940a-17758c653160,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,17b682cb-635c-4f7c-b18b-30095f3fac50,"4/16/2021, 
8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c9606e4-7833-4f0b-91dd-861002e75bef,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9be8f05-e883-4ea1-af4d-59a3666c9d50,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a8596e97-fbd4-4705-b9f9-ef287dc497ec,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03735e20-0d7e-4e52-b7a1-60359dd3926a,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e762c69a-3c5e-4deb-b573-e1edf1cc8e9f,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a41dcd8e-8858-4329-bd76-b2d254c7e083,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4693882b-8c97-414a-980a-c65d9333560e,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6fd1194e-c130-4248-af41-9b8b9260d930,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aaf82b4d-7fba-4610-8e34-f2b251b1f7ec,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,81647867-6ddc-41e6-b7c0-a9e84e50d455,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b91a5c67-0614-41cf-964c-ae87bf274b5a,"4/16/2021, 8:35:07.419 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9ff1a836-4237-4e7c-ac57-3739bf68768e,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93f64868-57df-4f93-8846-4380649b10a7,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d5be527-b466-4b77-80b1-d10d1ff9392c,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d1f21b73-1d45-460a-bab0-9bc052a1b56b,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,898d6154-55d3-46a0-a122-72437c7b6718,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3705c974-37a1-4f9c-a94b-b0cf5b544fbb,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e651a64-c0eb-4eb4-9981-88971feac697,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2d1a0f4-1e4b-4f24-98cc-39b8d8919a96,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e324747c-880e-435a-8c2b-5f12a51d2608,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2bf7a798-c09f-4243-8669-4982027fcb4c,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6e89039f-0dcd-4ec2-96d0-f9eafeeccacc,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\VPS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cd01544b-d868-4b97-bdbc-19b68e08e46f,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ec18fd45-1882-4e7f-beb6-b5961a8dc244,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6972 + 48 + 
%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58731594-20eb-41ce-80d4-a92193493011,"4/16/2021, 8:35:07.419 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf698c1b-2aed-4a1d-b3f8-26f72a4a0d19,"4/16/2021, 8:35:07.419 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d2549a32-f579-455a-a698-538e6095ebdb,"4/16/2021, 8:35:07.419 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b7e341d2-b50f-4917-98df-8059cf62d72f,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6168 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0441fa67-6f84-4c43-9271-19ba08b681da,"4/16/2021, 8:35:07.419 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,69ed2665-3605-4c45-9a35-b7899e16b9c5,"4/16/2021, 8:35:09.848 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,667285b1-9a07-4c55-881c-95bf82a318fc,"4/16/2021, 8:35:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,370b60bf-8c5b-4155-b820-0dc81b8a8cf6,"4/16/2021, 8:35:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6600 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,39408071-0390-4b16-91c3-991fcff10313,"4/16/2021, 8:35:09.848 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d7e0a642-7bb2-4f7b-a585-a760d48b3ccc,"4/16/2021, 8:35:09.848 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f60e789-7323-4102-b5bc-e987527ce4f1,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a01bd1-3d07-4494-ba89-00626075860e,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b30bd228-7841-463b-9113-9e997b4ab74d,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13757fb4-c48b-4a31-ad3b-b717693590b7,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d570bfe-e091-4461-964e-df2891b42db0,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9360a3a2-4c16-4c5a-ae23-cae4540405b2,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56f5a7d-12b9-40d0-a005-a40e1516d2f8,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b95824cb-4cad-4fd6-b9b9-f46a3c0c98d8,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d6a499-783d-4b67-b475-26bedf53ef06,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,691d81c8-a96b-4fe1-b62f-17590c95325b,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5ffdd2-ef26-43a7-a991-b093ad88cecb,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc016b0d-c0c6-48ca-a811-be9defc8899d,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99b3809a-a32f-482a-be9a-0af05555efe6,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2136ac4-cfee-486d-9d31-0d2760758848,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c033427-6486-4bdb-b30a-b38d07338bc3,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfaf00f7-bffd-4845-a333-caa902536a4a,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\EJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b21e9332-2095-4d92-84db-619122922837,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6b4c3d8-7bbe-4f73-8631-3a3f88706be4,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06425996-3b9c-4101-a872-db9172ae29c1,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35aca0c9-6a1c-4674-9982-f265a38a939a,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd3bd6dd-7b7b-4288-9cd1-29d4a2a8bc88,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58276e42-293f-4dc3-881a-478b856987a1,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80e3bd8c-a757-42dc-889a-25ffbe01bf43,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddefc36f-8bf6-4950-b1dc-110f39bf09e4,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,488748ca-0fa8-4f26-8fc2-26ffe3837300,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f43d526e-8575-41fc-9d74-85fbcaac89ea,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fac4362-c834-4b87-ad6e-109001aa4a7b,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b623ca-365c-46e4-a2af-c3f9ca010b27,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f997e691-d432-4bf4-85f2-7954edd0435c,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b63b51b5-e877-44db-ba3e-79f31c1735da,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfd24a57-f2a5-468d-92ee-9f4920a2081a,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e3c9f1b-e67f-4747-b98c-9e27b91edab1,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd912373-cde4-40a1-9331-23fa10ceaebb,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d248ecd5-064a-454f-a9a5-683b277468da,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62338e23-37b0-4f35-b733-1f805d4b45d8,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f2d1331-8149-4189-b5a3-c54beed3c9f6,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c10d6fd4-9395-40df-bee4-07b2450d8a7f,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2a440bd-da46-40ef-92ad-88290b7e336e,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8457e2-263f-47eb-b9af-312e67d8603b,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ab9ae63-534a-483e-ac3d-53b53fd84a00,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,357fc8a8-bdf4-4fe9-93a4-20abfc3088aa,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\JJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3342e9e5-6802-46b2-b5b0-380671c1bda2,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ac6ad5f-f397-4bd5-bdf9-89e0c7f211fe,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,386e7ce2-6e25-4baf-b738-6dfbb2f7af8b,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a66c2de-3916-4185-9b63-acc5846b1e30,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e0fb69-cc79-468d-adc1-4637efed04a8,"4/16/2021, 8:35:20.145 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c7eaf57-9ee2-4ff0-91c8-acd89bf73101,"4/16/2021, 8:35:20.145 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8256 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,78e2a3e5-e4fa-436d-a383-a5195255e088,"4/16/2021, 8:35:20.145 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1780 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,50b7cf86-f4ce-4817-87d1-2df1ab5daa6a,"4/16/2021, 8:35:20.145 AM",,,,,,, +\TERZO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9885a86-67ad-40fb-9f2e-f4e9d0e269c9,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0de148f4-f8d1-4797-9a4b-a907eb713de6,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4c1526d-ad81-408e-b7da-40c1ca861572,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1592965-b22f-40cb-bbdc-a101079c8ebe,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21422e1f-f197-4505-9c86-4327e6050b74,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f95f81c-4b5d-48d2-aa9c-84c868ecb981,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adcdfd1a-5ee1-43d0-a428-b85cc9db3438,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32e01827-3f92-497f-9f05-ebf268727630,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82828ca4-c996-4f14-97ee-e239b6f3723e,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91a2f8fb-4f9e-44f7-bff7-b624f1cda059,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d191201-7df6-4b47-a951-83b1e14a59ff,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8dcf913c-d3b8-4d62-aca4-9505ef331327,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e1b2fe5-1715-415a-b425-dcc94cb5e658,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8173257f-84d2-4b69-87dd-2b21d12b9b06,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5cfecda-8cfe-4b8d-b2b6-c6daa31cf733,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa0c5770-9ff6-4351-a5d4-ab226995d24c,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f659cbd-6cab-4289-a9fb-a518800b0c83,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1566a595-25f7-434c-ae23-7b7d5e5d7cb7,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,113c58c1-b378-47b3-880e-73749d22c22e,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da815dfa-75d7-4c02-8ba6-40aec349bc33,"4/16/2021, 8:35:20.570 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e14fed3e-3987-4b70-8468-2b9687022225,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34f59add-f45d-4f75-b47b-4e6303cae51c,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39615428-88ec-4280-92bb-22c092186413,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\MJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c7d9c5a-03fd-47f3-97b7-168a0f0c6aa8,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb6217c6-1660-4ff0-b51a-d2b58e10acbb,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,551dc504-87d2-434d-9205-c4eddf00ab18,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2c3f1e3-d782-42ee-99d7-2f946b427fa2,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539a369c-f633-4e45-9566-3323e2dd1e20,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,100434c6-898e-4666-b786-fcbe7e65f436,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eff9dfa1-f8d0-4cba-89eb-6437d9f97ab6,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdce568d-41c7-48be-ab70-b55c59d97a12,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3e62e0-3382-471a-960e-0a73a07b78e9,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b0bd357-5466-4c10-b986-1948bf0186a1,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba01fa1-7b5b-4f3d-9ae2-fd43c25a5aeb,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9b43e9c-84a8-4d65-966c-64fe7e150836,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9bcef1f-f67e-4113-96a2-a9dff696798a,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84dbb74a-279b-4695-93c2-93be12135672,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28b4aa3-b421-48e3-839f-29e47a2ec68e,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a6125f7-f993-40ef-ad70-19927039a1f7,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14db039-7616-4674-a991-f2e9d2cd19cc,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d3d44b0-3367-443a-8efc-146e9d86d8b2,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ae8e938-a127-44c8-9aae-45880f184f13,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac4e2f2f-af9c-4624-83b4-3f9c069054be,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58184325-42ba-4161-a6db-bff1b0e6c7d9,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82e1526-58a4-4f3e-937f-e470eb2c37f3,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,547ce4bb-4187-4d12-9e86-b2fe655019bb,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7928 + 18 + %SYSTEM32%\CMD.EXE + 32 + EADCC06FA49193965AC87F20A2EAC9D9482A669A4C0AC722CE411E28B1F2EAC7 + 113 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cabe8743-fb79-4c2a-b91c-822e8ffe43b6,"4/16/2021, 8:35:28.322 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10812 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,652e204a-3fe3-4acc-97f5-8c0e58690423,"4/16/2021, 8:35:28.322 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13264 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,52545f1c-2a76-4437-a00a-98698a9c0d87,"4/16/2021, 8:35:28.322 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10544 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cd5d8af4-d3e9-4088-a3d2-c4bcf09c645c,"4/16/2021, 8:35:28.322 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6cdf748-9d06-4528-922e-f83b587af44b,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d20ab8d9-1e68-48fe-8043-bb969b522c75,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceb9d4a3-2a37-438e-91df-7ea098bf6418,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed9a61b7-8c2e-41de-8dcc-328edeb8bd73,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84eb0121-8888-43bf-a572-fed51e9fa98a,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,799f57d1-1d32-4c51-af18-3158a89853b7,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c73cee4a-6e9f-46a1-a381-57c5d6e0374e,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,040fb2bc-afe5-45df-8700-12306b3cd468,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed4bef8-d8a4-44d4-92c2-cae820a022a8,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53f7c8ac-b8ba-4cc3-a69a-e24f47f87714,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,114f46a4-7505-4a48-808b-d4cdede3eeab,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c9f2dfc-5df4-4ec6-8681-aaed06d2b4a3,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8015f464-7dc4-4257-95e0-62684be3964f,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bd32d9a-bd5e-4c65-b62a-85052c9d0107,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,f28e341e-a17d-4914-bdfe-0068b91895ba,"4/16/2021, 8:35:33.096 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2f6f379-2d31-47e4-858d-adb7bd02add8,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe383a07-94f5-4632-a429-7ce10478a132,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a7d41a1-91c8-44fb-802b-54cbb7be77d2,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d05bf69a-d20b-46b6-bd9a-a999eb5761d0,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90747438-72c7-47ce-bb05-e14fa35f10a1,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22f160d1-0186-4671-8918-b3a93d3c6a48,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54dc49b0-a811-4dd6-9282-fabdc1e39311,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0cfad651-d2fa-4358-ac35-0cb86ab13245,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,080c7c40-e853-4b6b-90f9-28e8cf952cd8,"4/16/2021, 8:35:34.866 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24140cd3 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e0d0a6c1-4252-4e9a-8180-09847b945d00,"4/16/2021, 8:35:34.866 AM",,,,,,, 
+CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1d254f0d-dd08-4ef0-a7bc-14985e9bba36,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4a465e3c-621c-43be-8fac-f40e149f6f15,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e12d5b04-f904-48ae-b2f0-2e9e1708b4e4,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x241413ad + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9b15bbb1-de2b-47ac-8728-ff8f20565c94,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ab969098-84d2-484a-8ab6-4ea38eda3ae1,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x24141413 + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership 
information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,59fd982a-3162-4eea-9482-0e28c5fac714,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,477e3081-60b7-4946-a398-0c909e0da9b7,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x24141429 + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6fb2d02e-fe0d-45b0-a711-288eba80dbe3,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,adb91a11-de3d-41a7-b5f3-b4a873326451,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x2414143e + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,01a14618-4907-461c-b654-83cf778998d7,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1fceec9c-af0c-4e41-ad1a-1076f06ecd35,"4/16/2021, 8:35:34.866 AM",,,,,,, 
+CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ca3b7874-a0ec-46aa-b032-d9af8c58ee4c,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,43e43c0e-34d8-4e7f-90ce-c158b7791405,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO + 0x241413ad + 0x0 + - +",4799,4799 - A security-enabled local group membership was enumerated,5503048d-aae9-48b7-bda5-46b931ec9ed1,ba56fefd-aa5c-49f2-9447-38021900497d,"4/16/2021, 8:35:34.866 AM",,,,,,0x0, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,13de5507-6c90-49c7-b0e5-85f4a1ed7358,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ad08297d-64ee-4b5d-b6d1-0d6954011989,"4/16/2021, 8:35:34.866 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,199d00cb-8f1e-4f05-8405-32ab94bdd979,"4/16/2021, 8:35:34.866 AM","%%5649 ",0x2,-,-,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f451130-2a34-43b9-85af-b06ec373fb27,"4/16/2021, 
8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9f1e633-8bcf-4c62-ae93-71700115519b,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e787eab6-332e-431a-a674-dd0c59c26c17,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a38f539-4482-408a-bd81-1de8091b91c9,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72553e68-64fe-4f24-a422-b196571f44b0,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,446f488d-b485-4d1a-9bbe-d1272111fe7e,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efb1fc39-1a88-414a-b826-d789e1dd15f7,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61a1cc1f-3a33-4e54-aacd-f147075ef5ee,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a01ce6c-1db4-4a41-a06f-68bd40de347f,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d6b956e-423e-4b6b-be88-fb6a22dc46fb,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bee8a8dd-6a04-4c54-a3f5-35819aca3dc9,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9487dbfc-0b58-4fb9-ad96-b8fb48e62ae4,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4da1059-7557-4d3f-8e2c-ad56f9b91abc,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd544087-6ffc-4dd9-8e1f-3b8d08a49e83,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd394b15-f8e3-4dbe-896e-d32ef75206d1,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c31493c-2b2f-44b1-b159-8c13ef58fc77,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6404bba-f047-4f5c-94d0-01cd4e6e5d56,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db40bcbf-c9a5-4419-ba5d-eb5f29aa7051,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78cc0efb-866b-4cf7-8ede-ebc22eb2fece,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83a995ed-888f-4ad5-8b3c-4db20f3f27d1,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff5b2133-059e-4889-8cc5-7596401df73f,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7ca560a-a9b6-48b1-a3af-8092d61c36d8,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fd7d39c-7dd7-4c5a-86dc-65b1816c3065,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c5734312-8233-499b-a3ed-aa1e021a72f2,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86bb45fd-dcbb-4483-8c98-87587610b1ff,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8b914252-1341-487a-bb80-450557a677ce,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53e859dd-64dd-40be-8aa2-92cb9ad6b80a,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2f2f7a5f-185d-4a8f-a560-4eee1202b53d,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa6c45a1-2e4e-46dc-a2e2-cde3ec3f576a,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5356f8a9-18cb-4ffe-9341-146e4263908f,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae5a307c-f86a-4ca4-bd2f-4f86ab0ae2cb,"4/16/2021, 8:35:36.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9b79db7-9f34-4a9d-94a8-eccd1c332dc9,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593ca018-3fa8-43f7-aa4a-2ec0f1a55917,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aadcb7fe-61a6-41d7-a64f-ec499994dd8e,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,613a4806-3390-4d19-b1a5-0b887fd4e028,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b5f0b4-074f-4e3b-ae68-038667853e07,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11ee2802-b900-4356-a564-4c8c5d3189d7,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecb92553-be69-4d12-85ec-15f978509a37,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87c1cbd-7f70-4015-ae2b-3cbeae606561,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,341347d2-5d1d-49df-9bb1-7f57c811584d,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,237d1429-45a5-423f-8c1a-f4918941df1e,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9745ed7d-4d43-4429-8141-a5d09f900478,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9915b90f-abf9-4dc0-9598-2984d2e6fe82,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45d2521b-050c-430e-80d1-6e3d3f826681,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef75557-9521-4971-a54c-352b91615870,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3890e58f-8f92-4d04-b762-cda95c4953a7,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6a37472-79e8-4a2b-8a6d-c7ddfe89313b,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a31dd5d-8dd1-4283-9590-78b12d49a89d,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bb4e4f1-b676-4bfc-90d8-0e524313ae8e,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f997921-0aa3-4c49-bae6-40739f53b3dc,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,530ba350-1bc2-49b8-a62a-e2d4a3e39149,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db7ef38-a5f5-4014-a111-f3feac36edc3,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f230f83-cd78-448c-9428-345c47ecf0b8,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5150047f-9e13-4033-9434-dd513fd37449,"4/16/2021, 8:35:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,00a56a67-4789-4d39-8ed7-a2f89f9111e6,"4/16/2021, 8:35:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7520 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,85eb204c-bcc1-49c7-aafc-ec6f88c69aa2,"4/16/2021, 8:35:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4868 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46ad2e76-736a-4f74-8ccc-bbfe6edd1fe1,"4/16/2021, 8:35:41.411 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4019754b-8eee-4183-b594-7cf3a60387fb,"4/16/2021, 8:35:41.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b3f0b1a2-7b4c-44f9-a2ba-c01b699e05f3,"4/16/2021, 8:35:41.411 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b301d4e7-6ad0-4cca-a0b8-29304222e055,"4/16/2021, 8:35:41.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9004 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6706750a-60a1-4cf1-8f1e-f3198493cb75,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12168 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,74aa722e-28cd-44dc-a818-7e956c42d397,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,21b42d0a-d958-4438-85bb-bbe06e36fe99,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 11804 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D783370D0C3716126E1F2130E165DBCF9EA52A431FB5BF0AB5E3D9D3D479AC08 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.01 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + 
+",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3b18a931-5b7e-495f-b903-7f7a94ffa3f3,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a3c3c825-dbf5-45fa-95b6-d1efe1bbc425,"4/16/2021, 8:35:47.988 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e1248a1-07a3-4431-877d-f7d2afe6bc5d,"4/16/2021, 8:35:47.096 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c74b7e3d-ee41-4950-a65a-904243fedd9c,"4/16/2021, 8:35:47.096 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37f9d3fc-5e0f-4259-b49c-6d52ba1b03bf,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17655ff2-339e-40df-8262-531a1e63cb3a,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,668d854b-468c-43e6-9fb2-22f4ef6b290d,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a9339e8-4fc4-41cf-b22c-1827e1e78be5,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,509f58d7-0fc9-4a52-82a6-256737540202,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bb2262a-9832-4f3c-af88-6f134f5d4f3b,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8712 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1008_2021-02-10_045418\COLLECTGUESTLOGS.EXE + 32 + 9CBE23B245E1ED128DF262318D623E57C98A79AFDD407B13BD8A2C82CA79796E + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6678550b-1492-4306-946d-4204d8d411c6,"4/16/2021, 8:35:47.096 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e666fdb3-30dc-40d1-a571-d30e1dde4bda,"4/16/2021, 8:35:47.096 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f897f17-814c-470b-98e1-fc45beffbbc2,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1195efe1-0094-4e71-8225-b8189033396f,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69734ed7-deb6-4083-a1f6-7f5c20ee1549,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9daac5-dedb-45c9-88cc-570958998fd5,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b3589c-06af-4fd9-9119-e3ef99c6d94c,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3857cdb8-b4d0-443d-ada1-c50c85e349a4,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b33aad8-47dc-46f8-89c0-1012d56979a7,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6805eaf8-67ec-4e0c-aa27-cd66c20cb3ea,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,807a0eb7-ff29-4ad7-9280-8d9516c5298f,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,259a96a9-e33b-4fec-bee1-1090304ab01f,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7209a166-b426-469b-b281-8783fd10e517,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e28542-359e-47c5-9ad4-a9747e58db8b,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cff9714-b977-49ca-beac-ec0d128094d7,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c7ba0fd-5450-4d7c-ab2b-4d25b361eaf2,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8f05ae89-d482-40be-a9ea-2e5c8666f47b,"4/16/2021, 8:35:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4276 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,609caab1-0669-40c5-8051-b2531938cc15,"4/16/2021, 8:35:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9c4eecb9-4eaa-4b5b-9519-072c9d9923b1,"4/16/2021, 8:35:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ef886813-174e-4ab2-acd7-9b08e60a4b2f,"4/16/2021, 8:35:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b61bc2d6-5af7-4f8a-9efe-144e9057b194,"4/16/2021, 8:35:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8e166322-abcd-4302-9cc3-5f548f2c83e8,"4/16/2021, 8:35:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11140 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,701b8c6d-d4c8-43ae-a9f0-d2591ecbae1d,"4/16/2021, 8:35:51.523 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8168 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b37ca567-f8fe-4b4c-a98d-ae89760e7232,"4/16/2021, 8:35:51.523 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new 
process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ff2cc21-a14a-44c1-8b90-1147df51ce21,"4/16/2021, 8:35:51.523 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e295c5a4-a9fe-4b31-af0d-63a4fc1a3158,"4/16/2021, 8:35:51.523 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac096c8c-05d7-4e56-b91b-ee1bc7ff988b,"4/16/2021, 8:35:51.523 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5932 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bf424b0f-78f2-41b4-a93b-28f004d90b95,"4/16/2021, 8:35:51.523 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,135b75a4-ea8b-46ad-b797-d1d8f86807b4,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9503fb75-c019-4ff1-b96b-f3ded4d1645d,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e10ae37-88c8-452c-aeab-dee27587271e,"4/16/2021, 8:35:53.109 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,029e1c07-6ca5-4a23-be5e-e3a42d9e7454,"4/16/2021, 8:35:53.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bdc0958-c803-4b37-a30d-8caff1fa5365,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6421555e-f9a7-477a-b582-576a1cb1a76e,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b92d914-1401-4fce-9612-ba6a5a88af21,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2824 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c18cba3-fa5a-4d8d-85c9-45d2a13d511f,"4/16/2021, 8:35:53.109 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b74ff53c-972e-4c41-8afb-6b473645d3a4,"4/16/2021, 8:35:53.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d16548f1-af30-4238-8536-b0e524754b90,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATÖR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea45d8ac-8697-4b11-b2ab-288c998122e6,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4dae615-78ae-444e-8d7f-b01c3c125754,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1b1be4e-fc29-47cf-9ab4-7a10f54e6139,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2011092-bd74-43a9-8714-03163d2eb2d8,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8c27c74-f10b-4c80-b388-b38a9a4522e9,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d960b0-28e7-40d5-86b5-20f205316e6e,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c54a4d14-3ffe-483b-b3ed-5a8da4074614,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,772142af-a6d1-4e45-a8f7-83041312349c,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46367d4c-a4d2-4036-8216-0c782d1c72a5,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86ff138e-0322-412b-a0db-48bdc904166b,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1651f12b-f992-4c1a-802b-6fb9fb058ef9,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bda3cefc-b987-43c0-abe2-7b735393aca0,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c318be1-9da8-4631-8838-ada42a0bb180,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2239be9-d5f6-418d-a087-6e71dc09b804,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9be3c6c-7bcb-4b85-bc76-32195ac9b10d,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b788dd97-8d85-44b1-b91b-dba30b95fd40,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c349d8c-f7ae-4747-bed7-67f35459d010,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d395dbad-38c9-4d60-940c-c6fe706b04d4,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08916239-3a95-4b42-a531-574abd4da507,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,142f2e96-8209-44f7-9808-8d228709bc1f,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,535264fc-effc-4332-a269-3ffdcbdeb5dd,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a15c3c62-2d8d-4ad7-91f8-f51b97b7cdfa,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a5f4bda-b7af-49e5-ac8f-d66fe3e72abc,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52ac5cf1-cf56-4fb4-bcfc-63a7e43cdbac,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae077d28-2cd1-45bc-b9fd-0e199ce480b0,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0417f6-93ef-4398-a42b-540c5ccb7df8,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3c40ec7-b11e-4298-9b2c-cc78d12f4d0b,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d6ba844-b8d5-4362-897c-91e64dddbf5f,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a13367aa-31a4-477b-9e52-5cc27509fa46,"4/16/2021, 
8:35:53.576 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccafadec-e055-4c5f-8166-a1fcf4318439,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8833fc3-5055-4d0d-bf8a-c4bbc70044ff,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,553e94fa-01b3-48a5-a1ea-73e292bb5e77,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51b2aabe-b0e6-44e2-8178-e6901e135243,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c32620cf-e700-4f48-be94-775bf4d56c03,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83fd3c17-a8e1-4752-a4a2-e11d3ba081b6,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee064df2-622a-4912-91f9-28519c505e54,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea138ce-a935-49d0-8a98-1b47f8a319f5,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + 
SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,287dd448-7f82-4a92-b45a-1e2ffb83306d,"4/16/2021, 8:35:53.576 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a5ad566-2c6d-4579-9a41-35b3673af94b,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a53e52c-6477-4596-9dc2-4d8ce5d5412f,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e3e894-f8f0-4e6c-800d-b93617367b1e,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b473bb0-9dd1-4beb-a15c-d324b4f2b506,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ef8ffb2-1f3f-4a95-ba43-ef53d7f26daa,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f03b6d1-346b-459b-a5fd-3477f265b49a,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a37adeb8-33a2-4f27-89c9-159974a78f3f,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9962e2ab-7f2c-4f1a-993a-c37ec800beba,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,245f7f31-5be9-467d-b90c-524a4dd403bd,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\CRESBARD,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da407bb7-70cf-4e7b-9606-5b96a5b4d936,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8077b405-5ebe-4d5f-ab6f-154e9a5c4c76,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9bb3f3a-5d11-44c3-94ff-4bfe6e99ec1d,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa767863-713b-4b26-af7b-5455b9f59ebc,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfde4d7-72a8-4a2e-982f-c2173723ac11,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59f9aa37-41d1-4a31-bef1-14a6c22f2579,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fdddd8a-326b-49d0-8c1f-080ad5aa0c77,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c165b237-d44b-48b6-871f-132448e4bfb3,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a9388e1-8462-4ebf-a58a-1816ea87badc,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fea7cbc1-e8c7-449b-918b-9082ff1a2be8,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77c9db69-dcb1-4d81-9994-a30c2a49ba0c,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e63f0068-17e6-4b7b-90b7-901b770339f7,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f256f897-ebcb-4d7d-a203-1bc476d8ce04,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,378eaffe-1707-443d-9bb8-ca9a87645aa7,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94f49edf-5415-4e3c-863d-e43f85596c28,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b672c38c-657c-4951-b6b6-6498e0264d7e,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7800333-6f18-4089-b356-a7e8255b35bc,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,411b6a20-08e7-427d-8354-cb26a3db9925,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68e92c1b-2c78-4809-a9ad-56bd360e93aa,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f41bc4-36a2-41f3-a04b-c2d05fa3e0c0,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd848d24-d88e-4a91-9bb4-e811bcf9f1d5,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d69019a-a119-497c-98cf-36c275ca2165,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,463f68b5-015d-4ce3-a83f-ba9125d95123,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5ffbac9-cd52-4c72-ae3b-677eab89407e,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc620f05-22a7-49e0-9e65-d1bfbbaafdba,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dde3c4aa-fec3-4942-86cc-f1936bef4b5b,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76a27f4f-748f-4c60-8cb9-35347c609619,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3c5fc77-050a-4d98-afd6-092524892ce3,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5f0677d-76f9-4236-8acf-6503a8e78d07,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b74505e8-c488-4e84-a49b-668647dc2227,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,268314fb-d952-4588-8017-33d3941431f9,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe4304b2-9224-4d6b-8ff9-7e6fc51c572f,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,640213a3-0268-45d9-8cde-f21154514275,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f5f2976-f77c-46cd-9d1c-077e10192394,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be604139-3c8a-485f-8d1a-ecffcfb3f1e3,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,545bf92d-345d-4ae4-a5ea-ad6b90c3e111,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63a1d757-ea0b-4934-9407-e5296de626f8,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8507a31f-5702-46cc-b9e2-685148b3d665,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e64994-d639-4d25-9f19-3723cf8aa73d,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,635a35ae-dc0e-4e27-9cdb-2a00c40aa669,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9cf5ee5-b215-44e8-b115-bac73ae4f767,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6116cab0-f55b-477f-9c29-842a3a9794e2,"4/16/2021, 8:36:09.859 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,59c01f20-8461-4609-a495-5c4e540573ad,"4/16/2021, 8:36:09.859 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3232 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,35c8639c-47b7-4661-87fe-d1cf57907fe2,"4/16/2021, 8:36:09.859 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6364 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fbec0b0b-1bef-430e-9749-378b040e8936,"4/16/2021, 8:36:09.859 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0239a63e-0db5-48ac-b319-0fa4987a4fa6,"4/16/2021, 8:36:09.859 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,206d517a-4fcc-4833-a863-05201da9b7e0,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,184a4ede-2770-4b6a-895c-548c16bfe61b,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0519f006-226a-4170-8101-522ec95a8c8c,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6547a612-96d6-403d-8458-40a78df5d6a7,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73522d29-ef00-4d35-88fa-775e4ba561a3,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efff9f6-3272-4769-821a-c7f7f071ff0e,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43fe28c4-b6a1-4f90-868f-5130d2e7a132,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fab594f1-e0e8-478f-abfa-f2e57bb1cfc6,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3abf308-bb02-448a-997d-4343f4031a0c,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04bce355-b76d-4678-8b09-665ab07be822,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e98c029a-5070-4cf0-a149-c97be4962fe8,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d13c42a-f36d-4bfb-8b01-4ab75633c365,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8992d5-033d-45df-9196-7f6ab120d43d,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,821c86d5-f1c5-433a-a759-47205226f017,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1e4066d-64b3-4cad-aeda-5976b8bf591f,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2306a821-1874-495c-b9bc-9bf5ac6139d5,"4/16/2021, 8:34:04.098 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d8b4c3f-0e5b-4b73-accf-c560f7f7f801,"4/16/2021, 8:34:04.098 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7458826-4de7-4561-866f-dff2b7f2661e,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de451dec-ba45-44af-b3d3-398b83486d1e,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a888ee-f1aa-4f62-aec6-7a97019b9461,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a846e90-9ba9-4adb-826a-56c28c41514d,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87f4343a-2946-4c51-8d6e-3019117f1317,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,beee885d-28bf-40d0-80f8-be05069ea8b2,"4/16/2021, 8:34:04.098 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1512ad-96b4-41ad-b8c8-358d945ce61a,"4/16/2021, 8:34:04.098 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,48584d74-f2e2-4e2d-92fb-d51ed2755aff,"4/16/2021, 8:36:08.223 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,03beb00d-8069-4165-9fde-152f2d2a9d5c,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,43f4f1c7-6d2d-4b01-a15e-744b1eaa9780,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0d87f36d-cc6b-4536-9cee-8252593d1ee9,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,416e632e-8b72-4094-86ea-60369e34fa43,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key 
file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,656655dc-d141-4202-b934-9e292cbf1fe0,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,864beeee-27d6-4bc5-8dfb-fec8c87d79dd,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,942fe97c-be59-4b71-b00b-7da1699a15db,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0300a67f-2712-46e5-9979-7b3806560bd7,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6c125d4d-82cb-4544-864d-773c16d0e199,"4/16/2021, 8:36:08.223 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c1cafd37-2c40-4a02-8b7e-f0aa3a92991b,"4/16/2021, 8:36:08.223 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69fe1b35-9a65-48ac-a531-d268783ab77c,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7c6c4c5-31c9-4168-8e7d-c4379eeeaad4,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7c0de4d-dd7b-4434-8635-dabd5b8e16c6,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb9e2533-10c6-4a45-9ce4-c6fec0820d2b,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27301b49-71d6-46c4-9054-6fc5968edb0e,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0798616b-b53b-41e1-a2f1-234fc8dfaff5,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94e665ac-970a-4ded-97d1-41af2bdae4b3,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32840b9f-f0a4-42f2-a7c3-f15e9fbfcfd2,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cf4e664-03b8-4349-b67a-ca7d0a6ef986,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce2f27f0-111f-4758-ad8a-71476acda37e,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0781797-fc34-40d5-ae4a-e046fc70a436,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467f3259-1b8d-4edc-abb9-729495790e5f,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a58fa4cc-6a95-4b18-8fe5-c968ae5f251f,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eab56e62-daa1-47bd-a08d-ceb10fc3c66c,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e8bba17-afd1-4385-9d2a-c971abc2d2b4,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bcdee19-0397-4c90-8d1d-e7d1b9b40709,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb1c1a0-5f34-41bf-890d-329c4da97414,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa5868df-6137-46a2-8250-abf86a92a043,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32887f7-22a2-460a-96ef-ed08a10a460c,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85991afb-0810-4a03-a5e3-b04718115124,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,353113c7-19ee-404d-980c-eede07cc2f01,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf8d26b6-b907-40b1-9c2e-6a3dc9568a89,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76ec2ec3-421b-41ba-8754-3d19a6307162,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1a39c28-9657-4155-a3d0-a8d0e66bc2bb,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1d8a9c2-ba13-4e3f-a80b-af6f00c08450,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b8c5ae-11c8-49f9-bafb-7f888d072af0,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdedb27a-363a-487a-8fb2-cfc8c3844841,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae2a928e-0fbc-426d-87b0-4c81e637b3e1,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b95dfad-5706-4c41-a88a-d34493180294,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc2479af-c275-4a98-bcde-4e3599819335,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f85e31-67e5-4582-9a70-86490d110a65,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3199a2d1-3650-43a0-b817-e50a0080e757,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54d79d13-cb2c-47dc-8289-02ba1cc66f0b,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9515fa1c-1817-4b7a-861c-05ac06873af8,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a7564c9-1cd8-4b80-ab70-dafc992cc238,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b2545d9-5188-49c7-b031-f524cd3fff60,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,611aa449-b883-40b0-84be-684069cd77c1,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0cd6f68-a293-45f0-b017-f5d722ada322,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb1e4afc-0f3c-42d7-af7e-29018a1511c1,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,923faa66-aa6f-4b18-8ec2-f3c07ceef156,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75659247-0b7e-47f7-abfa-b44fcbe8e260,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a5bd75b-44f2-4055-9d76-d0c8efd45da2,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12a8752-6c3e-4e8d-9b0a-522f0d885132,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e55986aa-095c-4f6a-8941-4a191c008dbf,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25bc56b7-a40f-48b3-9b58-071c9b786225,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e89258f-9ddf-41ab-ad4c-4748e4131cff,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\COMERCIAL2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5558ce5-56fa-4133-8bfe-20ab760885e7,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5367a421-764d-4c1c-a393-54a45c2f40f4,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82870902-3fb4-48f5-9913-2c672f2d90b2,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdc192fc-1c5a-4536-8c7b-0960b03cf0e8,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37df4ae2-1a6f-401b-9620-e7e229cd6031,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33c4ff50-34a3-46a6-b109-ff66ec6b92b7,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11a9a84c-d7a9-45bb-aaee-9c01524acd27,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae14940d-1860-4c77-9b0d-4ae2c8aa0b6f,"4/16/2021, 8:37:03.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 
24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10908 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,84ab6b17-7381-48d0-bc08-87f85e4ed5e8,"4/16/2021, 8:37:03.597 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,a14ab693-5d0a-4086-8b35-c106d8a1b355,"4/16/2021, 8:37:03.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,91508fac-30ff-4b31-808c-5d492fa90f93,"4/16/2021, 8:37:03.597 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6d059c65-7fdb-40bf-a8b2-6bb9a1b24cd6,"4/16/2021, 8:37:42.854 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4320 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,42fde374-8ee0-4d03-b593-ae6dda4670f3,"4/16/2021, 8:37:42.854 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1162d75b-b128-4f2a-bcb2-a022e28b1160,"4/16/2021, 8:37:42.854 AM",,,,,,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcf0368e-82b2-447e-8d25-929acc90d4f7,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54ab8903-9fb6-4a5e-8e07-eeb1f29e6205,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ffe6ead-3c1a-4bad-bd16-b4fb384ca1a0,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9e66ada-2c00-40d6-9771-39332b32c698,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d74fd08e-fa6f-4f73-a44c-a99ea397ce6d,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,823d959d-f6ff-42d8-99bb-1c96e67fe553,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38f57a00-359c-4ff7-aafe-d4db70f1cb28,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e66480d-33df-4a0e-8a8b-be16e9e48527,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6b36287-afd0-4070-b6c7-43c5fc081518,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa8513b8-503c-4de0-9c8f-6bad0af2234f,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca38ed40-9386-4f45-8780-c63305adc807,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7941358-0ab3-4720-9074-344ed25bb06d,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dca910cb-5b5b-4162-ad67-6103391df3e2,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,629d8a28-48d8-4f35-a4bb-593b71adc80c,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1617dfc6-9dbb-4ea9-a72d-c8a040dbfb95,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,103a64b6-14dc-4965-8996-63fc060906f2,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8a1c788-cd2b-4dbc-8d10-a7f74f62c4af,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a142c05f-62e3-4ac4-bb94-b581afb33d80,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7861cd15-a58b-4c1d-aa4b-24d8f16efd4c,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\PC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa6da255-ba06-4e6c-ace0-6084aff92a4d,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dacffd3-dc70-4135-9cf5-0d098e839a2b,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f58cd5a-ca3d-428e-a6a7-b0c9c64ea524,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a4bfb66-af3f-4781-80e9-e62a3ac562c0,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec072d72-47a4-4653-aac9-c8ecc8bf5139,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15056 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,23378213-fc3c-4eff-afd7-bd036b32e6ed,"4/16/2021, 8:39:56.983 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2d87c3df-e0b7-4025-9f23-3f741ef9c3ad,"4/16/2021, 8:39:56.983 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,462ad33e-968e-43d4-85a8-eeb90d235040,"4/16/2021, 
8:36:16.410 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8089ce41-e5ee-4c7e-8582-0f155272840d,"4/16/2021, 8:36:16.410 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c5b550b-bcbe-410b-9d81-20cafe42785c,"4/16/2021, 8:36:16.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f53122d-d33d-42bb-b046-609ec2fd7c80,"4/16/2021, 8:36:16.410 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8006d6bd-ec6d-47dc-af45-1a115ccd9f3d,"4/16/2021, 8:36:16.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,faf0bcfc-ee29-412a-b1f5-55e6100899be,"4/16/2021, 8:36:16.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7900 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8d3251c9-e6d5-4f30-a3cf-e493b04f1ff5,"4/16/2021, 8:36:16.410 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e593b29-7b36-48b9-956c-cf682aae7509,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e943fbc-b5eb-4902-89a0-8d4538ce7923,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,449fe1b9-eab1-46cc-91b0-60ae9a8d8f9a,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,017f7a4c-793d-41d8-8fd5-29c262c32467,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f78608a4-d463-446f-a13d-ea633f0dc102,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30877498-7fb1-471d-acc7-3643a2fe6ca4,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ac3e715-26ce-44d7-9182-89f48fc4c841,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7308c62a-2acf-4c12-ae78-46d7027c0ec1,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df38f192-3f26-485d-bc79-5c85d44bb06a,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3dc30bb-3a6e-418e-b3f5-52eec3a558b1,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c8f1e3b-88c6-480c-b9f9-24312a48b4fb,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,292b4e52-4c1c-424e-a4f9-ea5dcfc87af0,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce789473-27a3-4c5f-91b3-e346bfd0a4ed,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0a75ee6-4ac3-4774-8ea8-c05cc4752683,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffe72f7b-f720-4b21-8f5b-c378258ae62a,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3fbe375-9841-416e-a9ac-abd3451ae2b4,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c82f1da0-2160-4f95-87ec-19735392c7d0,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b074231-639d-4f00-a86c-041003938154,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,001c85c5-b262-42c5-835c-0b3f2fdcec2e,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e11afd5-225c-4359-9877-c717d1a0c0a3,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e09e75fb-d1e4-4260-8dbf-c1a98f699081,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b49cd4a1-48a3-4e42-93ba-6102fbf54f14,"4/16/2021, 8:36:20.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bbc1b00-f7f5-420c-ad07-298c3720352d,"4/16/2021, 8:36:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4d453ed-0264-4bcd-b38f-43b2c66c50af,"4/16/2021, 8:36:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7a03279-b577-4354-a8ba-cd9043271634,"4/16/2021, 8:36:20.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b1f7f6-4151-4922-b6e0-7b388f82476f,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2817e93e-1c75-4a4c-a0d3-c7ae3ce0aaab,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec24c50-9b1b-46ca-9ad6-ba0dae245806,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb742eee-a738-4919-b50a-fb355dacdbdc,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,451069f1-5030-4454-ac2c-8cd0a32b0e3e,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d980be-1005-433c-90c4-eca6caabe053,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3af1af40-54d5-4628-bc81-ef576932ac18,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d208f07-864b-4768-9182-6ea11fe4dd83,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37d2d314-754a-4f80-8526-be8e1d4bff5c,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec2b0de6-6ebd-4d02-b89c-9ea7a436003c,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7957c2a9-0d8a-4177-9d35-2bd8c92fd378,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85ff60c5-8c34-4190-b514-72aaa370a602,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79b92ff5-abe5-428c-8fda-1ce613ed4961,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff4e5e2c-59ea-4e72-a209-5e7289424b5c,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c09dc57-04dc-40be-a87a-cb128a2b6e2e,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0088ab-c7f9-4e4a-b9ef-db38dc013562,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aa219a5-0aff-404d-abe4-2b376e40bf58,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,798db391-d9cc-46ec-af21-0a1863a91bb0,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db2a2061-4dc2-4b7e-902d-9abfeb923703,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3d19ad6-841c-4bd9-9811-d815cbaf83fe,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e783a6bf-5048-44b8-adc9-989dbc6ddd15,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efd4272-44c1-4a99-a29d-1476ad905082,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,4dacae56-43fc-46d4-926a-81566ff95108,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10744 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed 
to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,28671c86-3081-4fe4-8cda-9a0c0da7249e,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2d5b3c8c-dc53-4e64-8d47-a74c4ccb0d09,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a979aaae-decc-48ca-8d16-bdda24744843,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 112 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,32b52dbd-1276-4b08-aa5b-84a17c98893c,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,470a2b1d-1f66-43d9-b058-fcc0ebeed2d3,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6972 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,451bbbda-3be1-4006-89dd-5c9b5dbb08e6,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd1d7e5c-3fa6-4023-adf5-0b9fcc3793c7,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,00a9caca-b8d7-4f1c-a70d-ca94ac1251b4,"4/16/2021, 8:36:26.516 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a0db6bd-cae9-41f4-acbb-23ac0f6c6505,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2cb970d-55f8-4c94-8c46-3967507f97b5,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9618bcd-27d1-4645-b7de-f6c6a94f4a01,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34497709-0752-4b92-b2e5-b4bf13841192,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22b51763-de37-4265-880f-b2b62635f1cb,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,161b6514-f50e-4299-b9cc-2c188bfff8f2,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be7badd3-22a7-4a35-bc32-119c242d098c,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a296876e-ee1c-456a-8b81-e24db677d64c,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5de793ba-f5d1-41e6-a2af-e5bb36abfe74,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2933a01d-a875-4d08-b197-e836df3403b1,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\SOGGYLETTUCE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17b5e589-5f1e-4282-a002-96eb673e19d3,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b44b5e-c5f0-45d4-b861-ffc0ae5d99d7,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f790f7f7-e4e0-4f8d-b513-a2d4896c0ae1,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6114c0ba-33d4-40a5-a9f1-29753472460d,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7a8db22-e299-4651-887c-ebaa90751959,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a8bb7ab-af90-4bb5-87ed-ba271a116086,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6bc9b6e-a8da-4767-a2dc-24edbf76a4b3,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3789e2b0-4deb-4119-afca-b2fa0a294348,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea7e620-ddae-47a0-a8b3-880d2d892bf4,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3602efa7-a277-4385-8035-0ae74e7bdf32,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2bf5663-6ed3-4655-a7bf-a590e8497790,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9526918-089e-48a8-a2ce-a712da0cd840,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9b3e9ea-975a-4c38-b94d-f61663985720,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0818fd8-66ba-4509-9db4-88a315cc2d3a,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2cd015-e967-41b9-8088-675a64b70676,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af5e788-b5d3-4d15-a677-f023e192e183,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c279e615-33a3-466e-8390-f3b5af651b1a,"4/16/2021, 
8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae39603b-e772-4f6c-9c70-aaad8bcbff0a,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,988a616f-8c8c-4c3a-aeaa-d59e3e02ca14,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d297cb68-7a98-4ea1-b47e-8cb954d5644b,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2fe391e-4fdd-43b4-ad5a-91bf1772829d,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ca1526c-ce06-415c-a687-074ccef2ad31,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89bc71ff-d622-41d1-bf9f-1578bf926946,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03068394-6b3c-43ea-8baf-60736dc4da0b,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d32b085-5447-47ed-81b9-fcfceec49a1c,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, 
+,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,1950e702-ee37-4559-b916-b2c12f8252aa,"4/16/2021, 8:36:33.099 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43caf3e3-42f9-406f-bab0-d69be2804223,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e9db8fb-0575-4e26-b084-8f401a6290ed,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fca889a-2c89-4dbb-809c-d74349a6566b,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d18ca138-9f2d-42c2-8550-ff9620a4ac20,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d30124c4-180e-4f35-ba0c-4a12d3f67104,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc3392c8-0ded-4024-832e-dc74d84f82dc,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2246d22c-a3b6-47a2-838b-a8dceacb49e1,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fdd552a-1a9c-4844-a15f-a6299bb7e3e8,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2bcb111-4af5-4f4a-9c74-bec4c66b66d9,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7b7b331-defe-4ea0-a636-15dcf217a7fa,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae6a4ec9-f631-47e9-be62-8ae9d691f8ca,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9194619c-77ae-4e6f-9f40-59e365bc67d1,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54ba32af-785e-4693-a517-821b45046393,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,830b9f9e-c372-4355-9544-deaed4267c81,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d940546f-617c-4350-a6b6-2ebcc7926a94,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a8f3a4e-f65f-4c1b-8ec0-e7f7110a6060,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6238cd5-858d-45c6-bf72-72f3d759179f,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b090b0f-3e33-4cc6-b329-f8520c511c44,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9c4a47a-54ba-40c6-88cd-f6eb8b6fa66d,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b238c47d-08e0-4e71-9613-4a70ec36c63c,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f14ad4e-940e-44ab-a6d9-0f52f7213b1c,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b60a1005-8e17-44ea-9c57-933e3fe28348,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42fc93c8-68c3-4964-a78c-3af8e5b51558,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fc65150-7023-4ddb-823f-e4546ee82de9,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eea02f54-1c2f-439e-863d-2ffb16db6510,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad4beaf9-33be-4813-be28-b0730bac75b5,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7de73f72-f1bd-4490-bd39-5fdda58eddd8,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c36695ef-03a9-488e-b2bd-dfc380090aa6,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,793c696b-ab9d-49f5-ab74-4099d994dede,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cefa2b9-670f-42b6-a4c0-0db30eda5f7a,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\OVX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68e1c3e2-f3ed-43a9-b3a6-7c8f4a6b8b18,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa1b5a12-eeb6-4424-a060-ca7be992af95,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,d984ae20-cf81-46d8-a88d-622f90783a07,"4/16/2021, 8:36:44.852 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,43c325c4-09cd-4306-8485-e424d646460d,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ed7d0f4-2810-4476-b8ec-586ae0e06b77,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c326b6-0849-41b1-9a79-83c4b496d699,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,593997bd-5600-4ddc-a7fb-e91c4f2e5b58,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,93923116-9647-49b2-9733-02c368d1bec8,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8408f09-81a7-4611-97ad-8d2b8bb8098b,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d4c9c29-619f-4103-9d75-e4699409b54d,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,38db587a-11f0-48bb-894a-0cfc9115f2e0,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f27b9791-5306-48f7-a4b3-56ff0c8d2786,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0848532-552c-45a9-89a8-894134acaf06,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read 
(ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f19b5f26-2ad8-4c1d-85b8-6bf32cc15d77,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8302f00e-0af6-462a-93a6-e8a1d0af07a1,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0dfe51a-5d6c-4781-9e6f-b97af34f12e9,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,964e1b60-00f9-489c-9d92-b8239add8528,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3c565d1-9e2a-4638-bc3a-d920d8380f09,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c8400c5-c592-46ee-ba07-1ad0a78ff83a,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,155b362d-4b0a-46da-a994-e93bc278278f,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2b7dc7d-c0f0-499a-9e20-f1112ecf2ce9,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c562c266-3ae0-40ed-b128-e65d95ba888b,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c2051f-6ba0-4f88-85e5-8574a0434a51,"4/16/2021, 
8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e778bedd-9869-40ec-b71f-0fefed8f6f9b,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db2b931-9c69-4cea-9856-4724233d4133,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59dfee0-5d83-4b63-b1f7-d76f59462f26,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e51aa596-8d28-45eb-89a1-d3d03ce07f07,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9c2e761-b144-41bf-a5e7-cbc62b99f765,"4/16/2021, 8:36:41.249 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff093687-d4ff-450d-af39-11f82baa2892,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc9d04ab-d55c-400d-a4ea-3c2d023b19e1,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9096c3fc-88bd-461f-94aa-3d0d08ff3fc8,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9fb2cd3-ce3c-44c6-a139-4fa8a69e7a7c,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b707b89-9c56-4302-8272-993c149aab6c,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 
24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8436 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf30c22-a851-42ce-9a7b-374e987530df,"4/16/2021, 8:36:41.249 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cad315e9-7340-47dd-b946-eb4c0db6b96d,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,782ee1cc-9781-4a37-a3b2-72a80986f05f,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73c8779e-97fc-4fa9-ac8c-94c838ce6487,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fe1f08c2-55cb-426a-8fff-a4fa16bc49a2,"4/16/2021, 8:36:46.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b4b47e9e-3086-4e9d-9a1f-12b7712823a0,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 
48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3924 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,741aae81-324b-4d68-9f35-c19693031dab,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5252 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4c329311-cef9-48e6-9da8-f0d694992b25,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5900 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,27cb31c1-7f62-42e3-9b53-e3765bbf7342,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,279077d5-2c47-4b9b-a574-724432e595bf,"4/16/2021, 8:36:46.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c3c63d73-adb6-476e-8820-863f9e224e6c,"4/16/2021, 8:36:46.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c7c128cd-71b0-431d-8bfa-1e12e1ad7552,"4/16/2021, 8:36:46.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0aa46053-e653-4e03-8997-e9ab5fca439a,"4/16/2021, 8:36:46.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ae4bfafa-efb7-4bde-b821-956b472a4d12,"4/16/2021, 8:36:46.745 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 
0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3219ddc2-8357-40af-874d-080e3323e2b5,"4/16/2021, 8:36:48.410 AM",,,,,,, +\OVX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b07e9956-e133-42e8-8be3-e0816834c27d,"4/16/2021, 8:36:48.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,64ee7666-d786-43b7-a514-6a92122c21ef,"4/16/2021, 8:36:48.410 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d0e83285-0dd7-4844-b3da-9c92b9a837a2,"4/16/2021, 8:36:48.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1c9a449-aa61-42db-82cb-e91316452b10,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e53ecb-050e-47cc-b78b-ab950e30154c,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a03382a-a6d3-4e2f-a78e-04bf8e297bc4,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb2c9e6-cee7-48ee-8fcd-84e83c68f227,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0633510-bfc9-4ea1-b83c-5543d54c5591,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89a3b204-14c7-4b60-9a1f-ba0a91f6c630,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8597cc3a-478a-417f-81b6-2beec9c13ad9,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbae8df6-c184-4c20-9486-c103408cb9d5,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,455be424-6c38-4fc2-80a3-bea9d8c52d10,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd767bc7-fb35-4e5f-9430-6db84ef2c90a,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6ac757-3f16-4e3d-9a46-e8bd084e151c,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed7f26f3-dc17-4fea-9bd0-e389f29739a7,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d66fc3-8cb7-4c13-8d53-6b77dd915d80,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a27e08-df73-4edf-b551-b3fe80e7c274,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15095765-cb93-4c1f-ac29-dde7d2ea1cfc,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fc2856-bcf9-4a71-b990-7ab3a289c82b,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30a8bae8-10c6-4c76-973c-001729a762a8,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35171675-ac38-4f69-8110-c0cfd4804ac4,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54749b25-96b3-4698-b370-ed4ecfd3e4be,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88f6b819-fd2f-4f45-b4fd-b2c0e7a908b3,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033d15d8-62c5-47e2-be5b-05eaee996908,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0cf50e-bec1-4a33-8749-4298064bfcc8,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14515235-0176-4645-a8bd-73ab3e3f3325,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,326d38ca-0ea4-4b46-83b5-008c8b69dfec,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32500cea-8bb5-411c-9278-c89e88a9809f,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af8b6152-62ce-4cef-a08c-d116f56e073b,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9e080b7-6703-4a9e-b2ed-8f2d6a1a2642,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,270c0c5e-b8fa-459c-a780-4001b0f91677,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dec5e994-0551-4141-befb-6af5fffaa005,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1caca1-2492-47b1-a111-366b0f7db677,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79042d74-82d5-4c21-bc35-71a498947ac2,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,088340eb-b7fa-40b1-9971-21ff39be6b68,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06f00ad8-6762-4bf4-8d60-8ac28c269aa4,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f8e1a9-5d0c-4c4f-984a-a4a84148b395,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58a73313-3b02-4c1a-9b33-575ab13494a3,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6e43b20-5466-44c3-9b15-09af1dfd7d97,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d375aa-afa4-40df-8756-37b9bb81b98a,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a4ab77e-a0e6-4b34-b250-4e68aabfb842,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fef88503-5be8-4361-b3f5-85f9702af609,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39cc9311-b692-4db1-9475-43fcc22bd150,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2bcded-f3f2-495b-a01c-69eb68ee30a8,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec4dca90-ade2-4905-9d85-199a41ab7c1d,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6ced7ab-570a-4b17-86d8-ffd9a64ec9ac,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5805fd7-2f28-4972-ba11-e6b7e456066d,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48fab024-a38f-4caf-9b12-9959d12cb8ae,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\REMOTE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c1dad72-4255-4b34-8905-e816a2835f98,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,831da82c-9a84-4d1a-9ab9-b298899e71f8,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a106e123-db0a-41a5-b2c2-b795335c5e41,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,18f2bc07-9be9-4c2f-a02b-e2b3369a9124,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7cac1db1-1c79-49dc-aa4f-1d25cdca5da3,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3cae2d50-28f8-4c61-b29e-702d436dffb1,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26eb7a22-d934-4e79-909d-0256efe69ef0,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,54179f9e-4715-4255-afb6-d67fe2146485,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5bb0956c-d0d1-43be-a74f-e0fbd7c66e2d,"4/16/2021, 8:36:43.121 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,845c1620-c248-4305-b111-e867fec1b528,"4/16/2021, 8:36:43.121 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,c20f2222-f53a-4adb-97af-fbc07c13b469,"4/16/2021, 8:36:43.121 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b3f5a87-bc3f-4143-a25d-d8a3637d79d1,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8032f47c-73f0-424f-94e1-6d317f725c5d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4944c760-d3af-4720-9987-d6f3b1775631,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9eeaf24-e34d-46da-a7b0-e087955161bb,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef81b529-2fe5-440d-b81b-129e2726ee47,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3e8d079-f59e-4a11-b719-61c5ca9c8b4c,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,648b3bef-ddfc-47ca-8216-fc168238162b,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,faa43309-085b-4ec1-97b8-4c911a957516,"4/16/2021, 
8:36:49.575 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a59ea91e-d363-469c-a2b1-d559d84b1c33,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d2143b2-9a9c-4158-b686-67210b748b57,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2ea3e28-76aa-4660-92a7-f9da74edb4f4,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e42f6509-c8db-42a9-b220-babbfcff2a2a,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a88a01d5-a0d9-4cbf-974b-65d887958d9d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc090c97-9549-410e-9423-eda02f00ae10,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42a5c501-19a7-4cc6-b9b1-bbbc1df3d9c5,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc58554-5be9-4f4e-bad5-6ec7782fd106,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d1ca55e-7afb-4537-a0b3-90a0a68c389e,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8793bb0-82b6-4092-9353-71500d60122d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb80baf5-349f-49be-b353-bea307901bf9,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41e72b97-8dc6-4959-93cd-d97268e9dc07,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70edafcb-1c9d-4491-a569-c8e53da75fb3,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e30499a1-acd0-406d-b080-58741246b81d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7dc7aa9-9503-4a46-8fad-027c8f9630e1,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ffa900c-17af-48f2-8e78-cacf912c9949,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15eb9f3f-ca31-44d7-9ba2-179ad5db4519,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa21f8d-eb7b-4aa0-81ad-0ba4ddb146be,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\CONNIE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb79c0e5-4aed-4532-90e5-3035c2c8f8d1,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2442580-5425-49a4-9af5-62518b8b5500,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a84b2a-b47f-41c7-af59-c28ef487e3a4,"4/16/2021, 8:36:57.097 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,637beaf1-c3b1-4f8d-b6b9-23f2115e8e2a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d29742b-c70e-4c9b-a1d0-b85ad479ee4a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6000 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED 
THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b127ae1e-ab34-446b-8bfc-6e50c12d18b1,"4/16/2021, 8:36:57.097 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98247a58-ba42-4415-9a47-fe55f870b38a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\DAN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9daeab7b-fb37-422c-848b-3604c1030bb4,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,576db32e-7b71-4d27-9754-e5dd6faa8338,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77f2eba4-3249-4640-922d-54c819f0bf3b,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c690194-20f9-4262-8303-7ee7bfd29a79,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c6bfd9f-0635-4217-a038-186ecccecf6a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97070f92-de02-4fef-949f-7e707e9b73ee,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7da358bc-ea6c-4a43-9220-b70468445ea6,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,443ae713-2d59-4b2d-89c9-e921cd45e688,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60b20829-5116-4b69-a2ce-5f1c97dae5c4,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,664ce931-d5e4-48ab-99a4-38f49c86a908,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6379422e-66b5-4ad0-91f5-c146bd8772ce,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b7f00c-856e-448f-a3ba-87b341d6252c,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d1871b-7838-4dba-a306-5a515d98028c,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13576 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d529391b-d35d-4cd9-ae77-898df157a712,"4/16/2021, 8:36:56.975 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1296 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7d878f68-e662-4463-9386-12a343eca2c1,"4/16/2021, 8:36:56.975 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc893774-c46a-4047-b1a2-5166142e7947,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31540f42-e54a-419c-b33e-c13a58b10090,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9d376a6-45e2-40f5-9300-c8569744391d,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bdebc09-8186-49c7-8c5b-db4287171a94,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d4e7d78-f2ef-4c81-8b83-7552fbc674e6,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f171114-081c-4676-9ddf-b2143fc8beed,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a39dd9-beba-4ab8-b82f-1b77d8ffbd37,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,785636dd-5074-4540-bfb1-4c282e6dca2b,"4/16/2021, 8:37:02.701 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46ce95d8-75f1-4a57-b98e-e5495942964c,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66336378-abae-4b27-b5a1-9eed45d660c3,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c918d800-19a1-4666-a6fe-0ff726c0a4fe,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7982ffd9-7350-42cd-b1ed-16667a05df9c,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1823fab-9262-41a9-a619-e579dcfcd4b3,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6db9c598-7b80-4d51-980d-a85f38fbe621,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25c42b0e-578c-4df4-9d92-980b9e4e1e3e,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,646d7fdc-5c9b-44be-9233-557355c8e575,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fefc5cbe-a7b7-468c-94b5-02c3cab2f651,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c995661-72dd-45a2-9b8c-6b935a19de56,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b6bdd5a-f9d5-48d3-95bc-c4da2ac83409,"4/16/2021, 
8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc294a1b-70d7-4aac-a281-db8e34a6f6ae,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,151dfa94-1996-4634-8dfa-870331620c94,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d79c7ec-de9b-4cd5-bc3e-7eedf960c625,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e16997b7-c84c-43e2-9299-c79f067fd285,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac9ba2e5-aec6-4749-ae19-24f2530e8dd8,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9624789-c37c-4fd1-8543-4b8efd25358e,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aa387e3-9745-4a53-8517-1c5d006dc57b,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e43ef6-202c-4b2a-bfe6-0e8a85859c82,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24361054-433e-44f9-a112-a977520879c9,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d468a3e-f39d-4444-a5eb-80b90a47e699,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c9f296b-82a2-46a4-b774-7a109c79a223,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17b41e5e-2cbb-489e-a758-014e9aa57068,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad147591-66a4-4886-913e-29b4c0181361,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63b48e1d-69bd-4888-b148-820f3004b131,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87e06502-355a-4087-9769-3de7455f7c23,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc3463e-9eac-420c-ab58-5608901f31e1,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,980a158d-70f4-4378-9768-3f42ac1012f9,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deb2eef1-6cd6-469d-b7f4-12bdabbc65ce,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7516631-a666-481e-b807-fd3be2cd8c0d,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,886961b5-4a9e-4602-91c3-b3f60cb9e914,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d6b09d8-979c-472e-aa6a-c975b271610f,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac41e7f3-13fa-45e0-8476-1452e0f6b5c4,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62e31c6e-1573-4d0f-bc98-e65148e998d7,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb875f4e-872d-42c2-99c0-38ea033d2fdf,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2919479-c9c6-4570-8f7d-fb9475236495,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4294e665-4f8a-4305-9f0d-012fb012d3c2,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbed74ee-fabd-4428-a20c-7cf09ba35595,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc550054-bf02-47b1-9a00-5d1471c4f4a0,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac0fb68e-d836-4671-bd69-81da4f766eee,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,391779c4-a68d-4eca-9ac5-d36f6942db96,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74c5bd3-f7e3-4605-b039-45e3d1e31eca,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6776 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 
32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95797103-e6f0-4857-9b14-1547e73a4915,"4/16/2021, 8:37:10.082 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dbfc337f-75c9-4d64-9c3c-48077b4610ec,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-503 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,92271cd4-603b-47a1-a53e-17db392559c7,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-501 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9e8a981f-6e59-469b-b07f-09900de60aa1,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-504 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 
+ 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,360c15cc-9652-4508-ad00-740c9ef23d6e,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f2c15544-9147-4aff-b31e-6a06549fefed,"4/16/2021, 8:37:09.940 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ae05ebeb-c478-4c77-abcc-07d077a56664,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3916 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3676da6b-3747-4252-acef-020bd1465723,"4/16/2021, 8:37:09.860 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7c6f6254-4ad5-4154-824c-a11912abbc60,"4/16/2021, 8:37:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,132088c6-7085-48d9-b413-1bad697ebb46,"4/16/2021, 8:37:09.860 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1d540ed-f45c-42fc-a9ee-7112282a2efd,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3272 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a4ac7db1-1f7f-420e-8ab3-fcd86d0635db,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1180 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 
7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9ee31a2a-a06f-428c-a419-e15a67b0399c,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cda6f5bf-8a68-4fee-b946-a0bf32dd7fda,"4/16/2021, 8:37:09.860 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,de6d357d-0505-4c48-a27f-9ad8a89de5f8,"4/16/2021, 8:37:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,49ef6603-90d7-4254-95b1-30132f3b5f80,"4/16/2021, 8:37:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eb1fcb76-9e47-44ba-9325-ae2bd1911e2d,"4/16/2021, 8:37:09.860 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f236dfee-53fa-4b67-a532-00a022fe3afa,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17124e3e-718c-4aa4-9f7c-190fbbf0d891,"4/16/2021, 8:37:12.100 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb536d7d-a6c1-441d-b5a8-d72d52a016a9,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17fafb29-d15b-404c-8d54-31bbbb268008,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16d8bf69-a3cf-4a38-8706-aff38109649f,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e9cdece-3cbd-4590-b972-50a645fb5ede,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8314b8af-2d70-417e-af08-1fca710ff06a,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29a5005b-d482-459d-a851-249e2cfcc1b3,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626f021c-a386-41de-89bf-502958f16661,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96a59835-889c-4881-adfc-231b0a6c2600,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efbb73f9-754f-4844-933d-a876dfed2150,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21789484-caf0-4414-aa37-fb7b6dd7251a,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b52f8bd0-2d57-4074-806e-d36358cd4bae,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cd44132-f418-47a9-a23e-f1de8c9e5c2a,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53a8871a-d918-4acc-9e43-33e80e5c12eb,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c55c61fd-5018-4eb3-a59b-0e5adf506a89,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab928024-30d0-4735-8eae-606e057ce44d,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a72ef4fa-a764-4a56-8fcb-8035bc6f526d,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5c3e95e-e420-4df9-a737-fdf0490600ee,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57da4013-388f-4d2b-a0c5-41b85b5b4b9d,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a2a203-22fa-47d6-aa9c-2b0168ee1016,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53003ed2-436f-4a95-9bd6-9768e7521936,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28ab3ba8-e00d-4e88-8f4b-b4e5cc7a8c5e,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8f29ba7-bff6-4717-8889-baba24863413,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4941ed75-b312-4093-8964-9742edbcbe81,"4/16/2021, 8:37:13.590 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0894d3b2-0ed0-4db7-bd8d-9244b07eddd2,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a116e2f6-8743-4d2a-87ce-c6fb95254303,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd3348f4-e2b8-4251-9358-420390f6bec9,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\6,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8bf808d-6b86-464e-b85f-d77abe76c19e,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36fa8515-0354-4a02-9726-a995587f8b64,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f2d86d5-12be-4c69-b785-56e840308a7b,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c1684b6-0548-429f-bbc8-4e43e4195288,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56b3fe00-22a9-46d6-b6ca-cedab059c53a,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b34ac047-d527-4c34-8682-83a267b74dd1,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ff19e28-ebc1-4c3a-af29-a2da55f1a0c7,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf47dd6a-3c05-470b-a3bb-da7ab625ea08,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f5d9b4d-8467-40b6-903a-defb8ef315d8,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9ee989a-c586-4a1e-b2bb-dfa00863cc23,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,910b4236-8666-4e0e-99ee-061fef0657a4,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9a8664-264a-4b9a-b411-e6de5e326de5,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,509eebe2-95ee-4b89-ab6a-95e2b1778eb2,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b676b885-a130-4d68-894d-2d51c947e587,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b34c13e-3461-4061-b4da-9d856aad09c1,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c66b90f-7c4c-46df-b41f-29447bce7a43,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddfe6d43-6498-45c5-b9ab-8a60e2e7ef47,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8aa6b515-3499-4b02-9658-d70dee1eb7b5,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8a8a2f99-fbd3-4e68-9a04-bad40d4e52e2,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f462c7d3-d302-4c5b-aede-56d17c482150,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,4929572f-8e64-4cd8-8fca-a9b315e70826,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b5616576-8095-4c48-bf85-d964b1a2ded7,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,83e3d786-3574-49ee-a0f8-313920a7a6cf,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77abd37b-c635-462d-953f-875685147211,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c21669e-90a3-479a-8436-cf4d6d7d887f,"4/16/2021, 8:37:16.045 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98fa86cb-2be8-4da2-a471-562afbd05a2b,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,69af99a4-5e28-426e-88dc-7f058b7a2d8f,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b3c7261c-fe26-461a-99a3-8c8064a9321f,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b14b3ed2-57da-47df-bee0-4e3a1bdf1da5,"4/16/2021, 8:37:16.045 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bccb87f4-e82a-4e94-a6c2-cb219172b428,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db0542e7-c6d8-45a1-9b89-cda85d5e7399,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dcbd102-c898-46f8-a2d1-6c69e9833ae6,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a496cbed-604f-458d-8ef5-0f2787da41a1,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f3318d-0a8d-45e9-834f-3e1849938b76,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,188be28b-e21a-4b9a-bb7d-189dcefbbb66,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f85432e9-f34e-439e-a0f0-021741a6b395,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa6f1801-b3e7-454c-b978-d54d1530cfb9,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bd9ce77-cc09-4059-aece-d55dab0db04c,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99050588-ff62-4154-b895-b0ee86fb6e40,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14f18600-d1b2-4939-8e53-c3dec78917f4,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,314b003a-1a8f-4fa7-8f43-be9bff3acbc5,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb80d1d5-46d6-4bc8-b9f0-eaefdc0393bb,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8a29deb-31e8-4f06-8795-8178fa8c960a,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aff78523-83d4-4531-a419-8dcc53f9e33d,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e229da40-bcd4-453f-9ad3-d1cadba91533,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd65aa8-bfc6-4268-9910-38d21d790590,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae127e1-0840-40f6-aca3-c17474d96dd4,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bf1afaf-6379-43ae-9078-4dd94c091d28,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f6c011-c3f4-46cb-832d-1ef6d138169d,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15f1895d-0f42-40ab-9fa1-b1dfb6e8d0b7,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1856bc-61f4-40a4-8714-93e296e7668b,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72ec8c70-12f0-45ef-8b08-5a249d5cca2d,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6e96c1b-3b09-485c-9d4c-d4e3afbb9466,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96e131b3-db12-40b3-be7c-c395a99e248f,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\MAIRIE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bea5fc7-d110-4a25-b918-b7c6d9332237,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6027b85-9fa7-4d93-b6de-362fc3e338ff,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82e2fc23-28e6-4e8a-b76c-54e6b6331f80,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,588c89a5-f296-42f0-87a2-b4cd6bfc6248,"4/16/2021, 8:37:24.097 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ff09c4e-6096-4edb-9a0c-aa9fdba92c91,"4/16/2021, 8:37:24.097 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a6a7b05-1543-49e7-bf9a-4c5e41eee10a,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aa73913-4b76-418d-97f7-5cb9f439a6c3,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2797e28e-15c6-4fe0-97ac-2cb5037a3af2,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6036 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,33f6977d-fbb6-4f60-8dfc-3a241ac9a9fc,"4/16/2021, 8:37:24.097 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2c0c6b2-9790-43e4-842e-81a36f58f053,"4/16/2021, 8:37:24.097 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c49f3be4-b337-4bf2-bed8-bf8fe1aeb981,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,674017b6-7040-4081-a66d-6b252a45b018,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d456242-9981-44e0-839b-6b782bd43a3b,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74053bbe-ad74-4ad0-bfb7-01b172909581,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ce1fe3d-950b-43eb-a6f0-f0fd3f32e395,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73f8e029-c020-4721-9e96-736ea9bc5198,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2122f113-859a-447e-a060-347418a599a6,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c3f42a8-7f65-47d8-8313-684ac8558121,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcaa455c-034c-4701-b8c9-e5ec01c574b7,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1916f186-e8b7-42e7-9b32-e85856d7f659,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972d6629-c92e-4de3-af89-4fc8d0271ded,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a03a19-88b0-45de-ab88-b4e50dbc9591,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,165d360f-1924-4da7-bad1-1b449b5ee2ee,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\WGONZALEZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,394ff904-e6d3-4e26-bb8f-96ad0bab5acc,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,067b83ce-6eb5-4e96-90df-445b9253935e,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5991859-5f31-46c8-9c54-87b2dd58e6ac,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48a67e74-26ad-4242-b11f-652fb2a4084d,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e51089e3-70cd-410c-9fd3-1a977d847c85,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8de7251d-15bf-438f-8ab9-856c1375e6ad,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e04245e-2509-4758-9cbf-84d421acd3bf,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31c4ca65-81d9-4121-ac0c-69ed25932c95,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6b401f2-fe2a-4c1b-af3d-138d02fc2fac,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7852f8ce-533e-4e72-a68c-9fb5f0210491,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e45c145e-8715-43ff-877e-1744d23a280f,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b16055b5-8b0f-4fae-aa35-8819e905ec30,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca428e52-0d79-4427-b044-6d7473c75bfc,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f34bb38-2e3f-40ff-a22e-e6c3b4ddf566,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcdf0e1f-bd82-4197-98fd-3a2f903d7574,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,227298fc-77bb-419b-a6b2-836376eda83f,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96b1065d-1ae8-457c-8135-ea7ac5e94fc6,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,848c13d9-935b-4f38-a7a0-0a3d3355be37,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9e021b4-350e-4101-89f7-431111c1c73f,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e9c5de1-1bb2-49b0-8747-146b72766b15,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ff9f7c0-29e0-4438-ae81-45fd71886f98,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c96163d2-d103-48da-843d-35e53b22ddef,"4/16/2021, 
8:37:23.583 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06668853-8c48-4406-af7c-1d7f11ac154e,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2665d469-5a27-476f-9230-e4d0b671890a,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6d59c11b-eb7e-4d7a-9e6a-1179b0f05242,"4/16/2021, 8:37:24.417 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e52c37f2-1eb6-483e-a54b-dddde4fd10fa,"4/16/2021, 8:37:24.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new 
process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,61e22481-d061-4991-9603-871bb5360426,"4/16/2021, 8:37:24.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a58dea41-f327-40a3-87ab-97213fb8a109,"4/16/2021, 8:37:24.417 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,34d5d9fb-9e77-4d16-80f3-38463d5b7f9a,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8ab72690-aeb1-4cf9-b82a-1423394e498f,"4/16/2021, 8:37:24.417 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e65733b4-3ff2-46a6-af1d-51d284c83e46,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7f14708-22b0-408f-820e-264b9a3de01a,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c0e495-0873-4032-a42c-2071d9bc2452,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,505df65f-80b7-42b4-80d6-368b176009fd,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39a3c415-de08-4716-b7c1-45974d2d54e9,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4317ddc0-2305-4bb5-a92b-b226517a013d,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62185d14-c9b2-46f4-998f-414e5b07ea00,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7afc7a2-2c41-493a-a037-4840e6740023,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3467d71-6a1e-4285-bd17-c141f8db0f2b,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12672ff-da1a-42e6-839f-035484f91466,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22b348c9-177b-4f6d-bb44-1e97c412e40e,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c5b9cac-fd2b-4ebe-b213-2f1c2769e749,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75a86fec-99f6-46aa-85bd-5b6968c1593e,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7656c16a-f19b-4119-a35e-998bbe06e385,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,772e5f5c-38f9-4018-962e-e8361c29dd6d,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7467bc5-551f-415f-b8a3-9fa66dc3d7f2,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08119220-ba04-4269-a874-e6f62d3724c9,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e20c5ed5-3d14-4907-a9d4-9363add6b7e2,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,108b72d2-bcbd-44b3-84ab-38ca4a7a4b14,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96d7f61-5499-4446-b7a3-cd126e42ab0e,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce6ab8bc-c104-4984-9804-6c4c98834f69,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b95fdeb9-180d-4ee9-b3a8-d6ce49895da1,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,67ae959a-12d6-4511-a31e-b24a72df40cc,"4/16/2021, 8:37:32.097 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,228e668d-c14c-4fcf-80d0-c1361d4f7541,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a639f7-c95d-4751-85ab-0de5ac6730c2,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52cdaaa3-a940-49c4-9536-dee21da5dc11,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e4b5d1f-0d25-4d1c-b3bb-615c607d962e,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e1186eb-56a2-4468-867a-a70d4727fea0,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abdce2c9-d13e-4c69-9e75-320296ea58a8,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab625ca0-fc3b-445d-9896-5a4b8ec98453,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8a3e848-46fe-4021-a8e9-fd414c0b5f2a,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8a6f0ed-d142-47e3-8a5d-9d7c2dce6e67,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80b2b43f-0a69-41ad-a5cb-adc2eca9e4e7,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48eff91e-662f-41a2-b8e4-59fad9dc246f,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc1c93cf-53ee-4462-91d1-16bd25f796e3,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05ed3177-b5bb-4778-a708-eb893b79fe35,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9f5ff83-f9b0-4114-875b-361fd1a750b4,"4/16/2021, 
8:37:35.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d0acb50-5c04-4216-9cbb-bfae1c3e208a,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7ebc3b5-a0e7-4c02-a6af-efc41151bec2,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef76250c-8134-4a9c-b76a-fceeed2f356b,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2059131-ab4e-40e1-87d7-66f40fe6255e,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f98d4eb-7dda-4080-85e5-b36e31b64499,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea200909-d194-4170-9432-22f279eb2ab7,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54b57857-ce3b-42f0-8f70-f199b2c97863,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9374e7b-4c37-47be-8de0-91dda6ac59b2,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,980ea27c-c27e-4475-8398-14781657aa5c,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fff170df-8e3f-4f34-8d2a-0248cd0d89f6,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ca6e47d-27da-4773-b4c4-a5fa0ce375c0,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a459c36-0480-47a1-9d56-ebb96bc86728,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f99d720-f8d8-49a0-9b0b-37d8c899ea3f,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cbe5d82-ce4f-492e-9eb4-15353288a9a5,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae061a3-e15e-476a-982b-0aabb81e4e3f,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c652545b-5608-4027-a28a-b4115a63810b,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a48dd9ba-4cb0-4af1-b2e8-bdb7cc37ecb3,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ab37047-8ac2-43bb-b283-4d81da78d0a6,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,143da79c-3bf1-4f8b-aa67-ff8161a6fddd,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f920365-abde-4705-ba60-3f03f821f77d,"4/16/2021, 8:37:39.182 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b46e527-eb03-4211-8938-cebfe5c176c9,"4/16/2021, 8:37:39.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d214ecd5-fffc-4a93-82bd-b5b0e48c8ca6,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd431c88-a18c-4b0f-8b0f-7439b41ec7ff,"4/16/2021, 8:37:39.182 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,76e64154-54ff-4394-8de4-9888df8cf41b,"4/16/2021, 8:37:39.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71cb7812-9c93-4a36-9c2f-c4c6b96958fe,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15ba85ac-89e2-4a99-99a0-85bffd09dd9c,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f834cdb7-530c-43d5-80c3-e159123fe2ef,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba5c0e27-ed41-4e5e-b4d1-b56cc6825f3f,"4/16/2021, 
8:37:39.182 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a5e55a-5f49-4cf0-bd76-89c88f1807f5,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b0842f8-008a-4cd3-8596-3ab9c53669e3,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1acbcc6-4000-4d8a-af8c-bbaa320bbb20,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c006172c-2ade-4f34-882c-9718f470c707,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3ca0931-9415-44da-b94f-e51d264fa850,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e38c92e0-4ee9-4091-93f2-03b07ef34931,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b76ebcd5-540e-4d8b-9788-99799066f2d3,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c1a4d64-4f75-42f3-81d2-455a7edd0215,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3107b517-10ff-43d5-a38b-0040c9ba2ffd,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9109eebb-e723-4607-9148-a4d649362200,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdeb585e-d1d4-47e7-94d8-f3165938fa6a,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75b2a995-7f60-487a-94d1-89a41b2dea41,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8b41a8f-0287-4ede-af51-10836979fb4c,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b942969-1054-4825-b245-5bfd9bbab20b,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5f275ba-3407-459b-a5a9-ceb2bad78cd9,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,559da9a2-cdb5-4be5-98eb-0520bcb0b38b,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, 
+\TERZO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,589bbd16-bfb4-4b83-8739-1b9484660a39,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbac21fb-3a88-4f47-85ac-2f91dc6c3e5a,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,362e99c9-c9e7-44aa-b127-93f8b90e7d93,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a3053e6-f649-49dc-bb60-00da49b05b4f,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79dcf6c9-0a5d-45ea-bc6c-c3a1c71f531e,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff7bdc9c-cf5f-46cc-af97-9b61b3b893c1,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24998e9a-0002-49c7-897d-ba829447b761,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6fdc799-5541-44e4-a7b7-a4cbfddb4a2c,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1ac25b6-ff7c-4f3f-b26f-e1bbaf550e0f,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2247b708-384d-435e-b974-9c18df0968d4,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d99f1e-5acb-41d1-9c63-f9eeaf87fc83,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03ee9643-2467-4789-994f-0b80750f3bbf,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e242836b-7027-491a-be15-b4457b942fe0,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68222299-9551-4e6c-abd5-6c177aeaf564,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2bebc7-f38b-4923-9275-b83d338ada7c,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f6e2b37-abf5-46cf-b064-81334b0e6b9b,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa9eb622-9be4-4ed4-9190-786a4ac7d3cc,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11024 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,6fa8c6ff-6619-47da-8d8b-33717b970dfa,"4/16/2021, 8:37:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6440 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a9df662e-aed6-43a8-8e6a-c8346da58ce1,"4/16/2021, 8:37:49.270 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a934922-f7b8-43f1-9f35-fbdfdceea6f2,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,807bce04-331b-4a66-a5fd-48f6f597d9d8,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e3e0fec-324e-4c12-b781-6c217303737c,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,843a9e97-22ea-48a6-987b-9860760bae12,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2c2ef84-c2e2-4b65-a784-53a458d7df4d,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68a152ef-cb8b-4621-9959-f9132b32c175,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61d45a31-340a-4847-ba78-1f27d11ce002,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2803f162-8e71-4ba1-8bbe-0d29959e0bdb,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c01213b9-0c9c-4130-aa72-a39ade118a1b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b480e574-f8a2-4493-b4a4-ea3ff394b29a,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b43a7241-c603-4e08-9744-8162524c9695,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b25e4cb-11f0-4487-ae03-f87eb8337adf,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1ce5366-3a6c-46f3-8278-a747b5c31d3b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9eb77e9-cb29-4cd8-beff-04b24e72188b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a300840-67ee-472c-9b9a-f9cab2192396,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\EYT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2be6ee32-5999-4169-b1d2-ed977953059b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0feb7954-cc5a-4675-bd43-f726e299d545,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61a5ff9d-d42a-441f-aa6e-7aa2e988a6ec,"4/16/2021, 8:37:49.578 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf7bb53-2f42-4e9b-a201-75fbe7e34abd,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,817193f2-f2a5-4174-994a-60657d1f7d6c,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,112d1918-778d-4e19-aec4-697116d02cbc,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc5af137-a8b8-456a-a05c-a1ae6748765e,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a70d9301-73be-437b-b500-8dca9a42ae11,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fedcca7-9a2c-4f53-9110-142c90fe4219,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f527235f-ef03-4b02-8875-3612969792d4,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e906f738-7d32-4779-b6be-9b688aa14a11,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d27b0dd5-1d21-4c64-82ce-2d5cee7bebc8,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd9063ec-b254-4117-a4e7-4e5ee5861fa6,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fd75111-4a2c-4a2d-a99e-ac7c066036c8,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efe6d10-02ab-4d8e-85e5-5e08be23c47d,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cac0235f-ab9b-4315-bb92-7821fe257166,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,904913e8-696a-4517-b64b-06f45b94ab5b,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0025a72-265e-42e3-b2b5-5f753dec259c,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\BO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5422eb9b-4d1c-480d-9c4e-ca622b03d072,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09e9c4e5-b2d4-4579-b8ea-1c8a81956e9b,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1076964-79e0-49f5-9894-6bc102b04fbd,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5df64178-61f2-4052-912e-105e0fe9d22c,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,384c559d-025f-44af-a809-f4e8dc6c2515,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad85f62d-7a0c-429e-8724-43d79991a0d7,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f980d124-2794-4319-a907-46066a304aa2,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff542810-6d12-495b-825b-1a1b1299aedd,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ae91e1-e2de-44ff-930d-930c0ec75b00,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e1130c-b573-4944-acb0-f8e2ae9a8184,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca5196e7-ee2e-430d-9612-ad97847581cb,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6314fc1-66b3-4e99-92ef-40d9634e94e2,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d2fb490-e834-49e4-888e-a7634074609e,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e8aba4-885f-4ca0-972d-fd3625ce99b1,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b54fd349-1bd0-4dd2-bcf1-cc4275ed73d2,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419b219d-ea39-4581-b2b3-cd1c0bbe7712,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c85aa597-7a66-44c1-9571-733126244bd1,"4/16/2021, 8:37:52.046 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,1cf81da8-2d19-4370-ac92-058ab415ca18,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0d8911a6-be34-45e0-87ca-4c097a12ed0b,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,710b9333-1929-4eb4-8c75-1c34494ca7ce,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,288fecfe-cdb6-45e1-9c8a-8ab5738c9b32,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c6e00095-db31-4e0d-a103-71e3cc926955,"4/16/2021, 8:37:52.046 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,61ab86ec-7f2e-4ac0-9018-2c26a0cb7458,"4/16/2021, 8:37:52.046 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a6cb3ce9-78ac-4d26-be1a-13d733c91305,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,08381f8d-91d5-4d42-91ec-f3a1e892fc00,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,28f0a031-c25e-488d-8c66-d016e566918d,"4/16/2021, 8:37:52.046 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6264 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed 
to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,81121f70-aef3-4ba0-a383-b51bbf7f5497,"4/16/2021, 8:37:52.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6408 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37cdd1b8-1f4c-4086-b4f3-b4a120d88a28,"4/16/2021, 8:37:52.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6e8844f9-af5c-4d04-89fb-be9551d4e314,"4/16/2021, 8:37:52.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ba9fb88e-573e-4e09-abcc-26867b27b9a7,"4/16/2021, 8:37:52.743 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f0d9ae4b-5f4e-4ff7-bc2e-ad14f1aa8122,"4/16/2021, 8:37:52.743 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,959d5996-0993-41ed-9a6c-70f89678abc4,"4/16/2021, 8:37:52.743 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13600 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,898168ce-7baf-4693-9c07-04f83ae7d244,"4/16/2021, 8:37:56.984 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3480 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f07618f7-9799-4753-a3d1-74dff273f2da,"4/16/2021, 8:37:56.984 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cabf8f29-ea87-4cf7-9022-ce27263b98df,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,effd478f-38e1-4b3d-877c-acc3f9db96ac,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26c2d1dc-9f02-4374-add9-5d3cbe06262b,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,967ef117-0610-4cec-a025-ab748b2c4f82,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f555f86-b31a-4905-b2e0-6c9871349142,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425cb1fb-42b8-484e-b33e-b5fe8b88c9ee,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec76d1ee-14bd-4d8c-b90d-638c9a6c629a,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c63944-5585-49e8-9e5c-084c9e72bb34,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3bd079-89fc-4388-9ff8-4abd586c0202,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fb06f41-a162-4370-a4d1-388553972428,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5367a474-86af-411b-85d2-3c20be4e856a,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,868c3b0b-d91b-4f89-8827-62c965c2ff45,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1e32180-6e25-4223-912e-5d00ee7800de,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13e369d1-44d3-4b8e-95c0-59a42db08961,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63cc6211-4196-4d54-8b88-1d0a75e5020b,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,709711b4-8b63-446f-a13a-63f4c95827ac,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24a4cb2f-a603-41bd-b06f-652d6c09c48b,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce1decef-c40a-4972-a762-2d0c94198ec2,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98da8e91-c956-4fbc-9e4c-bd2edfa10895,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd96e0e4-c7f9-43f3-97e9-972fb34976c2,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\FTPUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa5d3ee6-b993-4ab1-8009-ad7923a4ce9d,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab231e2a-1c62-4326-a0a1-11e1b525e33c,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,647d0534-e187-48d5-b42c-b68d33b9590c,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e2ef6ad-543c-4ebe-a6f0-c05ef356cb26,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9448f84c-e8e0-4cdc-8082-dd3aa2fe98af,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bbcfb16-b6d1-4961-a532-d4a378005727,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60cb5177-2fa1-4d46-ac5e-02be5b6b5f52,"4/16/2021, 
8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5206a2ec-5741-4f1c-937d-3cf0c1c0fe4d,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,346600a7-1e1f-49ff-a499-6520291cd3de,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,743d0758-1423-41f2-a191-d9aa1c77de9a,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed3ea9b-0ee3-4bac-be1b-2aa3ba3e7099,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c53b6db0-cb50-4841-baf3-e709e706a003,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9568986-83da-475f-a65b-3aa18a98dadc,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4a109a0-ac8a-447a-b0ca-79a9d10f0d42,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92e21a53-ed2a-4c10-a484-8ddc6d6ca1eb,"4/16/2021, 
8:38:02.597 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d026788-5da2-409b-b05c-8b78178a22b6,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62afa59c-2c0b-4fae-95f8-33cc35d13a4d,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48fbf715-dc59-4cc4-a868-576e9eca3348,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86f8db6c-8d52-49a4-8daa-d9163b7dff47,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c90ba273-5b11-463f-b936-8e182f5c976f,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f28d3dea-0109-449c-9872-d0c4f908632a,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2bdcee6-19bc-4cc0-94ef-eb5ffb8fbad5,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b764dd54-f64b-44ca-95c5-28493874494f,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2ab5585-1184-4e3f-96b1-b0c46a58ac80,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b56ab8cf-f629-4b6f-9263-463726d768fd,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb05010d-cb40-4bbf-8a16-3cedc8aabda7,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c69b098c-0cae-4fc2-aad3-190ee815be87,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a397b70-d31d-4200-a683-915928bc1634,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4443690f-a6da-48f2-b316-aabfb9db3730,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f44a3e0-3cf1-43cf-849c-e055f5d2d2e3,"4/16/2021, 8:38:11.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,abd5a99a-6e82-4f66-8d69-081aec1f5fa2,"4/16/2021, 8:38:11.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fe26b74b-d868-4c11-9ab8-856a9c785ca4,"4/16/2021, 8:38:11.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc9a0026-f239-4e5c-8582-6c16d935028c,"4/16/2021, 8:38:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,380b8455-ed62-494a-b238-9b73d0225dca,"4/16/2021, 8:38:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6614d9d8-a312-4e21-8e16-f94bf83cd18d,"4/16/2021, 8:38:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1596 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ef955a85-76c1-491f-8734-086ab414b1fc,"4/16/2021, 8:38:11.411 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e43fecd-5922-421a-a8bb-40be61ac5601,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53a7b8d9-ad8f-47a0-a52e-8a4e17e87ddc,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07d839c1-dc8b-40dd-af3c-ca7eea8e7809,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50da1a70-1340-49b5-b49c-df2ccbeaf87e,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9f30765-1dd2-4bde-a305-8809870b29b7,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b893a45-a79f-4b7f-bbdb-7daf86f25e23,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a0507f8-e5dd-46ab-98ce-52420deccd59,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ca6094-a9fe-4ab6-b007-924091d764d3,"4/16/2021, 
8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ddc30d4-c3ad-4124-9d51-9c05fda47fed,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbdc0388-3c1a-4c7e-8eb5-148448e9c23e,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f40ea3a4-dc6e-4ca9-9442-7d0137d09eb2,"4/16/2021, 8:38:13.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca575f6c-ee0a-429a-9459-fb4e7920f9a3,"4/16/2021, 8:38:13.112 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf069959-b772-4a8a-99be-ea511d1f8c09,"4/16/2021, 8:38:13.112 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df126e2-4f9a-42b1-a782-ed86dce62f7a,"4/16/2021, 8:38:13.112 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b7ebc16-bfae-412f-b58d-a65e134474b4,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b26df5-6f71-4888-834f-41123f599b2f,"4/16/2021, 8:38:13.112 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e4065e-214b-48e2-a48b-1f2e1e763222,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26cbfe69-63d2-483a-87ec-e9ec804ed10d,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21021266-f5e3-4d65-847c-c9769280dd42,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6584 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef375430-3f26-49f9-b779-4ec2fcabf64f,"4/16/2021, 8:38:13.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1808 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + 
C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b48d08c-5865-48e9-8c92-3f6fe874ac4a,"4/16/2021, 8:38:13.112 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,303874e6-759f-4012-986c-98db89370ba4,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,420cd318-818e-4430-80f5-8282a67c3a0e,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2f6c00d-1e42-406c-9cc3-cfdd24407946,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dff0a436-5480-4c9b-9088-23c90851ab7e,"4/16/2021, 8:38:14.594 AM",,,,,,, +\HP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4c42be6-b22f-4ab1-bd45-810f86e3088b,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df03c145-df29-41a7-a8c6-7d9f87c648f1,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56906bf7-fcc3-4b8c-9068-de91e452abdc,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88781358-7d4e-4b14-9b04-4732dba2d680,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8b64d50-5c22-4c29-9f1c-74f5279df744,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a332cdd1-9dcd-47a1-b490-594eb3e83b23,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25ac4b1e-04db-4eac-85aa-f12225479e9a,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,223abc78-fa7d-4e30-a1a4-8ed375d9ac4d,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08650dd3-3f0d-41fb-b49d-8809c88a997f,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,195ca4e8-c195-4f5d-ac3b-e43654c4a2ed,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf0b15bf-fbd8-4496-9c01-76a7fc893c51,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,526ea6af-1475-404f-8ca1-ad774315e5cd,"4/16/2021, 
8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9d83411-6b80-4ea7-8360-845a6ad2765f,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e2086ae-6e03-4997-8e3a-691042a40d75,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb8e1f90-1b53-4611-bb06-072e35e5b80f,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14295576-9fde-4cc5-84d1-4bf17670ef26,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa353f10-1d95-4c1a-9ec1-1289ee2374bb,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afae2745-6cf5-4cfa-a2cf-1f34afd0926c,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51bfe23d-6dec-4bc6-9947-1193746e774c,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948f68da-4acb-442f-8a50-0f2359d10ae2,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b9bda7f-3342-4d80-aae9-548572b583ae,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3f04629-c0b0-4210-816e-7235b3553f6e,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,704b15f7-6c96-49ed-983f-3120f3e83e49,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ConnectServer),Root\CIMV2\Security\MicrosoftTpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,553f9819-714f-4b7c-a2a0-b7e16edfde46,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"Root\CIMV2\Security\MicrosoftTpm:SELECT ManufacturerId, ManufacturerIdTxt, ManufacturerVersion, ManufacturerVersionInfo, PhysicalPresenceVersionInfo FROM Win32_Tpm",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3fbe78b6-8970-45c7-921e-1b39a5a72117,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,564b2fa3-e2b4-4fca-afeb-44f008fedca6,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1846d586-19b9-4996-b5da-e550ab6a36d3,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3832f7ef-0892-4f71-905b-c16c1a69036b,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,26948dd6-2538-4915-a3a6-95e25210ea10,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dba30fbf-b613-481a-a607-3310c1160870,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,092b2ba8-2fd1-4bfe-807c-f42b5708ec4d,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,936b35ef-7ed8-40b9-a459-2cc4d2dce91f,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7f034557-ff13-4c99-bf66-deddc9ff3ff7,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 392 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,34ed6cd1-8351-43b5-9b9b-7521c84a6adb,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8440 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat 
Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b11987b-59cd-4c63-adc3-01c6f7d1a727,"4/16/2021, 8:38:21.882 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,0f74ef71-87ab-442f-9865-40b8fce3f789,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc + S-1-5-21-1096725243-2186503423-4261620451-500 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,10fd92da-b2e7-49bc-90e9-f223c1f1088e,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + AdminPc + S-1-5-21-1096725243-2186503423-4261620451-503 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f5804e2a-a9da-4451-89d5-23f45da0199a,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + AdminPc + S-1-5-21-1096725243-2186503423-4261620451-501 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7b2eac1a-edd4-4c5e-aade-d7cc94492644,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + AdminPc + 
S-1-5-21-1096725243-2186503423-4261620451-504 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c7dd17e6-f5e2-4176-afef-11de61de0c7b,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5b1e3e24-21db-4c11-a981-7a1c9849c88c,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e22be265-b771-4664-991d-eb8dae2319ef,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,64763598-833e-49f1-9a62-d9986a440a4c,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8fc5c722-fc02-4e73-a971-739b7fd3e4da,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a1ad9485-72b0-4ea1-b82b-01f812bd03fe,"4/16/2021, 8:38:21.882 AM","%%1552 
",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f6e0227d-3638-44b1-97ce-d05b3e7b839e,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,75906096-8907-4d78-bb92-bdb18d9db40e,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c0ee008-237e-4aa1-b41e-a7b9d9e203f8,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fc3311ad-7037-4c7c-a4d2-261ee913f305,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,647a2917-3ead-4470-84f8-51d3a1c19109,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a7a2d89b-7566-492a-b1cd-09a1acc5757c,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ed7a8dc0-33ad-42f5-ab7e-b18544e5ea95,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f2359099-3795-486c-b5e3-fa12defb6eae,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,472d2c15-aee0-4b92-9296-c6ef972e9fcf,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,18924618-ef6e-4e4a-9325-1d27dc29d898,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8d2478c5-02f9-4d13-b535-2f7c23a8d93f,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,abd335ad-4c30-4331-b306-344faf7a593b,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b8e1e554-5cb8-4c79-bd71-b1277b41c651,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,51c15961-4ff2-4928-9adb-4c03a61f7a5a,"4/16/2021, 8:38:21.882 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,822313b2-2b23-41a7-905e-06a3b7607dd8,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,369d1f29-3b01-4240-84e7-5295e2e837c2,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,18551cc1-55a0-4af6-8218-781ebe560d6e,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2b29e707-62fa-4d5e-9cda-ad792585280c,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10740 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8f82bcf5-3443-4885-835f-ba860cab159f,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12504 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a21ca058-1be6-4300-8d2c-080a5b5b81c2,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6440 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a4669706-1068-41e9-92a1-15d9f2c584b0,"4/16/2021, 8:38:21.882 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76449dcd-82f9-425e-b77f-6f6f0cac7050,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,23cb0a36-f4db-409d-81c6-ce37b8be8750,"4/16/2021, 8:38:20.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6271a50a-74d8-48fd-ba29-1a3fc500b94a,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4044d165-5f70-4766-b37e-87008fda446a,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d19a82c5-4cd3-4184-9849-b034a83815a7,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b936deb-f26f-43d8-9bb9-7ba91e31c74b,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4252 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dcccbb6-d436-4e34-9189-41224534ccf3,"4/16/2021, 8:38:20.116 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b67facaf-3950-492a-9e01-9aa4c2919869,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f4f18bf-5140-4213-838d-c952fe2b3786,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,744b2e61-1960-4fe3-8344-5844894a8ec2,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55702e9c-9246-4469-978c-19d2ebf5f911,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f2064c-4c8a-4a7e-9d32-b639b9f87184,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43990842-cf01-481e-8498-27202bdaf496,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d70f7ad8-69a3-4bb3-b315-cbad3165d3ec,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04252d24-3d9d-451b-b36f-18f58b12acf5,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b5120a2-b02c-4b00-b896-ff4213e20429,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03ce5e6d-642f-4b81-b6b2-d33dc7110a7f,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f01f3a-5a05-4379-8ccd-59413e2cd5fb,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e4fab94-7071-451e-8e26-1d03ec981e1f,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb6a5f30-f95f-4326-a4f9-25e7ed1a0e73,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,123bcc03-1742-4bed-9d5c-4597cbee9b6b,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,746a73e3-8ccd-484d-bff7-b98f91d5b4c1,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4232d825-29f0-4f9c-9e71-3f711efa2bfa,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbbbec41-975a-43f8-9fb3-e791adde5e01,"4/16/2021, 8:38:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,86342683-35f5-4bf0-8896-562e6d0905f2,"4/16/2021, 8:38:20.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed496a8f-f238-4d5a-ad11-1bf8ff540a2d,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fb967bf-f66c-484d-9603-8b0cb6365c9e,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66200ba-7430-456a-8a7c-a68b0170d414,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7356 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a60ad1c-845c-432c-94c2-0342abf40688,"4/16/2021, 8:38:20.116 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ff005ae-0dee-4f20-9f58-f9db681346a6,"4/16/2021, 8:38:20.116 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,15b963d9-4d21-45fa-85b4-c433aad1bffa,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,10837e07-d15d-4099-9e0a-dffe489bc140,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a59a7c8a-4277-47e1-b7f3-5fc6f621c502,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,392db093-9754-435a-b963-d9875c165654,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2fd8a138-4064-4303-8881-9649521cdf24,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,81b7b992-859e-4e20-898a-4a080b92fdfa,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ed6dbff8-8374-482a-b5f0-3b3a91c47fd5,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,df32c303-d0c4-46f3-bc80-0f1a2e12790a,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0ddfe0f2-8ae6-4e16-bb9f-7160dc6242fa,"4/16/2021, 8:38:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9848b1f5-7576-4352-97ef-cbffc756bcb2,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,19824cf1-861a-4aa1-96c3-ec11076991bd,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d0f0350-8a9d-4821-8678-ef2603a742f1,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + 
%%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b32810ec-3472-41b5-b762-0378467e9f93,"4/16/2021, 8:38:26.559 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ee40207-a043-44e1-b139-54c8693c2643,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6292 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,80508cc4-b20d-4e45-aa95-8d9f3fa48e6d,"4/16/2021, 8:38:26.559 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f5cba212-798f-49a3-994d-62be5e08344d,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5344 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f6938ffc-aa13-480a-a07d-03f0a5db0748,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f08cea3-4404-4cbf-ab8b-e0734630811d,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1140 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,64ac2868-5e21-4c05-abfd-25dd1a45350c,"4/16/2021, 8:38:26.559 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc196200-4d59-4830-94d5-57d075f79d67,"4/16/2021, 8:38:26.559 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5d9ce72-3c25-4fe2-8f1f-fcb9cae00383,"4/16/2021, 8:38:26.559 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,761c34b8-08a1-4efc-9863-2fe008150d37,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f64e1f2-88fe-4456-8cce-08bf024c9980,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bced050-245e-41e7-a8a7-cdaecbe84ca7,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55593bf3-08c0-44f6-83dc-7f9b4f8a3416,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f049a68d-efa4-42c4-a035-c96c3d6808d3,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d908d384-8d70-4067-a00c-46cbfa72fc05,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd2c2df1-ec73-490c-8ba1-3623567e2d5c,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4493b8a6-d8ea-44e0-a6be-58a70495ce34,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2450da2-db7c-499c-b0c4-0d9cffd10465,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e297330-0404-48bf-9b77-7426b2a0b7bd,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87a635dd-4bf1-4ba3-ab34-2b99b90c832c,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6a8c23d-f04c-42c0-af9c-de051367f9f0,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d31a9fdd-4d19-4cc9-b303-68f8e76f42e8,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33c03b2e-6c59-429f-9da0-686d8ec5dcf2,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79d43c9d-6c55-4035-9fa3-c18a45915cc2,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6f5b13f-4d78-4970-a933-a634cd5797b9,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3ed1a02-3678-4691-bb05-7905de219d89,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,553f4cc9-5afb-4857-a498-1229ef502378,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\OBED,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38b52172-ad85-420e-ae00-80f0a2c470d7,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c72c14f4-d3cd-4e99-bf2e-2b79c9891bcc,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee28241e-875e-4f4a-9298-25d2c51b0916,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1572860-57b5-4b4b-ac2b-13f9f332425b,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a267b9f7-4f45-445d-98de-6d2c1e98ee25,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ca14a3c-791c-4234-9ad2-781a07a72541,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d8aaf4-03ef-4b1f-b095-d5db2b65adb8,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fbc6c0e-5e05-40a3-a3d6-093608ed01b0,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d1339eb-1253-465d-8bfa-327e2b697a2d,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02af550b-9d13-4d9e-baf8-83c99f5b3064,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64cae743-708b-4941-87bf-7252dcc5411c,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f42dda5-7c4e-4f39-8901-80ec4bc49182,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12f807b7-8a3f-4a96-b41c-d9f21cc1585c,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad382925-f724-4cc6-a172-35bfa1f6fce6,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8b2dd96-bcc7-4128-a6a1-73ec6ea6017c,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6d11077-cfb6-4225-aa3b-c671d37db2cd,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06ecad99-231b-46e3-b328-0503f9e09973,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a5a307-51b1-4f0e-b688-bfe21fd53196,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af58041-d108-418a-95b8-ef37269de5bc,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19519de8-a222-4576-be33-599defc4aba7,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e38b5a66-5f9b-49c7-a773-916b8a3cbef4,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44dd7b6b-3f2a-4c1a-a945-e8d2507f924a,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0ba94aa-f1c6-4250-94c1-8e0dfcaa5a58,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,790b3e27-554c-4993-8163-0b4bf5e484f0,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0fad2c7-5de8-4218-b23b-b4b8b2508dd0,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6d6291c-4b23-4b8d-b967-0bda65885baa,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04b2f37a-b282-4cf2-8788-b42e56e7f47a,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc895e72-a6b0-4c4d-9316-27c46d3f0b2e,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d12232f-df6a-4980-90a4-3afb083281c1,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b127c27-92af-4047-8d5b-46f385f1d904,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2b8a793-6196-477a-8205-855211460030,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e52a4bd2-2eb1-46e2-848e-fe6a1e730440,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,888d0db3-2202-45b0-84d5-fb9e9c722a50,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6dc7c687-7b8a-4a9c-b4f4-0e3388932fe3,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40a23e28-ebf9-4ffc-a4eb-4d0a7590e666,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66fda418-56c9-4330-9c4e-4a54bb482112,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e84cb1-3588-46ea-914b-9ebbb0fa7c25,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13c0d1c1-03fb-424f-8768-c23f9defcc5d,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27b9af0f-b0a5-45e7-bdc1-0d894f1753eb,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\VAHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cca776da-7af9-40a8-9540-a6a48e0417ae,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9d4688-ac1f-49b7-a9b1-5a37ce2facd4,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71239f63-8cd5-4bca-93fd-6d2bb93c581e,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b77a9525-d783-48fc-8db8-a391cecdd094,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,506b4018-923e-4ef2-917a-b8f534cb9847,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\SAGEHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33e87199-aa14-42b1-8976-d74d8eb432fc,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3961f5d-16ad-451f-b530-b0c0f5f85af3,"4/16/2021, 8:38:40.597 
AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd27552c-568b-406a-bf83-718a2f3895d8,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80e802d6-5661-4d59-bb0f-10bdd5b0a887,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae117e56-e287-4436-a28a-a2b45ba70ccd,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b662028e-9f76-475d-a780-f9fb8011af06,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1548ce0b-f5cf-4fa0-8eaf-d9e48be8ac28,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19f94a71-d9b0-4224-b13d-90f62483759c,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f457ab94-e358-4361-b4df-688c072a6785,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9293e137-584b-4335-8441-86b80325d4b2,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77e588df-016f-4cd6-9099-88e16f0440c1,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e670967c-c41f-4217-b0a6-3a67cdf74497,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8204ee9-f3e5-4ffc-825e-59245f7e0934,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ebe239e-98a2-4919-88b8-aaef182fe269,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0db2f93-dc81-42dc-86d5-687bc4e9c104,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,614e5727-f37f-4a41-bbe5-bc2402d706d0,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f712610b-5267-42f2-8475-6f04bd5c678d,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f3492d-0b9b-4a4f-a169-f19793ddb559,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03a50de1-17e2-413b-ab98-3dae20e562eb,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dcb6cbe-b53f-49d1-98c4-6aebd47de15a,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffdfe851-aa10-4128-8f88-8c227b6ed503,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d4f3368-3d7a-4cf8-9af5-07039866deff,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e179981b-3b9d-4dfd-84ba-7c61221cda9b,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,907c168c-a7af-4a4e-8169-b1bf7642abef,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d98c9f-08ce-424f-bd29-90773e2ff6d4,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a817ec27-6119-4887-8a77-814504040e4b,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,004c652f-9550-49b2-99b7-1447d7efe007,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7fc9784-acd2-467e-afb2-0cf1e4c564a0,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,556abec8-e16a-4463-8689-a8f740b7e42a,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b88d485-256a-4fc2-b6d7-9a3f1be3cb65,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,023de070-175b-4b3f-95c3-ce62a5cb6982,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baee2454-1f8c-4230-b747-a4c71cc421b0,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17f6db24-387e-45a5-92b7-05467c1e1ea4,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dfee95eb-4c4a-46ce-9e70-5103f2b37f2b,"4/16/2021, 8:38:48.416 AM",,,,,,, 
+\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c0ff5bcc-9a53-4a34-b997-86a28b8c33be,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8905b998-8683-46fc-85d1-563eb21f91b3,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,edfbd085-4e9a-4992-a453-548e84b04c99,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a12051b2-25b0-4667-b697-ae649f92fb22,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c9c0ab44-4dcd-4742-b656-8877fae7a895,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6304 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 
+ 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b6bc3a29-937c-491d-ac33-4c90dd9486d6,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11384 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3b5dcc37-8073-4c9e-9333-b48b658c1cc0,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10064 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,048bbca9-f1f9-443f-a366-3a54600341c8,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 118 + %PROGRAMFILES%\MICROSOFT 
MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1cc3a834-e358-418f-9c01-4f6c27dd7571,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3c5fb5e3-15f0-409c-815e-d840afef9ce6,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3180 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6917ea74-3c71-46a2-886f-9cd1c6307f44,"4/16/2021, 8:38:56.982 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14580 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,51ad9381-b925-428c-98fe-bd3236683ece,"4/16/2021, 8:38:56.982 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9959bfe5-674c-4e70-b944-a4ef6f60077e,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71189b2b-1f91-4fb8-ae6f-0f2e847c6135,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69601a92-5fa0-494d-8cd7-e7e1ad78e6c5,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbfa77da-2f93-498e-b86a-be8962992d3d,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6df37e58-6505-4f98-8f12-a8b240b55a18,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35a9aec7-1466-4c60-b707-ef1c5acb446f,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcdff928-8ed4-4484-a464-c884a98ac163,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63240398-e2ff-4f5f-82c6-77f7e1a9240f,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e74084a-da3e-4890-a166-ea516d98bb4a,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c616ffcd-50be-4dd2-a0b9-6b62848d0d27,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b6b4cb-6a60-4946-ac22-a8a70fc1f431,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7bc571c-4e7e-4d25-845c-60b2e528746b,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b8b2666-bd91-4f3f-b41c-84c8d1f60bce,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,266f698a-fb72-437a-aecb-3e841fc3f72e,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82b29d29-bfe7-4cb9-a4d3-ab7052232c3d,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,270fb220-e73e-4f73-a426-49e0e330f54f,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,540c5d37-6455-49b1-891f-a801fe4812fb,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc9c0e2e-00e1-4673-98a3-43c01871160c,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42b8efb-3e26-4be8-896b-d16d636fcb19,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9feb30bc-7b38-4dd0-afaa-dbc45c2ccebe,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b48414a-6352-47d2-8d9e-f974b9cfa329,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd206a77-ce74-4872-92f8-d18f5b25ca28,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,725ca498-4bd8-413d-9a76-69118fedc8c4,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93943148-593b-4272-b871-1ddf8c074e2a,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ab85046-03d2-4ba6-bdae-e99fcba8556e,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c7bd638-ef29-45b1-8f07-ae15d83f68c5,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aecef72a-c1dc-4743-99eb-483333f29808,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b89e247a-d2b1-4089-8548-9aeac333f6ee,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,792a629d-6756-4ad4-819b-458d2db87a5d,"4/16/2021, 8:39:03.064 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4715613d-a22c-41ff-83fc-62b67185de60,"4/16/2021, 8:39:03.064 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a7940ea9-885f-465b-acae-a36e6b65d383,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7f66e813-f673-4d75-aa30-0ea6789e9117,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c222112-cf56-4956-b444-c304d3167ca4,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,d743f451-f71e-4c2b-9258-5e89b3449d8c,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + 
Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f8afacc7-9282-42a3-bcd2-c812e0ab8b05,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5e9b87f8-82ba-41c1-a16a-5d870888489c,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c26c8824-95cc-40b0-a22e-a4127a560968,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,38382f13-d303-4647-a4d4-af2656ca30b6,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc7b367d-6ace-481f-8d5c-d8959d721f2a,"4/16/2021, 8:39:05.606 AM",,,,,,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b558393-e20f-46f0-b971-f35ac64c6853,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d911c811-e375-4833-934f-cf42a7271c34,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83c1f866-fe81-4375-b57d-2878d77e55d6,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,754942e5-9808-4897-abb2-7c93889c5d30,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32eacf60-6fc4-44a8-978c-584041b9b577,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68e1d764-df14-4f39-a086-6c1def485bf9,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0295a219-eb95-4b1f-af01-335e3ae6048e,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd42bec8-33d2-4d14-8546-aec63f42d970,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f905711-50b9-46a4-8470-350a40468be8,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3091929-1041-4334-9bf9-3f77447543b8,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac304b9d-88c9-423d-8680-319935adf8f2,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c01ca9d-032b-4700-bd18-f6a89acb4696,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20dfbaa3-0728-412a-abca-e0a3224006e3,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed99ff7a-7d07-4826-bf12-cdb3be91be1e,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7334dbd9-de9c-43a9-9df2-3e1d25444029,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c8fc120-9463-4059-8a44-49db744367d1,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a41016ad-490a-4d04-ba79-b0f63f17ab96,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa3edbda-ca43-4e8d-aa0d-77a0b7049e59,"4/16/2021, 8:39:05.606 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,791ce1e3-3e59-4c34-b790-855a8c4ddaf3,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d453888-13a1-4bad-b914-d77a30f07a9e,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51cd1e5d-266d-4dca-a029-c04563aa6d93,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d42b8dd-57d6-442d-bdd3-0a5cc35b2039,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d8590ca-e2a1-4cf7-91c9-0113e2984581,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e6e1dda-fd0e-4505-bebd-e3ea88b63bd8,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0eb59c6-be37-41d5-a6d1-3dbd332b0980,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bfcf911-f167-49b3-bb8c-9b522c0fb57c,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb54ece-e904-4a89-b029-79e1e654bd82,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7f426c-b5d5-4611-a15b-deedc881f19e,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba215d0-60f6-4353-83a2-3bff21be0c4b,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc631be1-e33d-498e-8f93-f2cdad09ea1a,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa1ac161-5808-4168-972f-daa51760f480,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37e4711f-6577-47eb-bfa2-1ce5a28188c7,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,973104c2-f6ea-4945-b04f-eae4242d0ad5,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5a2c285-3254-4267-8d16-221594f056ad,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb934bb-735f-4984-9322-ba4e9f8f84a9,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e04e1541-d5cd-4de2-95a8-4a53dc454710,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ec3bbe-10ef-4a55-a705-93178fb5cb53,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00f56008-6a21-4509-a1b8-10c5216f42c5,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b85a166-eb54-4b69-9419-8dc34564f7de,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76780f9c-2241-410d-a4f2-d7c62d56e8ae,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b0f06f2-17e1-4a28-a284-2e0fad595549,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d324e91f-db8c-48be-9dd6-46a051592c22,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0abf8f0b-9fab-4f67-a0b3-4787393973d1,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b8e69a5-1907-493f-ba2e-c1d7c09bd7e9,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08b4b076-9d24-4036-b372-3650ff312535,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae260685-98fe-4ef6-8e3e-6fb064a86235,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d43d321-6e9f-4109-ad38-7fa261e44e08,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\AFFILIATE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90fdfbc6-d23d-4dfa-b865-3c1415166c6d,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdcee209-f63a-4280-80ca-4477ea2a0e02,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1710bad-7d43-4c26-a122-c1991fb0eba4,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e2b9b2b-9724-4418-89c9-3583e0499970,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,195f7d7a-ef63-4fe4-93c5-950267640ddd,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbe7678a-8d1e-4926-86d1-0b46d67ff27f,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9da4141-b90c-4f4e-b58e-c742abcc7a0d,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0db37e65-69c3-41e7-8303-7db1b1a390a3,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5da56883-5c29-4fa5-85f3-6d1aac98b35f,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f4a3243-26bc-402f-85c5-172545f0c01e,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1559419-1deb-41b2-8a8e-fa0faa97d3c4,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa35c8ac-b37e-43c4-92ce-65358f526c40,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75654026-c48b-4778-93dd-ec700d5ce0a8,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d04f0e9-8bb9-4f09-add7-b9829b45ff2e,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86ee3c17-55aa-4994-8ad2-7998a27d4f5b,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7dec993-fb4f-4f7c-86c1-ede03c014182,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdd7da74-1607-466c-929a-71f622bb9782,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bbe16a0-aaa8-4e8d-800b-109e236795c2,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f01a42c8-3d97-4864-9642-ef6da5787f47,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8a100b6-1e51-48a3-8c2f-de26195e5b5c,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5985508b-71df-4118-8271-ccc890e6a31f,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc179440-625e-42af-b6c8-7caac76a90ff,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9272c803-be10-4339-9357-15cdf87553ab,"4/16/2021, 8:39:26.119 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39c88a3f-6035-4a75-9648-b9b97ee0f526,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b375c1-8726-49d4-a90a-2e1ad90b1da5,"4/16/2021, 8:39:26.119 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8352 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8974806b-6af4-4a7c-bbdb-53264a022950,"4/16/2021, 8:39:26.119 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b10ae0-6424-4871-991f-84d14d7ac811,"4/16/2021, 8:39:26.119 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23eef104-02c2-4ace-a40b-313d0236c2ca,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06b15149-4e8a-4c69-b7a1-6d4afffc7d5f,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d87981f-1cbd-4cea-a3ff-0f5bed4f456c,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4803d4c-e7e0-4476-b9c6-620acd47123b,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90fbc275-4333-46a1-bb4c-1e42afc30fdf,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6189efd-deff-4287-9aa2-e2e9aaacdcbb,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7309cc50-819d-4b1a-b59e-ad5ece4934e3,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf68996-2d44-4bf7-bc4c-966344a9f669,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5b9351-82ee-4445-8982-3517e5a7ed65,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca15b770-2c2a-4c44-ace8-6b409cb1d88e,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f21a4a8-6067-4312-94db-a3870c5265d7,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1c56201-1ea1-43aa-a652-0afbe643fff0,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92e48922-356c-408b-bf5d-d832a4cfe976,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bea56f1-3b9c-4247-8f70-a563ff213db5,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f46848ca-476c-461b-acb9-cf7aadd3bbac,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed4b403-8845-474d-b71f-94d83dc52119,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9eada7d-6739-41b1-b39b-57b5f4583452,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95fd52f5-cfef-442c-9cce-c799f5601cb0,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fc461f9-5d0b-47c6-a254-66bac1ff12c2,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42e25b47-35f4-4e72-87ad-a5a40d60e152,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80401d27-e6d6-4b13-9281-50f8f6c6fee1,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d17e2c72-f3c4-42a1-a754-f65034014414,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab182b2e-a8ba-450e-a8a0-5e48670de52b,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49339450-c164-4678-ac37-ddb533b9d8e5,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fdf9d27-fd95-4e42-8ba8-2ca840283e0c,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac4fabf6-9f30-4533-a788-b3bfdc37d865,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1913e640-abb9-4028-bea6-6f2b23908dc0,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e24fbcd8-9ffb-4683-82de-99b2b9e212eb,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc726843-bc28-4e11-a0e8-e86156f0cfef,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d84f2cf-733b-449e-9a93-5be9a57c475f,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d68d2804-0bc5-4d19-b6fe-7f8ffbc3e9ba,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,3e80207a-2461-4599-a143-3883346d67df,"4/16/2021, 8:39:34.098 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,477beb72-172d-4066-a0f0-5fdc2fd5393d,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73e7e427-6300-444e-ab26-387a0ff2c8fe,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55bf2e77-a0a7-452b-a89d-4c0f9e737fd5,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f22efaa4-fee1-4be9-aeea-3c8b995d03b0,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fbe3948-2cfa-4f8e-8776-ad0591c52ad8,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df9c8c3-1f8e-497a-b195-dcbc4265c52b,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,787398f0-74b2-4a0d-a3ec-f17a1c684b5b,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83992d29-0717-4ddc-9d76-6fc6c7f2e893,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dc4fe91-4c6a-426b-9e56-fe52f07d3fec,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec9c62b-ee14-47a6-af5f-a6c3a7285ff6,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,acda7b1a-c9a1-45fd-a955-7d235f71b6b3,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,07817bea-1e17-4827-ada8-9356f7dc651f,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a501083f-0b1e-4576-99a8-3177d5334ce9,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e01c4fe9-53bf-420d-bd7e-1d739a254e0f,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3721237e-2ee2-4ec1-af0f-0229e9118032,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9db692e8-d6a1-4932-b8a3-7ee4f0c94965,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,81ec656a-e82b-457a-97e4-bac589d84491,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80dabc4a-0f33-43f1-a899-5122459bf56e,"4/16/2021, 8:39:36.043 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a0a7e0ac-f4f9-4294-a75c-a753ee90f8cf,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4352 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT 
PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f8f31b38-aea3-4bd3-8fa9-5525af556f02,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9332 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,88163cc1-55fb-4bd5-812c-14c9b3c8af39,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e79fe8c5-7bfb-4c0c-b5e2-a5525ff8970e,"4/16/2021, 8:39:37.528 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d57957d2-b732-40fc-b257-e1aaf9867e2d,"4/16/2021, 8:39:37.528 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,eadb3a17-cae5-4420-8f39-5d6624ac084f,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9ea30dbb-30e0-4deb-b12b-9d817d513c38,"4/16/2021, 8:39:37.528 AM","%%5649 ",0x2,-,-,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4151bbf3-1a96-4648-82e8-fbc8c1971a66,"4/16/2021, 8:39:37.528 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,476bc789-28ae-42df-8a90-a6178a2d014e,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9836 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fdfbf556-2868-417c-8943-1f96336ca40c,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc38c824-08dd-48c6-8251-6a54912ca541,"4/16/2021, 8:39:37.528 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51825c59-e034-4ed6-9cd0-b3642749392b,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,187c9d11-1e73-4a0b-a7d6-042d1f42f2b8,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78f99ad-7dcb-4881-a8e4-864a53a245c4,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0f78bfb-32be-4f22-a459-429223a4d463,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f86f6c4-a145-4f4c-9a3f-bf7df8ec7542,"4/16/2021, 
8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c66efa39-b7b1-4e94-b942-411148fb5bf0,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cecb4261-5796-4539-9485-0e8dd8506d5b,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8a9f817-49bb-4e6b-82d7-027948f6eecc,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45874f49-ef9a-4ef9-8079-0fee99cebe6a,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1fe5f1c-fab2-40f8-b750-233564de3666,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e79f8d2-146d-4d8d-8e27-b8fef91af887,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c5ab1fb-1681-4d17-979d-63f1e102a617,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a4c1e6-6553-41af-a177-7550b5404a9a,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab611a90-9fc3-46c0-b86f-3b1b1267a056,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa195f30-cb30-4139-9735-5d76a66c24df,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56f1746b-e4fd-4367-b784-ef9d2dd5ddb0,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac01f3c-cc5e-4390-8667-2bfb41ceaf49,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d617fa-6f4a-4810-b00b-6f5052de0141,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fecead30-1c6f-4603-9a28-8151e9057f68,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d9fea4d-37dd-4853-9524-f49e6b53a85f,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92af06bb-304b-4466-af4a-4cd4c540f684,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,906760cd-ecff-4541-bbe0-6f211b621efa,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8be23819-b1d3-4b1b-8ce3-b08062aef515,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b19c4f-10aa-4f77-91a7-04383c433b63,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f2e365d-be6d-47f6-a28a-1026047a4839,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c475217f-6d04-4f20-a6fa-371ce7251d0f,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a865b653-0da6-4f56-a0bd-05db1c4bae07,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1b294c4-da20-4a72-835f-4c7201f9df4c,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,769789bd-8191-44dd-9daf-91be8ed4615d,"4/16/2021, 8:39:44.907 
AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df6f5eee-1186-4d47-a9a7-5cdceb3fbf55,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,378574f6-ce96-4afd-9a9f-729cb714aaca,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcd1111c-b422-4dbd-b005-e57cf430da45,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c186791b-f3b0-4e90-8ee9-a3dd7edd6ba4,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f0bab92-e1ad-4ad0-8431-fbf089f89919,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b4af564-00b7-4806-a241-2a32c888e667,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17dfd2d4-3c41-4665-8454-530a6f3a0d81,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c96b8772-0afd-4740-8f69-55561200a731,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0007667c-feac-4198-9ed3-98c550729d28,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12d03fd8-7843-4969-8fdc-73ca91cf974f,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d0a448a-28bd-404b-be9c-4c5fc6494cb7,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d0ec4c1-14d7-4c1a-a01e-5799fdfc494d,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15d3d5c7-4d5a-496c-81e2-62fbb2455cb6,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91e5ecbc-9037-4bf8-96fb-6b700a967ab8,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc643c66-9d4d-4a24-a32e-8bdace38d054,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a40ed5fd-32bf-4743-b56c-e4b2d64c0d85,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,691b041c-6200-448f-af0f-0f805b896d9e,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46e7a588-04e4-47aa-9614-a3d572bd97d8,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7fde453-69cf-4f93-8fb9-b76ad5695b64,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b0ebb3c-d1d7-4bb8-953f-af151f465a38,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8540b17-e31c-4207-a96f-e7aa80d34311,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,183a5380-3a4f-4ace-ad73-decc13576c9d,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8851eeac-2d37-4b94-a6e2-74aa53a38f0d,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d2a647-c70e-4678-bcdb-459964ccc9c6,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1595368-b242-4608-b538-5b53a009bdff,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,567c0587-0eac-40eb-a0a8-5560b126f07c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,005048fc-ebad-4094-80ee-69f3670d636b,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99eafee6-4ddf-4505-bbd9-c744bb098790,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d69d84e1-c5cd-40ab-8615-735bf14f0235,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e9828ad-277d-4219-9a65-d433e9691ff1,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e2e39ac-02b3-40bf-8bbf-251548db28df,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e078205-f52b-434b-b15c-0bf05e90436c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca1f9df-ebe5-4727-b4ee-da3d3789268c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb021acf-7331-4fe6-8b87-ff78894284fa,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7865c36-50f6-4601-9397-70350a29cb31,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5bd5628-b617-4aea-87ec-57b2bb0372b3,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d08fb2d-f645-4dab-80d1-e214980c76a0,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8d9857-9f05-4d60-99b0-394b8b285bbe,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c47aa2bc-3f6c-4087-8370-28439e738a9b,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c502bfa6-db78-4b20-98e5-f87b13a8e03b,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57163e6c-951c-4326-91b1-129abe05bced,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,358ca4df-2159-4381-b636-ba8c7771ac5c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12503fbd-1671-48a3-94e2-53ce688c96fe,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7484e722-cdff-4ce5-a8b9-9571f29c1014,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d3cafc-5822-4d86-af4e-f3debb5f03b0,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34c02741-b515-4be0-adc3-434126279499,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aabdc6c-ee72-4028-9596-7f65a1cdd241,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f3ee33-1603-4b21-afec-fc76081ba2e8,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9792 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a112a5fd-7390-4945-ab3e-5fbb685de016,"4/16/2021, 8:39:49.931 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,954b4de2-fa93-4737-b3ff-8fc55e572ff2,"4/16/2021, 8:39:49.931 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1379ca70-5df7-49fc-ae06-15fcf936efbb,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe3991fc-778e-4688-846a-f8a28432b875,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e04ca7c-c6b5-4cf5-a79a-914ca9386428,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e08a307-a126-4702-9d0e-e08146ac309a,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974b8108-f230-4d3d-97f2-f1a2ba432932,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c408361-5c13-49a6-baa2-e6018cd18fd5,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60e53f2d-c001-4a61-b1bf-eb1b075e250f,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2187edc-c2ee-43eb-b3ad-8585d94819ee,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84576e11-ca0c-4f29-95a0-b2cb7c7cd225,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb21fdc4-3cdf-4208-8045-4d8df67b518b,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d03f01-01f8-4e60-a151-c6e73168c7fd,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c7087fe-9770-4017-a419-6c22e71b5f6b,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aceec76-4d80-48c8-a4dd-54836288c45e,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\MASTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd3c7e19-1b8c-4156-b273-0882405eb528,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02198142-ad11-48bc-8708-be8ce5546820,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52f88d61-3def-49fe-b951-a6fd79f76faf,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3ed499c-5639-4f52-ab07-573457aa6e65,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,120d9269-8815-4512-a27f-6a5fd46e1575,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fdbd176-1bed-41fd-8df4-fb6b246db37e,"4/16/2021, 8:39:54.122 
AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94650bce-c125-4ec4-9368-37d3130b9d4b,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2895a142-0cd1-44ae-b386-e17ba0a773dc,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86763712-117f-4521-9970-d5b3e8d379c8,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ff603c0-9d66-4ca2-b039-d2d10ba0ef09,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,db5653d9-0963-4000-8625-15f2d6af82ec,"4/16/2021, 8:40:08.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1612 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d8d61b88-0b59-4dd6-be46-47eaaddb4f25,"4/16/2021, 8:40:08.573 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,cc315235-7414-49b1-9b1d-9152b0b6b4b0,"4/16/2021, 8:40:08.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6852 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6fb429fb-167b-4c99-b12b-e3b57d492677,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,9f2ade53-7f90-43d4-a039-198314e62b68,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,0cd26feb-fd4b-4812-a2e1-009f8e48049c,"4/16/2021, 8:40:08.573 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 
0x40b9c93 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,9b011052-71ac-4bd4-b02e-144f2cd7eaa5,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,69f059bf-e9d8-4725-bef0-22f8e5f3548c,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,43f65156-5307-4ef2-b2ac-19b32ab296ee,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,13e360d8-8335-4a76-9c22-3961b4b31194,"4/16/2021, 8:40:08.573 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e535e5f-7cd4-4d07-a2e8-8f67d92bd947,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f926331e-1b80-409c-8899-fbeee1918ef5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e94181e2-1380-4229-98ce-721a02ded02a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d811e9-3388-408a-ae92-279f5674c545,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d13cdb6-074c-4e9b-959d-2436dfc369b5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b28d2250-0848-45cf-abe4-526430e7011c,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b5f3488-f2d5-4ba3-8243-b41e974cd698,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,152022f8-ad37-44ff-91ec-c4f9eeccced9,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40fac49c-33ca-47a6-9ff3-4bb6475cc8f5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10ea3e86-a1cd-4598-b408-13c59db307f1,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d3cfcf2-9619-47e2-8357-2367d648d686,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13c58fe3-0fad-4684-b7c8-344fa394a78f,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b7e5a4c-8340-454a-8802-a7b8897744d7,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53a088dd-d2c6-4895-bb06-22fe6a7d63e6,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cade4460-920f-4efa-8fb1-48b2379d0fe5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,316dde07-10c1-415c-bbd6-4052ed45e2e1,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a06b86-fa5c-469a-b56d-3726c35dccd8,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b70786-2dfc-4b90-af66-8ba0bb00e9c3,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e03eeb4a-7b66-4631-a12f-3472d3217a4a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f77ed80a-6d73-4c0c-99e9-ef9c678f51f5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd22748e-dd39-4290-91e9-fc7b3a1b2766,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00895178-e972-410e-b581-3f285a8e24e1,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d910f83e-6617-4f09-a4df-b95d96c87a4a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f331820-5bf3-4a55-a0e7-da25a4eb85ae,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9f39c7b-49c9-4e2f-ad3b-01799066533d,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61951e40-cd48-49aa-ab9a-911f77d12843,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d458513-86b4-4d09-9ae9-bf50fb6c9348,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42e9f89-99c2-40d3-afd7-5f7b9cb4e17a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e9edbe5-03fb-4b15-a167-c0dae7d89d79,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,555763dd-f14f-4695-9408-a93053f71e37,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30a28a79-9b42-4ed4-9b83-25dcd7b0448f,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\MJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acbd663f-b8dc-4a88-877d-51133d766b35,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3aef041a-152c-479a-910d-eff4891a5bdf,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,144595cd-7a4b-457b-bdfa-53f70cc70018,"4/16/2021, 8:40:15.598 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a22d1d8-b20e-4e43-9bef-fe968e432c53,"4/16/2021, 8:40:15.598 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ffe9a38-cae1-42a5-abbb-581cba881460,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1595b507-b18a-47ed-8535-10df3daef4ac,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6df68d7-6ddc-42eb-b777-5ca3d4954c40,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,724e2cd1-b357-48dc-b106-d516e0989c79,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fc2c2a4-837a-4712-a834-505bfbd38944,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f3b3588-ae5e-4e57-9c59-cf7b083e0e08,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60a10a66-00fc-4d6e-a056-dea2f83a76ae,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6af153c3-ccb9-4429-ad2f-6d0b790f57c2,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f0ed9c5-1fcb-4538-89fa-2a0348c981cd,"4/16/2021, 
8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e38f127f-256d-4999-a5c8-c4d67fc37c51,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64bff3ae-be2f-4330-b4cb-3a792eca7fed,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a818efb-00fc-4264-897e-b5b1534a30a4,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b491088-45bb-4592-88e4-e7c1a4f36048,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3b48069-d880-42b6-bf37-b1118d828fa6,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c861ae1a-ea86-496c-a2b8-1c8900707a4f,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b1f3648-5749-4866-a787-a255a8316259,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3629fafa-3de9-4252-ba15-6ab5e4b0b2d7,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67e785b2-a53a-4608-b469-9486ef1bff1d,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fadfadab-261f-4113-9474-f1d5253d82d8,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4bbe42e-a764-44f5-aeeb-27e7add1441a,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb378675-316e-479e-9dae-89ab1c3ba815,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49503290-6ea2-4ec9-9021-757659cf2c56,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc8f3bf3-fef0-4745-acd8-aaff50fdee5c,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec85e93e-089e-47cf-ba73-e0f9d8cfe439,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944a87aa-7303-4d91-90c5-7da44070b6fc,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84f27864-634d-4589-ac03-988e66fbfc9e,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9f9e0d4-a975-4ad8-8617-f7aef90f605d,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b05a8d3-c461-4b31-ba8e-844c8813d475,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f4be854-18a4-4159-8311-2ea82dbbca99,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cd0cf8d-1366-4cdf-a36e-34e806b25e25,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aba95a8-b8ac-490b-8bcc-b015bb8fefb2,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ac1d36e-e063-43e9-a076-167dc5ce7e0f,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a2c6b91-7bb2-43d5-a2b7-14a16940d59f,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,141602ae-eb9a-4ad9-a3f7-b06188f41ef1,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6850357-2b2b-4d9d-a8cd-bf4c12bfc588,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,756531ed-fa6d-48e0-ac02-ce975c23062a,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f39cf93b-0c76-4572-97eb-375d2e40772c,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,159761a9-6ec9-44d6-87c5-ceb171a13be9,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b711a839-574f-4906-9c38-0c837a7d710c,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65063537-3272-46c1-ad56-267062257cce,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33d88578-d386-4e9d-a943-e0f29a845793,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,624edc98-c21c-4925-8dcd-3e702953a69a,"4/16/2021, 8:40:25.110 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c484fa8-2bd8-4627-9861-5ca5d4b889a4,"4/16/2021, 8:40:25.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55183926-f0b4-49cc-8a1e-5bb1b4a08621,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1fff651-79dd-4b1c-9431-f8b9cc6d1c9a,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5188 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,50cfce3e-622b-45a8-b5eb-37c579f5e3a7,"4/16/2021, 8:40:25.110 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4532 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,41c9b122-c0da-41b3-af9f-f147eff4aca9,"4/16/2021, 8:40:25.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54e1100f-93da-4708-8515-d4a3dc8274fe,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9e231dc-d814-4ea4-a2d6-baf5b522f50f,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56251031-c69d-406e-a2bc-6c9c7f651f3e,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4903f44-a2f2-4869-8b08-c1076eb89850,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6130b7b-d428-4eeb-8be1-194287394949,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b54241-78a0-454e-b074-7d3896d4ab42,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef1a3f32-2a73-4ae1-bbf6-1b93b658853a,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaceb745-984c-4344-8e93-01a33de1f8f8,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919edfe7-55a9-439e-94a9-4ace96411bfb,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6eb5262-f2f5-414a-a094-4afe0cd51983,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d128321c-42ae-4452-a808-8430387c8ce0,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,671d9b98-bf7b-4ced-8817-d6d33b3b0301,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e225a6-693b-4a77-8936-7ab4b47bbb62,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,672deb6d-ebb0-49ae-a0a8-a607d123d82b,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a666f6-2aa8-477d-a2c3-3351a3138772,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16de15e1-0cd1-40d2-93b9-7753ac50e1e3,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,840b9ab7-8c69-4dba-91f5-6923cf4de1a5,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,068923b1-f9fb-46dd-b123-ed4065b9888b,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3967789-6f0f-40fe-b147-8e94a408d32f,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0f84cc-bbad-460f-a20e-b02d31eacaac,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec845f95-0411-4e9c-9c1f-da13840ef1de,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161d89e7-7cc2-4762-a284-a07fab7fb438,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f042aef-8893-41b8-8f91-d18185408318,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b332b0-e711-4ff2-b140-46906d264b61,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f88d0030-3a0e-4492-88c0-2b6618fe4ef9,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75234f8c-670d-4dfa-a342-490551e2c978,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3da800de-3ae2-460c-8f36-51afd0a8274d,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be70d15-1ebc-4be9-ab8a-4acf2eec7351,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,487eae3e-587e-4c86-9db8-e29179b1ada9,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f1bce3b-877a-4276-aed9-5ce4a334b584,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2f480c8-a9b5-45c3-97c3-d4ace653dd04,"4/16/2021, 
8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ef1cba-c6b2-4d69-b940-6841ffbcb8cc,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,857d2d4c-a844-4010-8be2-5ed440a84587,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aa53327-57ce-49ef-8c0d-e04fc1e19548,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ff9e78-dd47-4374-868e-b5fa6861a815,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,072019a8-30ba-41b4-8fa8-1e83fce089ad,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11f687b-1a09-4f8d-9c55-cffea1b1339b,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79bf1322-1e21-4ae9-983f-1e523d05dd07,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e27f16b-7093-4653-87ed-c10efccefc63,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41169574-a231-4793-a448-63ce08dc3714,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f012effc-4de0-4943-a0f0-f0874812cf64,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f933f501-f77d-4c76-b9bb-056963522a76,"4/16/2021, 8:40:49.266 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9595c80a-f73d-4250-ad4a-f778705d5b85,"4/16/2021, 8:40:49.266 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c98f288d-5d02-49b7-b037-44e49cf75159,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cec28798-d7a4-4c52-9310-dcd50ab7242c,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7914734-c1a3-4f7b-9fb9-d97e3a10bfd7,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73a278db-43d6-4940-ada9-8aa5faa6f74d,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d183b088-f624-4b67-ae89-822d95e42a8c,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ed0147c-b371-47b1-a2c8-401824a7009a,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6f01a74-b379-4bd8-8ae2-91565df27258,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cc8aff9-8e86-4e87-9c96-ad7e3dc51199,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3d0c0be-7883-41c9-830a-131a49e8a0c7,"4/16/2021, 8:40:57.605 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a7c1917-cd38-45f8-aeac-36d436da252b,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8afe0126-fa6a-4d0f-8afa-0bc221782df6,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98fcf06b-83b7-4517-b388-51a86c720840,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,618c8726-0491-42ae-aab9-18fd2677392d,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc081a66-0b74-4953-9af5-c3c1d22741de,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ed603ce-9637-4675-a22a-c9c9d599a260,"4/16/2021, 8:40:57.605 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c08cf3de-5fdb-49d2-ae32-470b9e9e70a3,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95fccafb-e9b2-41df-9d3d-234393d18b63,"4/16/2021, 8:40:57.605 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7b121e2-9d6c-49df-be10-6321664396f8,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c6bae22-345f-4111-8ddf-b341d9ff505d,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\JACE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16fd803c-1ba7-4fc0-aa0f-d8cf8023d64e,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc18923e-37ef-4440-9f0c-c9a98cb934df,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6621bae-3292-4883-bcc3-e2c325d3b724,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf8b9495-cd93-45b6-bf38-f20f48e71aea,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b76399d-5b9c-4f65-84f5-6984e0612410,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd8e800b-523b-4307-95fa-b6e1c8b3acae,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b0a4b98a-c9cb-47d4-9a5e-72e594e00d49,"4/16/2021, 8:41:09.848 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,27593a79-8069-4433-acd3-73538528ea23,"4/16/2021, 8:41:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5108 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,418fc48f-ff88-4106-8b45-497715bdef68,"4/16/2021, 8:41:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2416 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4da9a3d7-4e9b-40f9-ba15-3d72c4e1d4b6,"4/16/2021, 8:41:09.848 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 3232 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,98a577e3-9425-4d73-8e90-9e72197a4623,"4/16/2021, 8:41:09.848 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4c323d5a-434c-470a-ac0d-bf8f5ce05bab,"4/16/2021, 8:41:09.848 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d166e4f4-e055-4ca3-ae3d-3b10f6547dbc,"4/16/2021, 8:41:09.848 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8df4147-cd04-47d4-bbf6-ef72059fdca9,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ee7cc65-cc2b-4c1f-8041-4ae9ccb85209,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,163bf292-2b5b-4cc2-990b-439c5fe3cd84,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af964f55-d47e-4422-9f8b-cd97b3ccb862,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b7fb202-c508-458b-907c-84837f7e9475,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dccb84d-22ff-4017-81da-0f8723b2792d,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,943be54b-2283-46dd-8643-f1120fd704a9,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a4886c3-6ef9-41a6-bfc0-c51be93c8608,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c0238ee-b4b0-4be6-a5d9-7576c235bcaf,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f58f617d-b56e-43ef-98fb-0852d8885076,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11edc34d-e673-442f-b246-1bd181b0571c,"4/16/2021, 8:41:19.594 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e0e643-df77-4c45-a736-ed73d1bed3c0,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49027c91-8701-4124-9d97-60bb52748c02,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8819be9e-9f7d-452c-99e5-19be749c8919,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44a15147-a9fe-4c5a-8198-5ce04205ff8f,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5118d2d-f106-403b-89b5-200c47eabda1,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1e35a32-a818-43eb-9f49-9e2b46d29fca,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88d9baa1-b82d-4459-a378-4969da91fa27,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd3b448b-95b3-4821-b006-f2c13be15a95,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83b5ed13-1a59-4c89-961e-1a702e064ead,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87f73f24-3204-4c20-a12a-febef4fbf858,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d36b4ea7-50e8-47b9-8a0e-7db5140cdc9f,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
diff --git a/src/SecurityInsights/test/sampleData/SigninLogs.csv b/src/SecurityInsights/test/sampleData/SigninLogs.csv
new file mode 100644
index 000000000000..e209b0d1d485
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/SigninLogs.csv
@@ -0,0 +1,1233 @@ +TenantId,SourceSystem,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,AuthenticationRequirementPolicies,ClientAppUsed,ConditionalAccessPolicies,ConditionalAccessStatus,CreatedDateTime,DeviceDetail,IsInteractive,Id,IPAddress,IsRisky,LocationDetails,MfaDetail,NetworkLocationDetails,OriginalRequestId,ProcessingTimeInMilliseconds,RiskDetail,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ResourceIdentity,ServicePrincipalId,ServicePrincipalName,Status_dynamic,Status_string,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserId,UserPrincipalName,AADTenantId,UserType,FlaggedForReview,SignInIdentifier,SignInIdentifierType,ResourceTenantId,HomeTenantId,Type,IPAddressFromResourceProvider +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,f9ff9ee8-d565-478b-bc95-8b4f0d468fe1,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:08:45.2213421+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online 
Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:08:45.221 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,cfb68155-70f5-4e28-b046-0a3a7086c401,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],cfb68155-70f5-4e28-b046-0a3a7086c401,3535,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,b374c020-b0b2-4295-a9da-74bdd31de68c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,O365 Suite UX,4345a7b9-9a63-4910-a426-35363201d503,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:27:54.8914298+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:27:54.891 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,ff7972e5-bd41-4c6a-9cc9-c34dc63e5701,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],ff7972e5-bd41-4c6a-9cc9-c34dc63e5701,1412,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,06910dc5-8e07-46a5-b53d-11c5ba4ed673,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:28:01.4357074+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:28:01.435 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,797afc36-b046-45b1-93bf-7d0b66357301,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],797afc36-b046-45b1-93bf-7d0b66357301,1289,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d948aa1d-9416-4d23-8383-3a4847bca5fc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:28:06.2490139+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:28:06.249 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b862bbd8-080c-47f4-8d77-b0c902505c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b862bbd8-080c-47f4-8d77-b0c902505c01,2174,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,e44aa2e9-3258-45a1-82bf-e4801f8003ac,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:28:06.921786+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:28:06.921 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b3b31048-1654-4f80-880e-d9f5dbfd6c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b3b31048-1654-4f80-880e-d9f5dbfd6c01,2657,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,e824715d-6d00-40f4-a54f-9b58b0184a1f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:06.986823+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:06.986 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,94a69790-5bb8-4d63-a81c-a87941bd5901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],94a69790-5bb8-4d63-a81c-a87941bd5901,2760,none,[],[],none,none,none,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d8c36749-e8be-488f-b32b-316361ca724b,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:07.9702173+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:07.970 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,e66745a9-0ef9-41ca-9b8c-0d96e3936101,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],e66745a9-0ef9-41ca-9b8c-0d96e3936101,1899,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,16000,None,Other,0,efb0c29f-204d-c000-3135-7a444b8eddbc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:08.3569132+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:29:08.356 PM","{""operatingSystem"":""Windows 
10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,d8acd976-4765-4bb7-805b-9d110f3d5a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],d8acd976-4765-4bb7-805b-9d110f3d5a01,2798,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":16000,""failureReason"":""Other""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50058,None,The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. 
Contact app owner.,0,bf595f69-3dcc-4eef-b1c1-ba3cd8ba3de7,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:16.617982+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:16.617 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,dffdd8fc-a142-4ddd-8ced-0192613f6901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],dffdd8fc-a142-4ddd-8ced-0192613f6901,2131,none,[],[],none,none,none,,,,,"{""errorCode"":50058,""failureReason"":""The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. 
Contact app owner.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,0107d864-473e-4a12-aa71-ae9aaba9e17a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:18.632758+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:18.632 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,4b6c9341-1536-4a63-9d00-107410a4b301,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],4b6c9341-1536-4a63-9d00-107410a4b301,1521,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,bf595f69-3dcc-4eef-b1c1-ba3cd8ba3de7,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:20.4954585+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:20.495 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,55fa18e9-2894-4513-b406-dd8d4213ce01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],55fa18e9-2894-4513-b406-dd8d4213ce01,1512,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,fd8a2a96-713c-430d-a539-7ba2d5cb2f50,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:22.1785431+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:22.178 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,176739db-9294-48a0-acc0-181be5e85c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],176739db-9294-48a0-acc0-181be5e85c01,1595,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,6eb62f3d-a8a6-4d54-bdbd-cbdea068764a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:22.3035428+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:22.303 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,176739db-9294-48a0-acc0-181bcce85c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],176739db-9294-48a0-acc0-181bcce85c01,2206,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3a3bd3b9-ed34-4fcd-8f03-b0329ad3e03f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:27.6146177+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:27.614 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,dffdd8fc-a142-4ddd-8ced-01925d416901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],dffdd8fc-a142-4ddd-8ced-01925d416901,2520,none,[],[],none,none,none,Microsoft Teams Services,cc15fd57-2c6c-4117-a88c-83b1d56b4bbe,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,1dec1606-e6bb-4a44-925d-b8838e8fd66a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:37.9210516+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:37.921 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b0d232a8-5128-4bd6-88df-fce04b4fab01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b0d232a8-5128-4bd6-88df-fce04b4fab01,4335,none,[],[],none,none,none,Microsoft Teams Chat Aggregator,b1379a75-ce5e-4fa3-80c6-89bb39bf646c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d9a6a740-e0e8-4e8e-8402-10780dc74b88,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:45.4525138+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:45.452 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,a73aac59-e4c4-4bd3-9fb4-43f4a95d5501,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],a73aac59-e4c4-4bd3-9fb4-43f4a95d5501,3619,none,[],[],none,none,none,Microsoft Teams Chat Aggregator,b1379a75-ce5e-4fa3-80c6-89bb39bf646c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,b4ba2a7e-6018-462c-bdb2-e14b885f5c02,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:51.1875385+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:51.187 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,a73aac59-e4c4-4bd3-9fb4-43f4715f5501,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],a73aac59-e4c4-4bd3-9fb4-43f4715f5501,1359,none,[],[],none,none,none,Skype Presence Service,1e70cd27-4707-4589-8ec5-9bd20c472a46,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 
Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,0e7158fb-3719-494b-a5c5-ec85b08e97d8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:53.7585097+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:53.758 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,ff7972e5-bd41-4c6a-9cc9-c34d24535701,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],ff7972e5-bd41-4c6a-9cc9-c34d24535701,1901,none,[],[],none,none,none,Microsoft Teams UIS,1996141e-2b07-4491-927a-5a024b335c78,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,6ebc0918-cd75-45b0-838e-e07d1f2cc43c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:54.2493636+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:54.249 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,e074940e-c3c9-4024-b8ba-61123d046101,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],e074940e-c3c9-4024-b8ba-61123d046101,2440,none,[],[],none,none,none,Microsoft Stream Service,2634dd23-5e5a-431c-81ca-11710d9079f4,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,91e29e5a-ed6e-4839-82be-490053ac2887,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:54.597063+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:54.597 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,56b911cf-6c72-4378-939e-4b0ce097df01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],56b911cf-6c72-4378-939e-4b0ce097df01,2072,none,[],[],none,none,none,Call Recorder,4580fd1d-e5a3-4f56-9ad1-aab0e3bf8f76,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3f6696ab-b05a-4876-97f3-13d5228e91a5,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:55.0850623+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:55.085 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,37c3b890-9870-401d-b04a-56736b79f201,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],37c3b890-9870-401d-b04a-56736b79f201,3057,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,a3228d58-c5ed-42c2-8b85-761f1287c9f2,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:56.0723166+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:56.072 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b6634b5b-7f20-4d5a-b3cf-aa86676b6501,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b6634b5b-7f20-4d5a-b3cf-aa86676b6501,2508,none,[],[],none,none,none,Microsoft People Cards Service,394866fc-eedb-4f01-8536-3ff84b16be2a,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,56ed29c5-6917-4055-8620-bfc55816c18e,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:57.0858832+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:57.085 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b862bbd8-080c-47f4-8d77-b0c990645c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b862bbd8-080c-47f4-8d77-b0c990645c01,2608,none,[],[],none,none,none,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,2c2e42dc-56ae-4d16-8628-042eb09c695a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:57.1495884+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:57.149 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,176739db-9294-48a0-acc0-181bc2ef5c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],176739db-9294-48a0-acc0-181bc2ef5c01,1504,none,[],[],none,none,none,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,1215b0f1-002d-4477-a11a-84987f46b85c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:57.305829+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:57.305 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,653bdf5c-6fe7-4ad4-811e-20634e1b6a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],653bdf5c-6fe7-4ad4-811e-20634e1b6a01,2783,none,[],[],none,none,none,Skype Presence Service,1e70cd27-4707-4589-8ec5-9bd20c472a46,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,efb0c29f-204d-c000-3135-7a444b8eddbc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:35.9521472+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:35.952 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,8d85a74e-93fe-4594-97f7-876efbc40b01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],8d85a74e-93fe-4594-97f7-876efbc40b01,2203,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,c56ef18a-e41c-46b8-a285-d8f3c49199a5,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:47.310088+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:47.310 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,58834cda-a6a2-4007-8252-32b4e0837001,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],58834cda-a6a2-4007-8252-32b4e0837001,1120,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,04477479-4aa6-4542-a258-5761968511f8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:48.3516037+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:48.351 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b0d232a8-5128-4bd6-88df-fce06c5cab01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b0d232a8-5128-4bd6-88df-fce06c5cab01,1095,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,04f42fdc-1d00-4b95-9b31-1166d4ddb635,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:52.6943411+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:52.694 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,12641949-1cf4-407a-a531-c393ff116301,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],12641949-1cf4-407a-a531-c393ff116301,2424,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,9b285867-fd65-4cfa-9bdf-824f7fbda845,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:58.6858053+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:58.685 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,16cb7198-6ee0-4379-b1b0-7403de445e01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],16cb7198-6ee0-4379-b1b0-7403de445e01,2625,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,16000,None,Other,0,3ab1c29f-40b7-b000-fad8-da0ec116fd4e,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:15.9922004+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:34:15.992 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,a915aa9e-a64f-487d-b932-b4cc07707901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],a915aa9e-a64f-487d-b932-b4cc07707901,2173,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":16000,""failureReason"":""Other""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,,SigninLogs, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3ab1c29f-40b7-b000-fad8-da0ec116fd4e,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:22.8418632+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:34:22.841 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,3b50929d-3d7e-420d-a2bf-cf81fe916a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],3b50929d-3d7e-420d-a2bf-cf81fe916a01,3578,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure 
AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,a8646c2c-b407-483f-9f72-a5773ed415dd,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:33.6440378+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:34:33.644 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,709b386d-24a2-4296-96b5-00500ba3a600,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],709b386d-24a2-4296-96b5-00500ba3a600,2307,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,8200a6aa-9bb7-4203-9ccf-700dc2dcd6ea,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Maker SSO,17d5e35f-655b-4fb0-8ae6-86356e9a49f5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:34.9685566+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:34:34.968 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2107d03a-3e5f-48c3-a5a0-3f4cd3ddd601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2107d03a-3e5f-48c3-a5a0-3f4cd3ddd601,2673,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,5d05c054-9f28-4039-9eaa-5b26f09c4876,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:28.9378094+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:28.937 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,c860c04c-d26e-4585-8c58-75d2ed475f01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],c860c04c-d26e-4585-8c58-75d2ed475f01,1440,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,41310acc-65cb-47eb-a8f5-8da1265a9ffc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:32.4474314+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:32.447 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b186f209-1ad9-4bb6-ab5a-e76055c36601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b186f209-1ad9-4bb6-ab5a-e76055c36601,1499,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,cf229e41-ddd7-43d2-aca2-337c7ae23b52,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:36.8096788+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:36.809 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2107d03a-3e5f-48c3-a5a0-3f4c87ebd601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2107d03a-3e5f-48c3-a5a0-3f4c87ebd601,2415,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d2331948-f2d6-4e85-b7f7-4d9d1464d957,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,OfficeShredderWacClient,4d5c2d63-cf83-4365-853c-925fd1a64357,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:55.6937096+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:55.693 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,c860c04c-d26e-4585-8c58-75d2934d5f01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],c860c04c-d26e-4585-8c58-75d2934d5f01,1992,none,[],[],none,none,none,Office Shredding 
Service,b97b6bd4-a49f-4a0c-af18-af507d1da76c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,02645cdc-f374-4992-97ed-75e04bc4c042,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:57.0509704+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:57.050 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,3b50929d-3d7e-420d-a2bf-cf81e6a56a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel 
Aviv"",""city"":""Azor""}",{},[],3b50929d-3d7e-420d-a2bf-cf81e6a56a01,2060,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,a8d5a402-e2a8-4bff-b3da-53ca1be11ea9,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Augmentation Loop SSO,2abdc806-e091-4495-9b10-b04d93c3f040,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:58.5188565+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:58.518 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 
90.0.818""}",TRUE,fe8dec05-e254-4652-aa7f-985ef9608601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],fe8dec05-e254-4652-aa7f-985ef9608601,2412,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,c4b2b4e6-121f-4c4f-8902-7b2a1f8beaee,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Search,a9b49b65-0a12-430b-9540-c80b3332c127,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:58.6853132+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:58.685 PM","{""operatingSystem"":""Windows 
10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,49a395a2-8493-4fee-8704-174795635601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],49a395a2-8493-4fee-8704-174795635601,2312,none,[],[],none,none,none,Office 365 Exchange Microservices,ec156f81-f23a-47bd-b16f-9fb2c66420f9,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,c6386b6e-23a0-4440-8f42-1efce8ff3e9f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Office Web Apps Service,67e3df25-268a-4324-a550-0de1c7f97287,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:59.3395699+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:35:59.339 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b882ace3-a884-4b6d-84df-3814190be801,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel 
Aviv"",""city"":""Azor""}",{},[],b882ace3-a884-4b6d-84df-3814190be801,1480,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,37163647-2330-4e87-a26f-653edb8c0139,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Loki SSO,b23dd4db-9142-4734-867f-3577f640ad0c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:00.2142411+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:00.214 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 
90.0.818""}",TRUE,afacfe98-266e-4dd4-9369-8ea4e32a5601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],afacfe98-266e-4dd4-9369-8ea4e32a5601,1990,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,faa6a22b-d84c-416e-81f3-96a538d10267,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Search,a9b49b65-0a12-430b-9540-c80b3332c127,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:12.6343777+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:12.634 PM","{""operatingSystem"":""Windows 
10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,fe8dec05-e254-4652-aa7f-985e76648601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],fe8dec05-e254-4652-aa7f-985e76648601,814,none,[],[],none,none,none,Office 365 Exchange Microservices,ec156f81-f23a-47bd-b16f-9fb2c66420f9,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,495c1c1c-b5b4-4b4f-91b3-251669bd7916,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,OfficeShredderWacClient,4d5c2d63-cf83-4365-853c-925fd1a64357,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:12.6393961+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:12.639 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,aa2a96c4-9354-4844-8a2e-1976a59c5601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],aa2a96c4-9354-4844-8a2e-1976a59c5601,1564,none,[],[],none,none,none,Office Shredding Service,b97b6bd4-a49f-4a0c-af18-af507d1da76c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,295a2dd1-1942-481e-bfb2-4b66337649bc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:13.5539212+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:13.553 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2107d03a-3e5f-48c3-a5a0-3f4cc3f3d601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2107d03a-3e5f-48c3-a5a0-3f4cc3f3d601,1817,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,e01a6b1f-7512-4bb7-8c14-3acd7e9b93f5,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Office Web Apps Service,67e3df25-268a-4324-a550-0de1c7f97287,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:14.2399026+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:36:14.239 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,7d6047e7-887c-49a7-aaec-324d59d44e01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],7d6047e7-887c-49a7-aaec-324d59d44e01,1323,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,04477479-4aa6-4542-a258-5761968511f8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:18.2700034+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:18.270 
PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2f862252-e535-476b-bb02-28a9acc44d01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2f862252-e535-476b-bb02-28a9acc44d01,3655,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,14a95855-aafa-419e-9bfd-c97bfca2a6b2,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:09.9182894+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:09.918 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b6634b5b-7f20-4d5a-b3cf-aa862c0b6601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b6634b5b-7f20-4d5a-b3cf-aa862c0b6601,1101,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3840fda1-3724-43aa-a8a4-1384fa522829,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,OfficeShredderWacClient,4d5c2d63-cf83-4365-853c-925fd1a64357,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:28.1635118+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:28.163 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,64c34e73-76fb-4592-a085-cd0998c55601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],64c34e73-76fb-4592-a085-cd0998c55601,1844,none,[],[],none,none,none,Office Shredding Service,b97b6bd4-a49f-4a0c-af18-af507d1da76c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,92673c97-3921-432f-8e84-f7f5abd18614,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T15:12:17.51751+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 3:12:17.517 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b0d232a8-5128-4bd6-88df-fce06531ad01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b0d232a8-5128-4bd6-88df-fce06531ad01,3583,none,[],[],none,none,none,Microsoft Teams - Teams And Channels Service,b55b276d-2b09-4ad2-8de5-f09cf24ffba9,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,8cf2d955-ee12-449e-b2dd-7b3fb409c7ce,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:06.3546015+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:06.354 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2c4b5942-7ac1-4ea3-9cd5-5048eee25d01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2c4b5942-7ac1-4ea3-9cd5-5048eee25d01,1016,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,93086ebb-8da5-4532-8167-17ed1bafb07f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:14.2055223+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:14.205 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2c4b5942-7ac1-4ea3-9cd5-50482de45d01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2c4b5942-7ac1-4ea3-9cd5-50482de45d01,1743,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,bfc779b1-8753-f3b8-339c-530c4489ec4c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:28.8068109+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": 
""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:28.806 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,ff7972e5-bd41-4c6a-9cc9-c34ddbf35701,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],ff7972e5-bd41-4c6a-9cc9-c34ddbf35701,2737,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,0b0e6f7f-9df1-46a4-937a-95430e6bb9a8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Office Web Apps Service,67e3df25-268a-4324-a550-0de1c7f97287,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:30.4428603+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + 
""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:44:30.442 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,fd9b62e9-8921-42c1-82ed-4cc85dfd6101,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],fd9b62e9-8921-42c1-82ed-4cc85dfd6101,1580,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,ebd36167-1c13-42e5-85a0-cca345ef71b2,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,SharePoint Online Web Client Extensibility,08e18876-6177-487e-b8b5-cf950c1e598c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T15:19:08.373733+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 3:19:08.373 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,3b50929d-3d7e-420d-a2bf-cf8189a36c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],3b50929d-3d7e-420d-a2bf-cf8189a36c01,2290,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:13:19.4834758+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,698711b3-cf4e-45f4-ae04-d4e340f06b00,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],698711b3-cf4e-45f4-ae04-d4e340f06b00,400,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:13:31.4214666+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,c31b2f10-59ed-4459-9d24-7e1c6efc5b00,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],c31b2f10-59ed-4459-9d24-7e1c6efc5b00,568,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:16:30.7197199+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,88627a19-54f9-4dba-97de-2caeb4896c00,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],88627a19-54f9-4dba-97de-2caeb4896c00,428,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:16:34.8773402+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,6d6b5c90-85c5-4e7d-ac80-50a7eb0e6900,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],6d6b5c90-85c5-4e7d-ac80-50a7eb0e6900,439,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, diff --git a/src/SecurityInsights/test/utils.ps1 b/src/SecurityInsights/test/utils.ps1 new file mode 100644 index 000000000000..124f3c377516 --- /dev/null +++ b/src/SecurityInsights/test/utils.ps1 
@@ -0,0 +1,331 @@ +function RandomString([bool]$allChars, [int32]$len) { + if ($allChars) { + return -join ((33..126) | Get-Random -Count $len | % {[char]$_}) + } else { + return -join ((48..57) + (97..122) | Get-Random -Count $len | % {[char]$_}) + } +} +$env = @{} +if ($UsePreviousConfigForRecord) { + $previousEnv = Get-Content (Join-Path $PSScriptRoot 'env.json') | ConvertFrom-Json + $previousEnv.psobject.properties | Foreach-Object { $env[$_.Name] = $_.Value } +} +# Add script method called AddWithCache to $env, when useCache is set true, it will try to get the value from the $env first. +# example: $val = $env.AddWithCache('key', $val, $true) +$env | Add-Member -Type ScriptMethod -Value { param( [string]$key, [object]$val, [bool]$useCache) if ($this.Contains($key) -and $useCache) { return $this[$key] } else { $this[$key] = $val; return $val } } -Name 'AddWithCache' +function setupEnv() { + # Preload subscriptionId and tenant from context, which will be used in test + # as default. You could change them if needed. + $env.SubscriptionId = (Get-AzContext).Subscription.Id + $env.Tenant = (Get-AzContext).Tenant.Id + + #needed for custom api call + $Token = (Get-AzAccessToken).Token + $Header = @{ + Authorization="Bearer $Token" + Content='application/json' + } + + # Some constants + $constants = Get-Content .\test\constants.json | ConvertFrom-Json + $constants.psobject.Properties | ForEach-Object { $env[$_.Name] = $_.Value } + $TemplatePath = ".\test\deployment-templates" + $SampleDataPath = ".\test\sampleData" + + #Load common Functions + . 
(".\test\common.ps1") + + # Create the test group + $resourceGroupName = "aspstest" + (RandomString -allChars $false -len 6) + Write-Host "Start to create test resource group" $resourceGroupName + $null = $env.Add("resourceGroupName", $resourceGroupName) + New-AzResourceGroup -Name $resourceGroupName -Location $env.location + + # Create the Workspace+Sentinel + $workspaceName = "asptest" + (RandomString -allChars $false -len 6) + $newOnboardingStateWS = "asptest" + (RandomString -allChars $false -len 6) + $removeOnboardingStateWS = "asptest" + (RandomString -allChars $false -len 6) + Write-Host "Start to create test workspace" $workspaceName + $workspaceParams = Get-Content .\test\deployment-templates\workspace\template.parameters.json | ConvertFrom-Json + $workspaceParams.parameters.workspaceName.value = $workspaceName + $workspaceParams.parameters.newOnboardingStateWS.value = $newOnboardingStateWS + $workspaceParams.parameters.removeOnboardingStateWS.value = $removeOnboardingStateWS + set-content -Path .\test\deployment-templates\workspace\template.parameters.json -Value (ConvertTo-Json $workspaceParams) + $TemplateFile = (Get-ChildItem $TemplatePath\workspace\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\workspace\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Workspace -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add("workspaceName", $workspaceName) + $url = "https://management.azure.com/"+ ($result.Id) + "?api-version=2021-04-01" + $deployResult = Invoke-RestMethod -Uri $url -Method GET -headers $header + $null = $env.Add('workspaceId', ($deployResult.properties.outputs.workspaceId.value)) + #$null = $env.Add('workspaceKey', ($deployResult.properties.outputs.workspaceKey.value)) + $workspaceKey = ($deployResult.properties.outputs.workspaceKey.value) + 
$null = $env.Add('workspaceResourceId', ($deployResult.properties.outputs.workspaceResourceId.value)) + $null = $env.Add("newOnboardingStateWS", $newOnboardingStateWS) + $null = $env.Add("removeOnboardingStateWS", $removeOnboardingStateWS) + } + + + #Custom Log Import -> Create Analytic that triggers + Write-Host "Ingesting Sample Data" + $files = Get-ChildItem -Path $SampleDataPath -Filter *.csv + foreach($file in $Files){ + $fileToImport = $file.FullName + $tableName = ($file.Name).Replace('.csv','') + $status = SendToLogA -eventsTableName $tableName -EventsTableFile $fileToImport -CustomerId $env.workspaceId -SharedKey $workspaceKey + Write-Host "$TableName results: $status" + } + write-Host "Starting sleep to allow time for ingestion" + #Start-Sleep -Seconds 600 + Start-WaitForData 600 + + # Alert Rules that trigger off custom data. + Write-Host "Start to create test alert rules that trigger off custom data" + $solarigateRuleGuid = (New-Guid).Guid + $disabledRuleGuid = (New-Guid).Guid + $mlRuleGuid = (New-Guid).Guid + $alertRuleParams = Get-Content .\test\deployment-templates\customData\alertRules.parameters.json | ConvertFrom-Json + $alertRuleParams.parameters.solarigateRuleGuid.value = $solarigateRuleGuid + $alertRuleParams.parameters.disabledRuleGuid.value = $disabledRuleGuid + $alertRuleParams.parameters.mlRuleGuid.value = $mlRuleGuid + $alertRuleParams.parameters.workspaceName.value = $env.workspaceName + set-content -Path .\test\deployment-templates\customData\alertRules.parameters.json -Value (ConvertTo-Json $alertRuleParams) + $TemplateFile = (Get-ChildItem $TemplatePath\customData\alertRules.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\customData\alertRules.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name CustomData -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = 
$env.Add(("solarigateRuleGuid"), $solarigateRuleGuid) + $null = $env.Add(("disabledRuleGuid"), $disabledRuleGuid) + $null = $env.Add(("mlRuleGuid"), $mlRuleGuid) + } + + #Deploy Playbooks + Write-Host "Start to create test playbooks" + $TemplateFile = (Get-ChildItem $TemplatePath\playbooks\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\playbooks\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Playbooks -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $url = "https://management.azure.com/"+ ($result.Id) + "?api-version=2021-04-01" + $deployResult = Invoke-RestMethod -Uri $url -Method GET -headers $header + $null = $env.Add('Playbook1LogicAppResourceId', ($deployResult.properties.Outputs.Playbook1LogicAppResourceId.value)) + $null = $env.Add('Playbook1TriggerUrl', ($deployResult.properties.Outputs.Playbook1triggerUrl.value)) + $null = $env.Add('Playbook2LogicAppResourceId', ($deployResult.properties.Outputs.Playbook2LogicAppResourceId.value)) + $null = $env.Add('Playbook2TriggerUrl', ($deployResult.properties.Outputs.Playbook2triggerUrl.value)) + $null = $env.Add('Playbook3LogicAppResourceId', ($deployResult.properties.Outputs.Playbook3LogicAppResourceId.value)) + $null = $env.Add('Playbook3TriggerUrl', ($deployResult.properties.Outputs.Playbook3triggerUrl.value)) + $null = $env.Add('Playbook4LogicAppResourceId', ($deployResult.properties.Outputs.Playbook4LogicAppResourceId.value)) + $null = $env.Add('Playbook4TriggerUrl', ($deployResult.properties.Outputs.Playbook4triggerUrl.value)) + } + + + #Create Alert Rules + Write-Host "Start to create test alert rules" + Create-AlertRule -PSVerb Get -WorkspaceName $env.workspaceName + Create-AlertRule -PSVerb Remove -WorkspaceName $env.workspaceName + Create-AlertRule -PSVerb RemoveViaId -WorkspaceName $env.workspaceName + Create-AlertRule 
-PSVerb Update -WorkspaceName $env.workspaceName
+ Create-AlertRule -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Create AlertRuleAction
+ Write-Host "Start to create test alert rule actions"
+ Create-AlertRuleAction -PSVerb Get -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb Remove -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb Update -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb UpdateViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+
+ #Service Principal needs to be in constants.json.
+ #Write-Host "Get Service Principal"
+ #$ClientID = '1950a258-227b-4e31-a9cf-717495945fc2'
+ #$Resource = "74658136-14ec-4630-ad9b-26e160ff0fc6"
+ #$uri = "https://login.microsoftonline.com/"+$env.Tenant+"/oauth2/devicecode"
+ #$DeviceCodeRequestParams = @{
+ # Method = 'POST'
+ # Uri = $uri
+ # Body = @{
+ # client_id = $ClientId
+ # resource = $Resource
+ # }
+ #}
+ #$DeviceCodeRequest = Invoke-RestMethod @DeviceCodeRequestParams
+ #Write-Host $DeviceCodeRequest.message -ForegroundColor Yellow
+ #write-host "You need to go login with the data above. 
script will continue in "
+ #start-sleep -Seconds 120
+ #$uri = "https://login.microsoftonline.com/"+$env.Tenant+"/oauth2/token"
+ #$TokenRequestParams = @{
+ # Method = 'POST'
+ # Uri = $uri
+ # Body = @{
+ # grant_type = "urn:ietf:params:oauth:grant-type:device_code"
+ # code = $DeviceCodeRequest.device_code
+ # client_id = $ClientId
+ # }
+ #}
+ #$TokenRequest = Invoke-RestMethod @TokenRequestParams
+ #$appToken = $TokenRequest.access_token
+
+ #$header = @{
+ #'Authorization' = 'Bearer ' + $appToken
+ #'X-Requested-With'= 'XMLHttpRequest'
+ #'x-ms-client-request-id'= [guid]::NewGuid()
+ #'x-ms-correlation-id' = [guid]::NewGuid()
+ #}
+ #$body = @{"accountEnabled"=$null;"isAppVisible"=$null;"appListQuery"=1;"searchText"="Azure Security Insights";"top"=50;"loadLogo"=$false;"putCachedLogoUrlOnly"=$true;"nextLink"="";"usedFirstPartyAppIds"=$null;"__ko_mapping__"=@{"ignore"=@();"include"=@("_destroy");"copy"=@();"observe"=@();"mappedProperties"=@{"accountEnabled"=$true;"isAppVisible"=$true;"appListQuery"=$true;"searchText"=$true;"top"=$true;"loadLogo"=$true;"putCachedLogoUrlOnly"=$true;"nextLink"=$true;"usedFirstPartyAppIds"=$true};"copiedProperties"=@()}}
+ #$url = "https://main.iam.ad.ext.azure.com/api/ManagedApplications/List"
+ #$res = Invoke-RestMethod -Uri $url -Headers $header -Method POST -body ($body | convertto-Json) -ErrorAction Stop -ContentType "application/json"
+ #$null = $env.Add('ASIServicePrinicpal', ($res.appList[0].objectId))
+
+ Write-Host "Deploy authorization to allow automation rules"
+ $authorizationParams = Get-Content .\test\deployment-templates\authorization\template.parameters.json | ConvertFrom-Json
+ $authorizationParams.parameters.ASIServicePrinicpal.value = $env.ASIServicePrinicpal
+ set-content -Path .\test\deployment-templates\authorization\template.parameters.json -Value (ConvertTo-Json $authorizationParams)
+ $TemplateFile = (Get-ChildItem $TemplatePath\authorization\template.json).FullName
+ $TemplateParametersFile = 
(Get-ChildItem $TemplatePath\authorization\template.parameters.json).FullName
+ $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Authorization -ResourceGroupName $resourceGroupName
+ start-sleep 60
+
+ #Create Automation Rule
+ Write-Host "Start to create test automation rule"
+ Create-AutomationRule -PSVerb Get -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb Remove -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb Update -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb UpdateViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+
+ #Create Bookmark
+ Write-Host "Start to create test bookmark"
+ Create-Bookmark -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb Expand -WorkspaceName $env.workspaceName
+
+ #Bookmark Expansion
+ $bookmarkExpansionId = (New-Guid).Guid
+ $null = $env.Add('bookmarkExpansionId', $bookmarkExpansionId)
+
+ #Create Bookmark Realtion
+ Write-Host "Start to create test bookmark Relation"
+ Create-BookmarkRelation -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb Update -WorkspaceName $env.workspaceName
+ 
Create-BookmarkRelation -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Create DataConnector
+ Write-Host "Start to create test dataConnector"
+ $dataConnectorId = (New-Guid).Guid
+ $updateDataConnectorId = (New-Guid).Guid
+ $dataConnectorParams = Get-Content .\test\deployment-templates\dataConnector\template.parameters.json | ConvertFrom-Json
+ $dataConnectorParams.parameters.dataConnectorId.value = $dataConnectorId
+ $dataConnectorParams.parameters.updateDataConnectorId.value = $updateDataConnectorId
+ $dataConnectorParams.parameters.workspaceName.value = $workspaceName
+ set-content -Path .\test\deployment-templates\dataConnector\template.parameters.json -Value (ConvertTo-Json $dataConnectorParams)
+ $TemplateFile = (Get-ChildItem $TemplatePath\dataConnector\template.json).FullName
+ $TemplateParametersFile = (Get-ChildItem $TemplatePath\dataConnector\template.parameters.json).FullName
+ $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name dataConnector -ResourceGroupName $resourceGroupName
+ if($result.ProvisioningState -eq "Succeeded"){
+ $null = $env.Add('dataConnectorId', $dataConnectorId)
+ $null = $env.Add('updateDataConnectorId', $updateDataConnectorId)
+ }
+ #Entity
+ #imported fake data so nothing needed to create in arm.
+
+ #Create Entity Queriers
+ Write-Host "Start to create test entityQuery"
+ Create-EntityQuery -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Entity Relations
+ #System built, can't test without data. Find way to import data?
+
+ #Entity Timeline
+ #System built, can't test without data. Find way to import data?
+
+ #Create Incident
+ Write-Host "Start to create test incident"
+ Create-Incident -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Incident Alert
+ #Custom data imported should trigger alert.
+
+ #IncidentBookmark
+ #uses Bookmark Relation so no need to create anything new.
+
+ #IncidentComment
+ Write-Host "Start to create test incident comment"
+ Create-IncidentComment -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #IncidentEntity
+ #Custom data imported should trigger alert with entity
+
+ #IncidentRelation
+ Write-Host "Start to create test incident relation"
+ Create-IncidentRelation -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Metadata
+ #"sourceId": "azuresentinel.azure-sentinel-solution-zerotrust
+ Write-Host "Start to create test MetaData"
+ $metadataParams = Get-Content .\test\deployment-templates\metadata\template.parameters.json | ConvertFrom-Json
+ $metadataParams.parameters.workspace.value = $workspaceName
+ set-content -Path .\test\deployment-templates\metadata\template.parameters.json -Value (ConvertTo-Json $metadataParams)
+ $TemplateFile = (Get-ChildItem 
$TemplatePath\metadata\template.json).FullName
+ $TemplateParametersFile = (Get-ChildItem $TemplatePath\metadata\template.parameters.json).FullName
+ $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name metadata -ResourceGroupName $resourceGroupName
+ if($result.ProvisioningState -eq "Succeeded"){
+ $null = $env.Add('metadataName', 'azuresentinel.azure-sentinel-solution-zerotrust')
+ }
+
+ #OfficeConsent
+ #cant pre-create to test.
+
+ #OnboardingState
+ #create additonal workspaces in first template
+
+ #Setting
+ #Nothing to create
+
+ #SourceControl
+ #SourceControlRepository
+ #nothing to create
+
+ #ThreatIntelligeneceIndicator
+ Write-Host "Start to create test threat intelligence indicator"
+ Create-ThreatIntelligenceIndicator -PSVerb Get -WorkspaceName $env.workspaceName -IP "8.8.8.1"
+ Create-ThreatIntelligenceIndicator -PSVerb Remove -WorkspaceName $env.workspaceName -IP "8.8.8.2"
+ Create-ThreatIntelligenceIndicator -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -IP "8.8.8.3"
+ Create-ThreatIntelligenceIndicator -PSVerb Update -WorkspaceName $env.workspaceName -IP "8.8.8.4"
+ Create-ThreatIntelligenceIndicator -PSVerb UpdateViaId -WorkspaceName $env.workspaceName -IP "8.8.8.5"
+
+ #ThreatIntelligeneceIndicatorMetric
+ #nothing to create
+
+ # For any resources you created for test, you should add it to $env here.
+ $envFile = 'env.json'
+ if ($TestMode -eq 'live') {
+ $envFile = 'localEnv.json'
+ }
+ set-content -Path (Join-Path $PSScriptRoot $envFile) -Value (ConvertTo-Json $env)
+}
+function cleanupEnv() {
+ # Clean resources you create for testing
+ # Remove-AzResourceGroup -Name $env.resourceGroupName
+}
+
diff --git a/src/SecurityInsights/utils/Unprotect-SecureString.ps1 b/src/SecurityInsights/utils/Unprotect-SecureString.ps1
new file mode 100644
index 000000000000..cb05b51a6220
--- /dev/null
+++ b/src/SecurityInsights/utils/Unprotect-SecureString.ps1
@@ -0,0 +1,16 @@
+#This script converts securestring to plaintext
+
+param(
+ [Parameter(Mandatory, ValueFromPipeline)]
+ [System.Security.SecureString]
+ ${SecureString}
+)
+
+$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
+try {
+ $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
+} finally {
+ [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
+}
+
+return $plaintext
\ No newline at end of file
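Review bot: `ValueFromPipeline` on `${SecureString}` has no matching `process` block, so when several SecureStrings are piped into this script only the last one reaches the `$ssPtr = ...` conversion; either wrap the `$ssPtr`/`try`/`finally`/`return` lines in `process { ... }` or drop `ValueFromPipeline` so the script is explicitly single-value. The BSTR is correctly scrubbed in the `finally`, but the `$plaintext` handed back is an ordinary managed string the caller cannot zero, and the one-line header does not say so; I would extend it to `#This script converts securestring to plaintext; the returned string cannot be scrubbed from memory, so keep it short-lived and out of logs and transcripts`. The Marshal-based conversion is the right portable choice if the module still has to run on Windows PowerShell 5.1, where `ConvertFrom-SecureString -AsPlainText` is not available.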